1. NEXThink Alerts
1.1. Concept
NEXThink Alerts are notifications of the latest relevant information generated by NEXThink Engine. Two types of NEXThink Alerts are available.
System alerts are a predefined set of notifications about the health of the NEXThink Engine.
Investigation-based alerts are configurable elements available to any NEXThink Finder user.
NEXThink Alerts are delivered as email or syslog messages.
1.2. Requirements
In order to receive email Alerts, the SMTP Server must be configured in the NEXThink Engine Webconsole. See Engine SMTP parameter for Alerting for more information.
- A user account created with a valid email address.
2. Investigation-based Alerts
2.1. Enable Investigation-based Alerts
Investigation-based alerts can be sent to each NEXThink Finder account. For email Alerts, the email address configured in the account is used by default. The email configuration of a Finder account is available in the preferences dialog or, for the admin account, via the accounts management interface. Additional recipients can also be configured on a per-alert basis, in the advanced section of the Alerts configuration dialog (see below).
2.2. Create an Investigation-based Alert
Each Finder user can configure their own alerts. To configure alerts, the user must connect to the Engine with their personal account. NEXThink Alerts can be activated for any existing investigation.
Right-click the investigation you wish to monitor
Choose Enable alerts...
Use the Alerts configuration dialog to set up the alert:
Frequency schedules the period of monitoring:
Hourly to receive the investigation's results once per hour.
Daily to receive the investigation's results once per day.
Weekly to receive the investigation's results once per week.
Name is the e-mail subject (by default, the name of the investigation).
Description is the e-mail content (by default, the description of the investigation).
- Once the alert is saved, an alert icon is added to the investigation to indicate that an alert is configured.
2.2.1. Advanced Alert configuration options
Clicking on the Advanced button in the Alerts configuration dialog reveals the following additional options:
Action sets the alerting action
Send email to have an email sent (default setting).
Send syslog message to have a message sent into syslog.
Send email and syslog message to have both actions happening.
Send email to ... and the following addresses:
- Free text entry for specifying additional email recipients. Note that the account's email address, if one is configured, is always used in addition to these recipients.
2.3. Configure an existing Investigation-based Alert
If an alert is already configured, you can change the settings.
Right-click the investigation you wish to configure
Choose Configure alerts...
Use the E-mail alerts configuration dialog to set up the alert
2.4. Disable an existing Investigation-based Alert
If an alert is already configured, you can disable it.
Right-click the investigation you wish to configure
Choose Disable alerts
3. System Alerts
3.1. Enable System Alerts
System alerts are sent only to the admin account of NEXThink Finder. Configure a valid email address for the admin account to receive the system alerts.
3.2. System Alert List
3.2.1. License Alerts
Maximum number of licensed sources reached
- This alert is triggered when the NEXThink Engine license has expired.
[days] left before license expiration
- This alert is triggered every day starting 6 days before license expiration.
3.2.2. Limit Alerts
Too many processes started by executable [executable name] on [source ip]/[computer name]
- This alert is triggered when more than 10000 processes have been started on a machine within 15 minutes.
Too many connections generated by executable [executable name] on [source ip]/[computer name]
- This alert is triggered when more than 10000 connections have been made by a process on a machine within 15 minutes.
3.2.3. Internal Alerts
Server started
- This alert is triggered when the NEXThink Engine reboots.
3.2.4. Server Crash
Server crash
- This alert is triggered when the NEXThink Engine reboots and finds a minidump in the database directory.
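Since system alerts can be delivered over syslog, a SIEM or log collector has to recognise them and pull out the placeholders ([executable name], [source ip], [computer name], [days]) before it can route a limit alert differently from a license alert. The script below is an added example, not NEXThink's code: it turns the alert titles listed above into anchored regular expressions, classifies incoming messages by the categories of this section, and counts them. The RFC 3164-style syslog envelope, the "nexthink" application tag and the sample lines are all constructed assumptions; this page does not describe the real syslog message layout.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Alert titles exactly as listed in this document, keyed by an internal id.
# Bracketed placeholders are turned into named capture groups.
TEMPLATES: Dict[str, str] = {
    "license_max_sources": "Maximum number of licensed sources reached",
    "license_expiring": "[days] left before license expiration",
    "limit_processes": "Too many processes started by executable [executable name] on [source ip]/[computer name]",
    "limit_connections": "Too many connections generated by executable [executable name] on [source ip]/[computer name]",
    "internal_started": "Server started",
    "internal_crash": "Server crash",
}

# Category of each alert, following the section headings above.
CATEGORY: Dict[str, str] = {
    "license_max_sources": "license",
    "license_expiring": "license",
    "limit_processes": "limit",
    "limit_connections": "limit",
    "internal_started": "internal",
    "internal_crash": "crash",
}

# Thresholds stated in the document for the limit alerts: (count, window in minutes).
THRESHOLDS = {"limit_processes": (10000, 15), "limit_connections": (10000, 15)}

# Assumed RFC 3164-style envelope: "<PRI>Mon dd hh:mm:ss host app: message".
# The real NEXThink syslog layout is not described on this page.
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d+)>(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<app>[^:]+): (?P<msg>.*)$"
)


def template_to_regex(template: str) -> "re.Pattern":
    """Turn 'Foo [x] on [y]/[z]' into an anchored regex with named groups."""
    out = []
    for part in re.split(r"(\[[^\]]+\])", template):
        m = re.fullmatch(r"\[([^\]]+)\]", part)
        if m:
            # Placeholder text is captured verbatim, non-greedily, whatever the engine inserts.
            out.append(f"(?P<{m.group(1).replace(' ', '_')}>.+?)")
        else:
            out.append(re.escape(part))
    return re.compile("^" + "".join(out) + "$")


PATTERNS = {aid: template_to_regex(t) for aid, t in TEMPLATES.items()}


@dataclass
class Alert:
    alert_id: str
    category: str
    message: str
    fields: Dict[str, str] = field(default_factory=dict)
    host: Optional[str] = None


def classify(message: str) -> Optional[Alert]:
    """Match a bare alert text against the known templates."""
    text = message.strip()
    for aid, pattern in PATTERNS.items():
        m = pattern.match(text)
        if m:
            return Alert(aid, CATEGORY[aid], text, m.groupdict())
    return None


def parse_syslog_line(line: str) -> Optional[Alert]:
    """Strip the (assumed) syslog envelope, then classify the payload."""
    m = SYSLOG_RE.match(line.strip())
    if not m:
        return None
    alert = classify(m.group("msg"))
    if alert:
        alert.host = m.group("host")
    return alert


def summarize(lines: List[str]) -> Dict[str, int]:
    """Count recognised alerts per category; anything else lands in 'unrecognised'."""
    counts: Dict[str, int] = {}
    for line in lines:
        alert = parse_syslog_line(line)
        key = alert.category if alert else "unrecognised"
        counts[key] = counts.get(key, 0) + 1
    return counts


# Constructed sample lines (not real NEXThink output).
SAMPLE_LINES = [
    "<13>Mar  3 08:15:02 nxengine01 nexthink: Too many processes started by executable updater.exe on 10.1.2.3/WS-0042",
    "<13>Mar  3 08:15:40 nxengine01 nexthink: 6 days left before license expiration",
    "<13>Mar  3 08:16:11 nxengine01 nexthink: Server started",
    "<13>Mar  3 08:16:12 nxengine01 nexthink: Some unrelated engine log line",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(parse_syslog_line(line))
    print(summarize(SAMPLE_LINES))
```

Because every template is anchored at both ends, an unrelated log line from the same host falls through to the unrecognised bucket instead of being mis-filed as an alert. The two limit alerts carry the fixed thresholds from this section in THRESHOLDS, so a downstream rule can attach the "more than 10000 in 15 minutes" context to a ticket without re-reading the manual.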
