Supported Settings for UNUM Alerts
Use Cases
There are features and functions used in Arista NetVisor UNUM and Insight Analytics that are common throughout the user interface (UI). Please refer to the Common Functions section for more information on the use of these functions and features.
The following Use Cases are examples of configuring Alerts in NetVisor UNUM.
•Switch CPU Exceed Limit Alert
•Switch Memory Limit Exceed Alert
•Fabric Node State Change Alert
•Port Scanning / SYN Attack / SYN Flood Alert
Alert Details
Create Alerts using the following parameters. The interface prompts you for mandatory fields.
•Classification allows the user to identify the severity of the alert sent, i.e., Critical / Warning / Information.
•Alert Name of your choice.
•Index Name, choose the appropriate indices from Elasticsearch.
•Optionally, you can select the Index Type for the selected Elasticsearch index.
•Select the Time Field for the index.
•Optionally, enter the Alert Tags which helps you to search the Alert based on the tags.
Please refer to the menu configuration settings in the Alerts section for more information.
Available Index Patterns
The Use Cases are built upon the following Index Patterns.
|
Index Patterns |
Notes |
|
all-auditlogs |
Audit information for events such as, login, logout, licenses added, etc. |
|
all-connections |
Connections captured every 60 seconds. |
|
all-fabricresources |
Fabric dashboard information such as VLANS, Tunnels, VFR and VNI. |
|
all-hwutils |
Fabric dashboard, L2 / L3, Routes and vFlow switch information. |
|
all-meshpings |
Mesh ping information such as ping failures. |
|
all-portstatss |
Port information captured every 5 seconds. |
|
all-snmptraps |
SNMP traps captured by NetVisor UNUM - requires SNMP to be configured. |
|
all-syslogs |
Syslog events captured by NetVisor UNUM - requires Syslog to be configured. |
|
all-systemstatss |
CPU and memory information captured every 30 seconds. |
|
all-tunnelstatss |
Tunnel statistics captured every 5 seconds. |
|
all-vports |
vPorts details captured every 60 seconds. |
Before configuring Alerts, first enter the Index Patterns based on the type of data you require.
Please refer to the menu configuration settings in the Alerts section for more information.
Alert Condition
Configure different types of alerts using the Rule Type parameter. Below are the details on the supported Rule Type and the corresponding settings.
•Rule type – monitoring pattern for a rule
•Threshold – Match on any event matching a given filter
•Spike – Match when the rate of events increases or decreases
•New value – Match when a never before seen value appears in a field
•Repeated value – Match when a repeated value appears in a field
•Flatline – when event threshold attains dead state i.e., threshold < 1
Please refer to the menu configuration settings in the Alerts section for more information.
Schedule Detail
If you would like to schedule the alerts, enable the Schedule section checkbox, and specify the following details.
If you don’t want your alert generated, uncheck the Schedule section checkbox.
1.Set up the schedule for the alert by selecting the Frequency Type as “Hourly,” “Daily,” “Weekly,” “Monthly,” “Yearly,” or “Custom.”
2.Enter the scheduled frequency time in the Schedule Frequency Time section to schedule alert generation.
3.Enter the start time to generate the alert from the Start Time field
Please refer to the menu configuration settings in the Alerts section for more information.
Alert Action
Set Alert notifications by selecting the Alert action checkbox option. If you do not want the alert, clear the checkbox.
The supported alert actions include:
1.Send alerts to Email.
2.Send alerts to the Elasticsearch index.
Please refer to the menu configuration settings in the Alerts section for more information.
Use Case # 1 - Switch CPU Exceed LIMIT ALERT
In this example, NetVisor UNUM generates an alert if the CPU load rises above 80% at least 20 times in the last 15 minutes running at a scheduled interval of one minute. To distinguish whether or not the CPU load is a temporary spike or the CPU is continuously overburdened, we recommend these settings.
Settings
|
Type of Warning |
Critical |
|
Alert Name |
CPU Load |
|
Index Pattern |
all-systemstats* |
|
Index Type |
systemstats |
|
Time Field |
readTime |
|
Rule Type |
Threshold |
|
Keyword Filter |
* |
|
Aggregation Filter |
Count > 20 |
|
Query Filter |
Select either your Fabric Name or your Switch Name |
|
Query Filter |
cpuSys Must be > 80 |
|
Time Window |
15 Minutes |
|
Schedule |
√ Checked |
|
Frequency |
Select your run frequency starting from the next minute based on your system clock. |
|
Alert Action |
√ Checked - Please refer to the menu configuration settings in the Alerts section for more information. |
Result: A generated Alert for "CPU Load" with a threshold greater than 80% when it hit more than 10 times for the last 15 minutes.
Use Case # 2 - SWITCH MEMORY LIMIT EXCEED ALERT
In this example, NetVisor UNUM generates an alert if memory capacity exceeded 70% at least 10 times in the last week, running at a scheduled interval of one minute. This alert helps monitor for switch memory load.
Settings
|
Type of Warning |
Warning |
|
Alert Name |
Memory Load |
|
Index Pattern |
all-systemstats* |
|
Index Type |
systemstats |
|
Time Field |
readTime |
|
Rule Type |
Threshold |
|
Keyword Filter |
* |
|
Aggregation Filter |
Count > 10 |
|
Query Filter |
usedMem Must be > 70 |
|
Time Window |
1 Week |
|
Schedule |
√ Checked |
|
Frequency |
Select your run frequency starting from the next minute based on your system clock. |
|
Alert Action |
√ Checked - Please refer to the menu configuration settings in the Alerts section for more information. |
Result: Alert for "Memory Load" with a threshold set to greater than 70% generated when it hit more than 10 times for the last 1 week scheduled to check every 1 min.
Use Case # 3 - LINK DOWN ALERT
In this example, NetVisor UNUM generates a Link Down Alert when a specific port goes down more than 5 times, scheduled to check every single minute daily. This alert triggers whenever a port flaps due to software or hardware issues.
Settings
|
Type of Warning |
Critical |
|
Alert Name |
Link Down |
|
Index Pattern |
all-syslog* |
|
Index Type |
syslog |
|
Time Field |
@timestamp |
|
Rule Type |
Threshold |
|
Keyword Filter |
* |
|
Aggregation Filter |
Count > 5 |
|
Query Filter |
sd.category Must be == event |
|
Query Filter |
switchName Must be == (Enter your Switch Name). |
|
Query Filter |
id Must be == 11003 |
|
Time Window |
1 Day |
|
Schedule |
√ Checked |
|
Frequency |
Select your run frequency starting from the next minute based on your system clock. |
|
Alert Action |
√ Checked - Please refer to the menu configuration settings in the Alerts section for more information. |
Result: Alert for Link Down generated when a specific port or any Port went down more than 5 times for the given schedule.
Use Case # 4 - LINK UP ALERT
In this example, NetVisor UNUM generates a Link UP Alert when a specific port goes up more than 5 times, scheduled to check every minute daily. This alert triggers whenever a port flaps due to software or hardware issues.
Settings
|
Type of Warning |
Critical |
|
Alert Name |
Link Up |
|
Index Pattern |
all-syslog* |
|
Index Type |
syslog |
|
Time Field |
@timestamp |
|
Rule Type |
Threshold |
|
Keyword Filter |
* |
|
Aggregation Filter |
Count > 5 |
|
Query Filter |
sd.category Must be == event |
|
Query Filter |
switchName Must be == (Enter your Switch Name). |
|
Query Filter |
id Must be == 11002 |
|
Time Window |
1 Day |
|
Schedule |
√ Checked |
|
Frequency |
Select your run frequency starting from the next minute based on your system clock. |
|
Alert Action |
√ Checked - Please refer to the menu configuration settings in the Alerts section for more information. |
Result: Alert for Link Up generated when a specific port or any Port went up more than 5 times for the given schedule.
Use Case # 5 - MULTIPLE LOGIN FAILURE ALERT
In this example, NetVisor UNUM generates a Login Failed Alert when a specific unauthorized user attempts to login more than 5 times, and the user failed to login. Scheduled to check every minute this alert triggers immediately as long as the unauthorized user continues to attempt a login to the device.
Settings
|
Type of Warning |
Critical |
|
Alert Name |
Login Failure |
|
Index Pattern |
all-syslog* |
|
Index Type |
syslog |
|
Time Field |
@timestamp |
|
Rule Type |
Threshold |
|
Keyword Filter |
* |
|
Aggregation Filter |
Count > 5 |
|
Query Filter |
sd.category Must be == audit |
|
Query Filter |
switchName Must be == (Enter your Switch Name). |
|
Query Filter |
id Must be == 11103 |
|
Time Window |
1 Day |
|
Schedule |
√ Checked |
|
Frequency |
Select your run frequency starting from the next minute based on your system clock. |
|
Alert Action |
√ Checked - Please refer to the menu configuration settings in the Alerts section for more information. |
Use Case # 6 - FABRIC Node State CHANGE ALERT
In this example, NetVisor UNUM generates a Fabric Node State Change Alert when specific node state changes occur, scheduled to check every minute. This alert triggers whenever a switch goes down or problems exist with the NetVisor OS OS on a particular switch due to software or hardware issues if it happens more than 5 times daily.
Settings
|
Type of Warning |
Critical |
|
Alert Name |
Fabric Node State Change |
|
Index Pattern |
all-syslog* |
|
Index Type |
syslog |
|
Time Field |
@timestamp |
|
Rule Type |
Threshold |
|
Keyword Filter |
* |
|
Aggregation Filter |
Count > 5 |
|
Query Filter |
switchName Must be == (Enter your Switch Name). |
|
Query Filter |
sd.category Must be == system |
|
Query Filter |
id Must be == 11403 |
|
Time Window |
1 Day |
|
Schedule |
√ Checked |
|
Frequency |
Select your run frequency starting from the next minute based on your system clock. |
|
Alert Action |
√ Checked - Please refer to the menu configuration settings in the Alerts section for more information. |
Result: Alert for Fabric Node Change Alert generated when specific Node state changes for more than 5 times scheduled to check every single minute.
Use Case # 7 - Excessive Packet Drops Alert
In this example, NetVisor UNUM generates an Excessive Drop Alert when there are excessive packet drops measured in iDiscards/oDiscards, scheduled to check every minute daily. This alert triggers when a physical port is not functioning correctly or a specific software queue or the CPU is dropping packets.
Settings
|
Type of Warning |
Critical |
|
Alert Name |
Excessive Packet Drop |
|
Index Pattern |
*.ports* |
|
Index Type |
portstats |
|
Time Field |
readTime |
|
Rule Type |
Threshold |
|
Keyword Filter |
* |
|
Aggregation Filter |
Count > 0 |
|
Query Filter |
diffInput.discards Must be > 50 |
|
Time Window |
15 Minutes |
|
Schedule |
√ Checked |
|
Frequency |
Select your run frequency starting from the next minute based on your system clock. |
|
Alert Action |
√ Checked - Please refer to the menu configuration settings in the Alerts section for more information. |
Result: Alert for Excessive Packet Drop generated when packets dropped observed in terms of iDiscard/oDiscards for specific threshold configured and scheduled to check every single minute.
Use Case # 8 - PORT SCANNING / SYN ATTACK / SYN FLOOD ALERT
In this example, NetVisor UNUM generates a Port Scanning Alert when there are 50 sync connections within 15 minutes, scheduled to check every minute daily.
Settings
|
Type of Warning |
Critical |
|
Alert Name |
Possible Port Scan |
|
Index Pattern |
all-connections* |
|
Index Type |
connection |
|
Time Field |
startedTime |
|
Rule Type |
Threshold |
|
Keyword Filter |
* |
|
Aggregation Filter |
Count > 50 |
|
Query Filter |
curState Must be == SYN |
|
GROUP BY |
√ Checked |
|
Select Fields |
srcIp |
|
ORDER |
Descending |
|
Number of Documents |
5 |
|
Time Window |
15 Minutes |
|
Schedule |
√ Checked |
|
Frequency |
Select your run frequency starting from the next minute based on your system clock. |
|
Alert Action |
√ Checked - Please refer to the menu configuration settings in the Alerts section for more information. |
Result: Alert for Port Scan/Syn Attach generated when there are continuous SYN messages for more than 15 minutes, and scheduled to check every minute.
Use Case # 9 - MAC MOVE EXCEEDED ALERT
In this example, NetVisor UNUM generates a MAC Move Exceeded Alert when there are more than 10 moves in a day, scheduled to check every minute daily. When a MAC address appears in a different physical interface or within a different unit of the same physical interface, and if this behavior occurs frequently, it is considered a MAC move. Configuration errors in the Layer 2 network can force traffic into never-ending circular paths.
Settings
|
Type of Warning |
Critical |
|
Alert Name |
MAC Move Exceed Alert |
|
Index Pattern |
all-syslog* |
|
Index Type |
syslog |
|
Time Field |
@timestamp |
|
Rule Type |
Threshold |
|
Keyword Filter |
* |
|
Aggregation Filter |
Count > 10 |
|
Query Filter |
sd.category Must be == system |
|
Query Filter |
Select either your Fabric Name or your Switch Name |
|
Query Filter |
id Must be == 11329 |
|
Time Window |
1 Day |
|
Schedule |
√ Checked |
|
Frequency |
Select your run frequency starting from the next minute based on your system clock. |
|
Alert Action |
√ Checked - Please refer to the menu configuration settings in the Alerts section for more information. |
Result: Alert for MAC Move Exceeded generated when there are continuous MAC MOVE messages in Syslog more than 10 and scheduled to check every single minute.
Use Case # 10 - Port Utilization
In this example, NetVisor UNUM generates a Port Utilization Alert when port usage exceeds 80% more than 20 times in 15 minutes.
|
Type of Warning |
Warning |
|
Alert Name |
Port Utilization Alert |
|
Index Pattern |
.portstats-v* |
|
Index Type |
portstats |
|
Time Field |
readtime |
|
Rule Type |
Threshold |
|
Keyword Filter |
* |
|
Aggregation Filter |
Count > 20 |
|
Query Filter |
diffinput.utilization |
|
Query Filter |
Must be |
|
Query Filter |
> 80 |
|
Time Window |
Last 15 Minutes |
|
Schedule |
√ Checked |
|
Frequency |
Select your run frequency starting from the next minute based on your system clock. |
|
Alert Action |
√ Checked - Please refer to the menu configuration settings in the Alerts section for more information. |
Result: Alert for Port Utilization gets generated when there is a match based on the above criteria, scheduled to check every single minute.
Use Case # 11 - Port Errors
In this example, NetVisor UNUM generates a Port Errors Alert when port errors exceed 50 in 15 minutes.
|
Type of Warning |
Warning |
|
Alert Name |
Port Errors |
|
Index Pattern |
.port* |
|
Index Type |
portstats |
|
Time Field |
readtime |
|
Rule Type |
Threshold |
|
Keyword Filter |
* |
|
Aggregation Filter |
Count > 0 |
|
Query Filter |
diffinput.errors |
|
Query Filter |
Must be |
|
Query Filter |
> 50 |
|
Time Window |
Last 15 Minutes |
|
Schedule |
√ Checked |
|
Frequency |
Select your run frequency starting from the next minute based on your system clock. |
|
Alert Action |
√ Checked - Please refer to the menu configuration settings in the Alerts section for more information. |
Result: Alert for Port Errors gets generated when there is a match based on the above criteria, scheduled to check every single minute.
Use Case # 12 - Port Congestion Drops
In this example, NetVisor UNUM generates a Port Congestion Drops Alert when port congestion exceeds 50 more than 5 times in 15 minutes.
|
Type of Warning |
Warning |
|
Alert Name |
Port Errors |
|
Index Pattern |
*.port* |
|
Index Type |
portstats |
|
Time Field |
readtime |
|
Rule Type |
Threshold |
|
Keyword Filter |
* |
|
Aggregation Filter |
Count > 5 |
|
Query Filter |
diffinput.congestionDropPkts |
|
Query Filter |
Must be |
|
Query Filter |
> 50 |
|
Time Window |
Last 15 Minutes |
|
Schedule |
√ Checked |
|
Frequency |
Select your run frequency starting from the next minute based on your system clock. |
|
Alert Action |
√ Checked - Please refer to the menu configuration settings in the Alerts section for more information. |
Result: Alert for Port Congestion Drops gets generated when there is a match based on the above criteria, scheduled to check every single minute.