Contents
1. NEXThink Alerts
1.1. Concept
NEXThink Alerts are notifications of the latest relevant information generated by the NEXThink Engine. Two types of NEXThink Alerts are available:
- Investigation-based alerts are configurable alerts available to any NEXThink Finder user.
- A System alert is a predefined set of information about the health of the NEXThink Engine and is delivered via email by default. System alert configuration is not managed via Finder.
This section only covers Investigation-based alerts, hereafter referred to simply as alerts.
For admin users, NEXThink Alerts are shown in the Home Tab of Finder (immediate and hourly alerts on sources only), recorded as syslog messages, or delivered as emails.
For non-admin users, NEXThink Alerts are shown in the Home Tab of Finder (immediate and hourly alerts on sources only) or delivered as emails; the syslog action is not available to them.
1.2. Requirements
In order to receive email Alerts, the following is required:
- The SMTP server must be configured on the NEXThink Engine Webconsole. See Engine SMTP parameters for Alerting for more information.
- A user account must be created and populated with a valid email address.
2. Alerts
Finder enables you to create new alerts from scratch, or to use a more powerful technique by which a stand-alone alert is created directly from an existing object investigation. Such an alert can then be duplicated and further modified to create a series of related alerts.
2.1. Enable Alerts
Alerts can be sent to each NEXThink Finder account. For email Alerts, the email address configured in the account is used by default. The email configuration of a Finder account is available in the preferences dialog, or via the accounts management interface when logged in with the admin account. Additional recipients can also be configured on a per-alert basis, in the Alerts configuration section (see below).
Alerts also appear in the Source View; see doc/4.0.0/WorkingWithFinder/Explore/UsingSourceView
2.2. Creating a New Alert
You can create a new alert by clicking on the Settings section of Finder, selecting "Global alerts" or "My alerts" (depending on whether you are logged in as an admin or non-admin user) and then right-clicking in a blank space in the Settings section of Finder as shown below. Note that the screenshot is shown for an admin user.
Creating an Alert
Editing an Alert
The process of creating a new alert is the same as creating one from an investigation, except that when you start from an investigation, virtually all of the settings are already correctly configured and proven to work. Before creating alerts from scratch, it is therefore best to gain experience by basing them on investigations, as discussed next.
2.3. Creating an Alert from an Investigation
Each Finder user can configure their own alerts. To configure an alert, the user must connect to the Engine with their personal account. NEXThink Alerts can be activated for any existing object investigation; if the investigation is not an object investigation, the "Add to alerts" option does not appear.
1. Right-click the investigation you wish to use as a basis for your alert and click Add to alerts.
Adding an Alert
This creates an alert based on the investigation and opens it for modification in the right-hand pane of Finder. Modify the conditions for the alert if the initial conditions copied from the parent investigation do not meet your requirements, then scroll down to the Alert section at the bottom of the conditions pane. Note that the available Alert options differ depending on whether you log in with an Admin or User account, per the screenshots below.
Alert configuration options for an Admin user of Finder
Alert configuration options for a non-Admin user of Finder
2. Use the Alert configuration dialog to set up the alert.
Criticality can be set to Normal or High. A Normal alert is displayed in yellow in Finder and a High alert in red, with the colours appearing darker as the number of alerts in the monitoring timeframe increases.
Actions determines how the alert is logged or advised. Any or all of the actions below can be set:
- Show in Home: the alert is visible at the top of the Finder Home Tab view and its latest occurrences loop at the bottom of Finder (see the example image below). This option can only be activated for immediate or hourly alerts having Source as target object.
- Send syslog: records the alert in the Engine syslog, which can be inspected via the Engine Console. This action is available to admin users only.
- Send e-mail: sends an email to the Finder user (mandatory for non-admin users); the Finder user can also set up a list of additional email recipients if desired.
Frequency schedules reporting as follows:
- Immediate: logs the result or sends an email whenever the investigation returns a non-empty result.
- Hourly: reports the investigation's results once an hour, at a quarter past the hour.
- Daily: reports the investigation's results once per day, at a quarter past midnight.
- Weekly: reports the investigation's results once a week, at a quarter past midnight on Monday.
Note that emails are not sent if there is nothing to report. Below is an example of an Alert shown at the base of Finder when in Home mode. The Home Tab data is refreshed once every 5 minutes and up to 10 of the last received alerts are shown in this location in a repeating loop.
Latest alerts cycling through at base of Finder
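As an added example (not part of this page or of Finder itself), the following Python works out when a periodic alert configured with each Frequency will next be delivered, and therefore how long an event can wait before it is reported. The quarter-past delivery times and the "nothing to report, no email" rule come from the list above; the assumption that a delivery scheduled at exactly the current time has already happened is mine, as are the constructed timestamps.

```python
from datetime import datetime, timedelta

# Delivery times quoted on this page: hourly at a quarter past the hour, daily at
# a quarter past midnight, weekly at a quarter past midnight on Monday.
REPORT_MINUTE = 15
WEEKLY_DAY = 0  # Monday, as datetime.weekday() numbers it


def from_iso(s):
    """Helper so callers can pass ISO-8601 strings (constructed inputs only)."""
    return datetime.fromisoformat(s)


def next_delivery(frequency, now):
    """Earliest scheduled delivery strictly after `now`, or None for Immediate.

    Assumption (not stated on the page): a run whose scheduled time equals `now`
    has already happened. Immediate alerts have no schedule; they fire whenever
    the investigation returns a non-empty result.
    """
    f = frequency.lower()
    if f == "immediate":
        return None
    if f == "hourly":
        cand = now.replace(minute=REPORT_MINUTE, second=0, microsecond=0)
        step = timedelta(hours=1)
    elif f == "daily":
        cand = now.replace(hour=0, minute=REPORT_MINUTE, second=0, microsecond=0)
        step = timedelta(days=1)
    elif f == "weekly":
        cand = now.replace(hour=0, minute=REPORT_MINUTE, second=0, microsecond=0)
        cand -= timedelta(days=(cand.weekday() - WEEKLY_DAY) % 7)  # this week's Monday
        step = timedelta(days=7)
    else:
        raise ValueError(f"unknown frequency: {frequency!r}")
    if cand <= now:
        cand += step
    return cand


def worst_case_delay(frequency):
    """Longest an event can sit before the schedule reports it (Engine processing
    time excluded). Immediate is the only choice with no scheduling delay."""
    return {
        "immediate": timedelta(0),
        "hourly": timedelta(hours=1),
        "daily": timedelta(days=1),
        "weekly": timedelta(days=7),
    }[frequency.lower()]


def email_due(frequency, now, result_count):
    """Emails are not sent if there is nothing to report: return the delivery
    time (now for Immediate) when the investigation has results, else None."""
    if result_count <= 0:
        return None
    return now if frequency.lower() == "immediate" else next_delivery(frequency, now)


if __name__ == "__main__":
    now = from_iso("2012-01-09T10:20:00")  # a Monday; constructed timestamp
    for f in ("immediate", "hourly", "daily", "weekly"):
        print(f"{f:9s} next={next_delivery(f, now)}  worst-case delay={worst_case_delay(f)}")
```

The practical point for security-relevant investigations: a Daily alert can sit for almost 24 hours and a Weekly one for almost 7 days before anyone is told, so conditions you intend to act on quickly belong on Immediate (or at least Hourly), with the periodic frequencies reserved for reporting.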
2.4. Alert Validation and Feedback
As you configure an alert, Finder assesses the attributes you have set for validity and warns you if the alert is not practical by showing a warning indication (red ball). Hovering the mouse over the indicator pops up a message suggesting changes that will enable the alert to function. You will not be able to save the alert until you have configured valid attributes.
Finder validates your Alert settings and provides feedback on incompatible settings
2.5. Working with an existing Alert
If an alert is already configured, Finder Settings gives you a great deal of control over it.
Click on Settings in the right-hand Finder panel. This shows Global alerts (My alerts for a non-admin user) under Select Section, as shown below.
Global alerts section in Finder Settings
- Edit: opens the Investigation configuration panel in the right-hand Finder frame so you can change the alert configuration.
- Run: runs the investigation, showing any alerts in the right-hand Finder frame.
- Export: exports the alert configuration as XML, either to the clipboard or to a file (in which case a file save dialog is presented).
- Duplicate: creates 'Copy of (Investigation Alert name)', providing an easy way of creating an alert modelled on an existing one.
- Delete: deletes the alert.
- Rename: renames the alert.
- Show last alert: displays the last alert in Finder's right-hand panel.
- Disable/Enable: disables or enables the alert; the entry toggles depending on the current alert state.
3. System Alerts
3.1. Enable System Alerts
System alerts are sent only to the admin account of NEXThink Finder. Configure a valid email address for the admin account in order to receive them.
3.2. System Alert List
3.2.1. License Alerts
Maximum number of licensed sources reached
- This alert occurs when the NEXThink Engine license is near expiry. It is triggered daily starting 6 days before license expiration.
3.2.2. Limit Alerts
Too many processes started by executable [executable name] on [source ip]/[computer name]
- This alert is triggered when more than 10000 processes have been started by one executable on a machine within 15 minutes.
Too many connections generated by executable [executable name] on [source ip]/[computer name]
- This alert is triggered when more than 10000 connections have been made by one executable on a machine within 15 minutes.
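To show how a limit of this kind behaves, here is an added Python example that is not part of this page or of the Nexthink product: a sliding-window counter that raises the two limit alerts above over constructed sample events. The 10000-in-15-minutes threshold and the alert texts come from this page; that the window slides with each event, and that the alert is raised once per excursion over the limit, are my assumptions, as is the sample telemetry.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Thresholds quoted for the Engine's limit alerts: more than 10000 events from
# one executable on one machine within 15 minutes.
LIMIT = 10000
WINDOW = timedelta(minutes=15)

# Alert texts as listed on this page; the detector fills in "[executable name]"
# and "[source ip]/[computer name]".
MESSAGES = {
    "process": "Too many processes started by executable {exe} on {host}",
    "connection": "Too many connections generated by executable {exe} on {host}",
}


class LimitAlertDetector:
    """Sliding-window counter keyed by (event kind, executable, source ip, computer).

    Assumption (the page does not say): the 15-minute window slides with each
    event, the alert is raised once when the count first exceeds the limit, and
    it is re-armed only after the count has dropped back to the limit or below.
    """

    def __init__(self, limit=LIMIT, window=WINDOW):
        self.limit = limit
        self.window = window
        self._seen = defaultdict(deque)  # key -> timestamps still inside the window
        self._fired = set()              # keys whose alert is currently raised

    def observe(self, ts, kind, exe, ip, computer):
        """Record one event; return the alert text if it fires now, else None."""
        key = (kind, exe, ip, computer)
        q = self._seen[key]
        q.append(ts)
        cutoff = ts - self.window
        while q and q[0] < cutoff:       # expire events older than the window
            q.popleft()
        if len(q) > self.limit:
            if key in self._fired:
                return None              # already raised for this excursion
            self._fired.add(key)
            return MESSAGES[kind].format(exe=exe, host=f"{ip}/{computer}")
        self._fired.discard(key)         # back at or under the limit: re-arm
        return None


def replay(events, limit=LIMIT, window=WINDOW):
    """Feed (timestamp, kind, exe, ip, computer) tuples; return [(timestamp, alert text)]."""
    det = LimitAlertDetector(limit, window)
    alerts = []
    for ts, kind, exe, ip, computer in sorted(events, key=lambda e: e[0]):
        msg = det.observe(ts, kind, exe, ip, computer)
        if msg:
            alerts.append((ts, msg))
    return alerts


def burst(start, count, kind, exe, ip, computer, spacing=timedelta(milliseconds=1)):
    """Constructed sample telemetry: `count` events of one kind, one millisecond apart."""
    return [(start + spacing * i, kind, exe, ip, computer) for i in range(count)]


def sample_events():
    """Constructed scenario (not real Nexthink data).

    cmd.exe on WS-0017: 6000 process starts at 10:00 and 6000 more at 10:14.
    Both bursts fall inside one 15-minute window, so the count reaches 10001
    during the second burst and the alert fires at 10:14:04.
    svchost.exe on WS-0017: 6000 connections at 10:00 and 6000 more at 10:16.
    The first burst has expired before the second begins, so no window ever
    holds more than 6000 events and nothing fires.
    """
    t0 = datetime(2012, 1, 9, 10, 0)
    host = ("10.0.0.5", "WS-0017")
    return (burst(t0, 6000, "process", "cmd.exe", *host)
            + burst(t0 + timedelta(minutes=14), 6000, "process", "cmd.exe", *host)
            + burst(t0, 6000, "connection", "svchost.exe", *host)
            + burst(t0 + timedelta(minutes=16), 6000, "connection", "svchost.exe", *host))


if __name__ == "__main__":
    for ts, msg in replay(sample_events()):
        print(ts.isoformat(sep=" "), msg)
```

The caveat a defender should keep in mind follows from the alert text itself: the limit is counted per executable per machine, so activity spread across several binaries or several hosts keeps every key under the threshold and raises nothing. Treat these alerts as health indicators for the Engine's data volume, not as a detection control.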
3.2.3. Internal Alerts
Server started
- This alert is triggered when the NEXThink Engine reboots
3.2.4. Server Crash
Server crash
- This alert is triggered when the NEXThink Engine reboots and finds a minidump in the database directory.
