Use Cases


There are features and functions used in Arista NetVisor UNUM and Insight Analytics that are common throughout the user interface (UI). Please refer to the Common Functions section for more information on the use of these functions and features.


The following Use Cases are examples of configuring Alerts in NetVisor UNUM.


Switch CPU Exceed Limit Alert

Switch Memory Limit Exceed Alert

Link Down Alert

Link Up Alert

Multiple Login Failure Alert

Fabric Node State Change Alert

Excessive Packet Drops Alert

Port Scanning / SYN Attack / SYN Flood Alert

MAC Move Exceeded Alert

Port Utilization Alert

Port Errors

Port Congestion Drops




Alert Details


Create Alerts using the following parameters. The interface prompts you for mandatory fields.


Classification identifies the severity of the alert sent: Critical, Warning, or Information.

Alert Name: a name of your choice.

Index Name: choose the appropriate indices from Elasticsearch.

Optionally, select the Index Type for the selected Elasticsearch index.

Select the Time Field for the index (the timestamp field the Time Window is evaluated against).

Optionally, enter Alert Tags, which let you search for the Alert based on its tags.


Please refer to the menu configuration settings in the Alerts section for more information.




Available Index Patterns


The Use Cases are built upon the following Index Patterns.


Index Pattern: Notes

all-auditlogs: Audit information for events such as login, logout, licenses added, etc.
all-connections: Connections captured every 60 seconds.
all-fabricresources: Fabric dashboard information such as VLANs, Tunnels, VRF and VNI.
all-hwutils: Fabric dashboard, L2 / L3, Routes and vFlow switch information.
all-meshpings: Mesh ping information such as ping failures.
all-portstatss: Port information captured every 5 seconds.
all-snmptraps: SNMP traps captured by NetVisor UNUM - requires SNMP to be configured.
all-syslogs: Syslog events captured by NetVisor UNUM - requires Syslog to be configured.
all-systemstatss: CPU and memory information captured every 30 seconds.
all-tunnelstatss: Tunnel statistics captured every 5 seconds.
all-vports: vPort details captured every 60 seconds.


Before configuring Alerts, first enter the Index Patterns based on the type of data you require.


Please refer to the menu configuration settings in the Alerts section for more information.




Alert Condition


Configure different types of alerts using the Rule Type parameter. The supported Rule Types and the condition each one matches are:


Rule type – monitoring pattern for a rule

Threshold – Match on any event matching a given filter

Spike – Match when the rate of events increases or decreases

New value – Match when a never before seen value appears in a field

Repeated value – Match when a repeated value appears in a field

Flatline – Match when the event count drops to a dead state, i.e., fewer than 1 event in the time window


Please refer to the menu configuration settings in the Alerts section for more information.
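The five Rule Types above, written out as an added illustration (this is not UNUM's own code): each evaluator receives the events inside the rule's Time Window and returns True when the rule fires. Field names follow this page's use cases; the readings, the clock value NOW and the 2x spike ratio are constructed assumptions.

```python
"""Rule-type evaluators, added illustration (not UNUM's own code).
Each evaluator gets the events inside the rule's time window and
returns True when the rule fires. Sample readings are constructed."""
from collections import Counter
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=15)

def in_window(events, now, window=WINDOW):
    """Keep the events whose timestamp falls in (now - window, now]."""
    return [e for e in events if now - window < e["ts"] <= now]

def threshold(events, predicate, min_count):
    """Threshold: more than min_count events match the query filter (Count > N)."""
    return sum(1 for e in events if predicate(e)) > min_count

def spike(events, now, window=WINDOW, ratio=2.0):
    """Spike: the event rate rises or falls by `ratio` against the previous window."""
    cur = len(in_window(events, now, window))
    prev = len(in_window(events, now - window, window))
    if cur == 0 or prev == 0:   # simplification: a change from or to silence counts
        return cur != prev
    return cur / prev >= ratio or prev / cur >= ratio

def new_value(history, events, field):
    """New value: `field` holds a value never seen in the history before the window."""
    seen = {e[field] for e in history}
    return any(e[field] not in seen for e in events)

def repeated_value(events, field, times=2):
    """Repeated value: one value of `field` appears at least `times` times."""
    return any(n >= times for n in Counter(e[field] for e in events).values())

def flatline(events):
    """Flatline: fewer than 1 event in the window, i.e. the feed went dead."""
    return len(events) < 1

# Constructed all-systemstats-style readings: one every 30 s over the last
# 15 minutes, the first 21 of them with cpuSys above 80.
NOW = datetime(2024, 1, 1, 12, 0, 0)
CPU_READINGS = [{"ts": NOW - timedelta(seconds=30 * i), "switchName": "leaf-1",
                 "cpuSys": 90 if i < 21 else 40} for i in range(30)]

def cpu_alert(readings=CPU_READINGS, now=NOW):
    """Use Case 1 as a Threshold rule: cpuSys > 80 more than 20 times in 15 minutes."""
    return threshold(in_window(readings, now), lambda e: e["cpuSys"] > 80, 20)
```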




Schedule Detail


If you would like to schedule the alerts, enable the Schedule section checkbox, and specify the following details.


If you don’t want your alert generated, uncheck the Schedule section checkbox.


1. Set up the schedule for the alert by selecting the Frequency Type as “Hourly,” “Daily,” “Weekly,” “Monthly,” “Yearly,” or “Custom.”

2. Enter the scheduled frequency time in the Schedule Frequency Time section to schedule alert generation.

3. Enter the start time from which to generate the alert in the Start Time field.


Please refer to the menu configuration settings in the Alerts section for more information.




Alert Action


Set Alert notifications by selecting the Alert action checkbox option. If you do not want the alert, clear the checkbox.


The supported alert actions include:


1. Send alerts to Email.

2. Send alerts to the Elasticsearch index.


Please refer to the menu configuration settings in the Alerts section for more information.




Use Case # 1 - Switch CPU Exceed Limit Alert


In this example, NetVisor UNUM generates an alert if the CPU load rises above 80% at least 20 times in the last 15 minutes, checked at a scheduled interval of one minute. These settings are recommended because they distinguish a temporary CPU spike from a CPU that is continuously overburdened.


Settings


Type of Warning: Critical
Alert Name: CPU Load
Index Pattern: all-systemstats*
Index Type: systemstats
Time Field: readTime
Rule Type: Threshold
Keyword Filter: *
Aggregation Filter: Count > 20
Query Filter: Select either your Fabric Name or your Switch Name
Query Filter: cpuSys Must be > 80
Time Window: 15 Minutes
Schedule: Checked
Frequency: Select your run frequency starting from the next minute based on your system clock.
Alert Action: Checked - Please refer to the menu configuration settings in the Alerts section for more information.


Result: An Alert for "CPU Load" is generated when the CPU load exceeds the 80% threshold more than 20 times in the last 15 minutes.




Use Case # 2 - Switch Memory Limit Exceed Alert


In this example, NetVisor UNUM generates an alert if memory usage exceeds 70% at least 10 times in the last week, checked at a scheduled interval of one minute. This alert helps monitor switch memory load.


Settings


Type of Warning: Warning
Alert Name: Memory Load
Index Pattern: all-systemstats*
Index Type: systemstats
Time Field: readTime
Rule Type: Threshold
Keyword Filter: *
Aggregation Filter: Count > 10
Query Filter: usedMem Must be > 70
Time Window: 1 Week
Schedule: Checked
Frequency: Select your run frequency starting from the next minute based on your system clock.
Alert Action: Checked - Please refer to the menu configuration settings in the Alerts section for more information.


Result: An Alert for "Memory Load" is generated when memory usage exceeds the 70% threshold more than 10 times in the last week, checked every minute.




Use Case # 3 - Link Down Alert


In this example, NetVisor UNUM generates a Link Down Alert when a specific port goes down more than 5 times in a day, checked every minute. This alert triggers whenever a port flaps due to software or hardware issues.


Settings


Type of Warning: Critical
Alert Name: Link Down
Index Pattern: all-syslog*
Index Type: syslog
Time Field: @timestamp
Rule Type: Threshold
Keyword Filter: *
Aggregation Filter: Count > 5
Query Filter: sd.category Must be == event
Query Filter: switchName Must be == (Enter your Switch Name).
Query Filter: id Must be == 11003
Time Window: 1 Day
Schedule: Checked
Frequency: Select your run frequency starting from the next minute based on your system clock.
Alert Action: Checked - Please refer to the menu configuration settings in the Alerts section for more information.


Result: An Alert for Link Down is generated when a specific port, or any port on the selected switch, goes down more than 5 times within the scheduled time window.




Use Case # 4 - Link Up Alert


In this example, NetVisor UNUM generates a Link Up Alert when a specific port comes up more than 5 times in a day, checked every minute. This alert triggers whenever a port flaps due to software or hardware issues.


Settings


Type of Warning: Critical
Alert Name: Link Up
Index Pattern: all-syslog*
Index Type: syslog
Time Field: @timestamp
Rule Type: Threshold
Keyword Filter: *
Aggregation Filter: Count > 5
Query Filter: sd.category Must be == event
Query Filter: switchName Must be == (Enter your Switch Name).
Query Filter: id Must be == 11002
Time Window: 1 Day
Schedule: Checked
Frequency: Select your run frequency starting from the next minute based on your system clock.
Alert Action: Checked - Please refer to the menu configuration settings in the Alerts section for more information.


Result: An Alert for Link Up is generated when a specific port, or any port on the selected switch, comes up more than 5 times within the scheduled time window.




Use Case # 5 - Multiple Login Failure Alert


In this example, NetVisor UNUM generates a Login Failed Alert when a specific unauthorized user attempts to log in more than 5 times and fails each time. Checked every minute, this alert triggers as long as the unauthorized user continues to attempt a login to the device.


Settings


Type of Warning: Critical
Alert Name: Login Failure
Index Pattern: all-syslog*
Index Type: syslog
Time Field: @timestamp
Rule Type: Threshold
Keyword Filter: *
Aggregation Filter: Count > 5
Query Filter: sd.category Must be == audit
Query Filter: switchName Must be == (Enter your Switch Name).
Query Filter: id Must be == 11103
Time Window: 1 Day
Schedule: Checked
Frequency: Select your run frequency starting from the next minute based on your system clock.
Alert Action: Checked - Please refer to the menu configuration settings in the Alerts section for more information.




Use Case # 6 - Fabric Node State Change Alert


In this example, NetVisor UNUM generates a Fabric Node State Change Alert when specific node state changes occur, checked every minute. This alert triggers whenever a switch goes down, or problems exist with NetVisor OS on a particular switch due to software or hardware issues, more than 5 times in a day.


Settings


Type of Warning: Critical
Alert Name: Fabric Node State Change
Index Pattern: all-syslog*
Index Type: syslog
Time Field: @timestamp
Rule Type: Threshold
Keyword Filter: *
Aggregation Filter: Count > 5
Query Filter: switchName Must be == (Enter your Switch Name).
Query Filter: sd.category Must be == system
Query Filter: id Must be == 11403
Time Window: 1 Day
Schedule: Checked
Frequency: Select your run frequency starting from the next minute based on your system clock.
Alert Action: Checked - Please refer to the menu configuration settings in the Alerts section for more information.


Result: An Alert for Fabric Node State Change is generated when the state of the specified node changes more than 5 times within the time window, checked every minute.




Use Case # 7 - Excessive Packet Drops Alert


In this example, NetVisor UNUM generates an Excessive Drop Alert when there are excessive packet drops measured in iDiscards/oDiscards, scheduled to check every minute daily. This alert triggers when a physical port is not functioning correctly or a specific software queue or the CPU is dropping packets.


Settings


Type of Warning: Critical
Alert Name: Excessive Packet Drop
Index Pattern: *.ports*
Index Type: portstats
Time Field: readTime
Rule Type: Threshold
Keyword Filter: *
Aggregation Filter: Count > 0
Query Filter: diffInput.discards Must be > 50
Time Window: 15 Minutes
Schedule: Checked
Frequency: Select your run frequency starting from the next minute based on your system clock.
Alert Action: Checked - Please refer to the menu configuration settings in the Alerts section for more information.


Result: An Alert for Excessive Packet Drop is generated when the packet drops observed as iDiscards/oDiscards exceed the configured threshold, checked every minute.




Use Case # 8 - Port Scanning / SYN Attack / SYN Flood Alert


In this example, NetVisor UNUM generates a Port Scanning Alert when there are more than 50 connections in the SYN state within 15 minutes, checked every minute.


Settings


Type of Warning: Critical
Alert Name: Possible Port Scan
Index Pattern: all-connections*
Index Type: connection
Time Field: startedTime
Rule Type: Threshold
Keyword Filter: *
Aggregation Filter: Count > 50
Query Filter: curState Must be == SYN
GROUP BY: Checked
Select Fields: srcIp
ORDER: Descending
Number of Documents: 5
Time Window: 15 Minutes
Schedule: Checked
Frequency: Select your run frequency starting from the next minute based on your system clock.
Alert Action: Checked - Please refer to the menu configuration settings in the Alerts section for more information.


Result: An Alert for Port Scan / SYN Attack is generated when a single source IP accounts for more than 50 connections in the SYN state within the 15-minute window, checked every minute.
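To show what the Use Case 8 settings amount to in Elasticsearch terms, here is an added example (not UNUM's own code, and not the query UNUM itself sends): a hand-written query body equivalent to the Time Window, Query Filter, Aggregation Filter and GROUP BY settings, plus a local matcher that applies the same filters to constructed all-connections documents. The same builder covers the single-switch rules such as Use Case 5 by swapping in their == filters; it assumes the grouped field is mapped as keyword.

```python
"""Use Case 8 as an ES query plus a local matcher (added illustration; the
query body is a hand-written equivalent of the UI settings, not UNUM's own)."""
from collections import Counter

def build_query(time_field, window_minutes, filters, group_by=None, min_count=0, top_n=5):
    """Map Time Window, Query Filters and GROUP BY onto Elasticsearch query DSL.
    Assumes `group_by` is a keyword-mapped field (otherwise use field + '.keyword')."""
    must = [{"range": {time_field: {"gte": f"now-{window_minutes}m", "lte": "now"}}}]
    for field, op, value in filters:
        if op == "==":
            must.append({"term": {field: value}})
        elif op == ">":
            must.append({"range": {field: {"gt": value}}})
        else:
            raise ValueError(f"unsupported operator {op!r}")
    body = {"size": 0, "query": {"bool": {"filter": must}}}
    if group_by:  # GROUP BY, ORDER Descending, Number of Documents = top_n
        body["aggs"] = {"by_" + group_by: {"terms": {
            "field": group_by, "size": top_n, "order": {"_count": "desc"},
            "min_doc_count": min_count + 1}}}  # Aggregation Filter: Count > min_count
    return body

def matches(doc, filters):
    """Apply the same Query Filters to a single document locally."""
    for field, op, value in filters:
        if op == "==" and doc.get(field) != value:
            return False
        if op == ">" and not doc.get(field, 0) > value:
            return False
    return True

def offending_sources(docs, filters, group_by, min_count, top_n=5):
    """Top `top_n` values of `group_by` whose matching-document count exceeds min_count."""
    counts = Counter(d[group_by] for d in docs if matches(d, filters))
    return [(src, n) for src, n in counts.most_common(top_n) if n > min_count]

PORT_SCAN_FILTERS = [("curState", "==", "SYN")]

# Constructed all-connections documents: one host leaves 60 half-open connections,
# one has established sessions only, one has a handful of SYNs.
CONNECTIONS = (
    [{"srcIp": "10.0.0.9", "dstPort": 1000 + i, "curState": "SYN"} for i in range(60)]
    + [{"srcIp": "10.0.0.5", "dstPort": 443, "curState": "ESTABLISHED"} for _ in range(30)]
    + [{"srcIp": "10.0.0.7", "dstPort": 22 + i, "curState": "SYN"} for i in range(4)]
)

def port_scan_alert(docs=CONNECTIONS):
    """Use Case 8: Count > 50 SYN connections per srcIp inside the 15-minute window."""
    return offending_sources(docs, PORT_SCAN_FILTERS, "srcIp", min_count=50)
```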




Use Case # 9 - MAC Move Exceeded Alert


In this example, NetVisor UNUM generates a MAC Move Exceeded Alert when there are more than 10 moves in a day, checked every minute. A MAC move occurs when a MAC address appears on a different physical interface, or on a different unit of the same physical interface; when this happens frequently it indicates a problem. Configuration errors in the Layer 2 network can force traffic into never-ending circular paths.


Settings


Type of Warning: Critical
Alert Name: MAC Move Exceed Alert
Index Pattern: all-syslog*
Index Type: syslog
Time Field: @timestamp
Rule Type: Threshold
Keyword Filter: *
Aggregation Filter: Count > 10
Query Filter: sd.category Must be == system
Query Filter: Select either your Fabric Name or your Switch Name
Query Filter: id Must be == 11329
Time Window: 1 Day
Schedule: Checked
Frequency: Select your run frequency starting from the next minute based on your system clock.
Alert Action: Checked - Please refer to the menu configuration settings in the Alerts section for more information.


Result: An Alert for MAC Move Exceeded is generated when more than 10 MAC move messages appear in Syslog within the time window, checked every minute.




Use Case # 10 - Port Utilization


In this example, NetVisor UNUM generates a Port Utilization Alert when port usage exceeds 80% more than 20 times in 15 minutes.


Settings


Type of Warning: Warning
Alert Name: Port Utilization Alert
Index Pattern: .portstats-v*
Index Type: portstats
Time Field: readTime
Rule Type: Threshold
Keyword Filter: *
Aggregation Filter: Count > 20
Query Filter: diffInput.utilization Must be > 80
Time Window: Last 15 Minutes
Schedule: Checked
Frequency: Select your run frequency starting from the next minute based on your system clock.
Alert Action: Checked - Please refer to the menu configuration settings in the Alerts section for more information.


Result: Alert for Port Utilization gets generated when there is a match based on the above criteria, scheduled to check every single minute.




Use Case # 11 - Port Errors


In this example, NetVisor UNUM generates a Port Errors Alert when port errors exceed 50 in 15 minutes.


Settings


Type of Warning: Warning
Alert Name: Port Errors
Index Pattern: .port*
Index Type: portstats
Time Field: readTime
Rule Type: Threshold
Keyword Filter: *
Aggregation Filter: Count > 0
Query Filter: diffInput.errors Must be > 50
Time Window: Last 15 Minutes
Schedule: Checked
Frequency: Select your run frequency starting from the next minute based on your system clock.
Alert Action: Checked - Please refer to the menu configuration settings in the Alerts section for more information.


Result: Alert for Port Errors gets generated when there is a match based on the above criteria, scheduled to check every single minute.




Use Case # 12 - Port Congestion Drops


In this example, NetVisor UNUM generates a Port Congestion Drops Alert when the port's congestion drop packet count exceeds 50 more than 5 times in 15 minutes.


Settings


Type of Warning: Warning
Alert Name: Port Congestion Drops
Index Pattern: *.port*
Index Type: portstats
Time Field: readTime
Rule Type: Threshold
Keyword Filter: *
Aggregation Filter: Count > 5
Query Filter: diffInput.congestionDropPkts Must be > 50
Time Window: Last 15 Minutes
Schedule: Checked
Frequency: Select your run frequency starting from the next minute based on your system clock.
Alert Action: Checked - Please refer to the menu configuration settings in the Alerts section for more information.


Result: Alert for Port Congestion Drops gets generated when there is a match based on the above criteria, scheduled to check every single minute.



