Alerts
- Last Updated: May 5, 2026
The Flowmon Monitoring Center allows you to automatically watch predefined network abnormalities and trigger specific actions when they appear. These are called alerts and they are defined using filters of the selected profile, conditions of execution, type of trigger, and action to be performed.
The list of all alerts and their statuses is displayed on the Alerts page. Details of a particular alert can be displayed by clicking Details.
Creating New Alert
You can create a new alert by clicking New alert and filling in the New alert form.
- Profile - Select the parent profile.
- Channels - Select channels with data relevant to the alert. The All option means all channels including those added in the future.
- Filter - Enter the filter of the alert related to the parent profile. Conditions of execution depend on this filter.
- Evaluation rate - Select how often you would like the alert to be evaluated. A short period (high rate) is more resource intensive.
- Evaluation interval - Select the interval of time of the most recent history that the alert should be evaluated for. The left side values in Conditions will be based on the most recent history of the selected length.
- Evaluate - Select when the alert will be evaluated.
- Conditions of execution - Conditions of execution are defined either over a list of flows (conditions based on total flow summary) or over flow statistics (conditions based on individual Top 1 statistics) and they can be connected together (up to 6 conditions). You can add a new condition by clicking the plus icon on the right side of the condition parameters. At the beginning of the second and all the following conditions, it is possible to choose a logical operator used to connect the condition with the previous one (using and/or logic).
Conditions of execution can be defined, for example, for the number of flows, packets, bytes, or NPM metrics going through the filter. This number is compared either with absolute value, with the average value for the selected time interval, or with the weekly baseline. This allows you to define adaptive filters for easy detection of peaks.
The weekly baseline is only applied if the profile history is at least 7 days long. The traffic amount for the selected interval is compared with the average value for the same interval on the same day of the week (for example, the value for Monday at 12:10 is compared to the previous Monday at 12:10). The longer the profile history is, the better results this method provides. The maximum length of the history is 28 days (that is, four weeks).
Also, it is possible to define the conditions of execution over Top 1 statistics.
- Trigger - Whenever the conditions of execution are satisfied, the selected action is triggered. According to your needs, it is possible to set the action to trigger Each time the conditions are satisfied, Once only, or Once only while the condition is valid. Furthermore, it is possible to require repeated satisfaction of the conditions before the action is triggered, and, once the action is triggered, you can also disable its execution for the selected time period. If the trigger is set to Once only, the condition is invalidated after each trigger and you must activate it again by clicking Rearm in the alerts list.
- Action - Defines an action to be performed when the alert triggers. Usually, it is the sending of an email, executing a user-defined script, sending a syslog message in CEF format, or sending an SNMP trap. It is possible to choose more than one action.
- When defining an email action, the Recipient field can contain one or more email addresses. Email addresses have to be separated by comma or semicolon characters.
User-defined Scripts
As an alert action, a user-defined Bash script can be run (when the Run script box is checked). Upload the script by clicking Browse, and specify its parameters in the Script parameters field.
If the alert data (name, time, conditions, measured values) are needed in the user script, it is necessary to include mandatory code (see the following example script) which sets all alert variables.
The following user script example saves the alert name, timeslot, and the total number of bytes/packets/flows to the file defined by input parameter f.
Example of a user-defined script
```bash
#!/bin/bash
# shebang is mandatory

# start of mandatory part of source code
. /usr/libexec/fmc_alert_functions
input_json="$1"
parse_alert_data "$input_json"
# end of mandatory part of source code

# process user parameters
first_user_parameter="$2"

# work with alert information
echo "======ALERT INFO======"
echo "Alert name: $ALERT_NAME"
echo "Alert timeslot: $ALERT_TIMESLOT"
echo "My parameter: $first_user_parameter"
```
List of variables
```text
ALERT_NAME=Alert's displayed name
ALERT_TIMESLOT=Timeslot
INTERNAL_NAME=Alert's identifier (UUID)
# Conditions and their values
CONDITION_COUNT=#Number of conditions
CONDITION1_WHAT=#Condition by flows/packets/bytes, and so on
CONDITION2_WHAT
CONDITION3_WHAT
CONDITION4_WHAT
CONDITION5_WHAT
CONDITION6_WHAT
CONDITION1_TYPE=#Condition total_summary/top_one
CONDITION2_TYPE
CONDITION3_TYPE
CONDITION4_TYPE
CONDITION5_TYPE
CONDITION6_TYPE
CONDITION1_COMPARE_BY=#Comparison operator and value to compare
CONDITION2_COMPARE_BY
CONDITION3_COMPARE_BY
CONDITION4_COMPARE_BY
CONDITION5_COMPARE_BY
CONDITION6_COMPARE_BY
CONDITION1_ACTUAL_VALUE=#Currently measured value
CONDITION2_ACTUAL_VALUE
CONDITION3_ACTUAL_VALUE
CONDITION4_ACTUAL_VALUE
CONDITION5_ACTUAL_VALUE
CONDITION6_ACTUAL_VALUE
CONDITION1_AVERAGE_VALUE=#Average value for X minutes/hours/days (average values conditions) or the value of the top one statistic key (for top one conditions) otherwise empty
CONDITION2_AVERAGE_VALUE
CONDITION3_AVERAGE_VALUE
CONDITION4_AVERAGE_VALUE
CONDITION5_AVERAGE_VALUE
CONDITION6_AVERAGE_VALUE
CONDITION1_RESULT=#How the condition was evaluated "true" or "false"
CONDITION2_RESULT
CONDITION3_RESULT
CONDITION4_RESULT
CONDITION5_RESULT
CONDITION6_RESULT
CONDITION1_BINARY_OPERATION=#Binary operation of condition "or" or "and"
CONDITION2_BINARY_OPERATION
CONDITION3_BINARY_OPERATION
CONDITION4_BINARY_OPERATION
CONDITION5_BINARY_OPERATION
CONDITION6_BINARY_OPERATION
```
To test the correct function of the script, click Save and test script. A window pops up with information about each performed script action.
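The script below is an added example, not part of the Flowmon documentation. It uses the CONDITIONn_* variables listed above to append one line per condition to the file given as the first user parameter, treating every value as data. The function names, the key="value" line format, and the guard around the mandatory part are assumptions of this example.

```bash
#!/bin/bash
# Added example, not Flowmon's code: write one log line per alert condition.

# Mandatory part from the documentation. The guard is an addition so the
# functions below can also be exercised off the appliance.
if [ -r /usr/libexec/fmc_alert_functions ]; then
    . /usr/libexec/fmc_alert_functions
    parse_alert_data "$1"
fi

# Replace control characters and double quotes so a value (for example a
# top-one statistic key) cannot add lines or fields to the log.
sanitize() {
    local v="${1//[[:cntrl:]]/_}"
    v=${v//'"'/_}
    printf '%s' "$v"
}

# Read CONDITION<n>_<suffix> by indirect expansion; no eval on alert data.
field() {
    local name="CONDITION${1}_${2}"
    sanitize "${!name}"
}

# Print key="value" lines for conditions 1..CONDITION_COUNT.
format_conditions() {
    local i count="${CONDITION_COUNT:-0}"
    # Accept only a single digit 0-6 (the documented maximum is 6).
    case "$count" in [0-6]) ;; *) return 1 ;; esac
    for ((i = 1; i <= count; i++)); do
        printf 'alert="%s" timeslot="%s" cond=%d what="%s" type="%s" ' \
            "$(sanitize "$ALERT_NAME")" "$(sanitize "$ALERT_TIMESLOT")" \
            "$i" "$(field "$i" WHAT)" "$(field "$i" TYPE)"
        printf 'compare="%s" actual="%s" average="%s" result="%s"\n' \
            "$(field "$i" COMPARE_BY)" "$(field "$i" ACTUAL_VALUE)" \
            "$(field "$i" AVERAGE_VALUE)" "$(field "$i" RESULT)"
    done
}

# First user parameter ($2) is the log file to append to.
if [ -n "${2:-}" ]; then
    format_conditions >> "$2"
fi
```

Enter the log file path in the Script parameters field so that it arrives as `$2`, after the alert JSON in `$1`.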
Notable changes compared to Flowmon 12 and older versions
- Shebang in a user script is required, for example, #! /bin/bash
- CONDITION_COUNTER is now called CONDITION_COUNT
- ALERT_BASED_ON was replaced by condition-specific CONDITION1_TYPE, CONDITION2_TYPE, and so on.
- TOP1_DATA, SUMMARY_BYTES, SUMMARY_PACKETS, SUMMARY_FLOWS, SUMMARY_BPS, SUMMARY_PPS, and SUMMARY_BPP were removed. Use a condition specific value instead.
- CONDITION1_AVERAGE_VALUE, CONDITION2_AVERAGE_VALUE, and so on are now set to the value of the top one statistic key for the top one condition.
Alert Status
The alert status is displayed in the Status column of the alerts table and it is also visible in the top left corner of the alert details dialog. The status can be one of the following:
| Status | Description |
|---|---|
| 🟦 Disabled | This alert is not active and it is not evaluated. |
| 🟩 Armed | This alert is active and its conditions are evaluated. |
| 🟥 Fired | This alert is active and it is evaluated. The trigger just fired and executed the action assigned to this alert. |
| 🟪 Blocked | This alert is active but blocked for the defined period of time after the trigger fired. |
Alert Details
After clicking Details in the alerts list, the following form shows up. It displays details of the selected alert.
The upper part of the form contains the current status of the alert, the date and time it was last triggered, the state of conditions evaluation, and the action to be performed. The bottom part of the form contains a chart showing the flow of average network traffic values. You can use the values in the chart to specify more exact conditions of execution. The vertical cursor (vertical lines) in the chart marks when the trigger last fired.
The table under the chart displays the average values of network traffic for the most recent specified period in flows, packets, and bytes. You can use the radio buttons above the tables to switch the chart units.