Alert Rules are a feature that allows you to monitor individual aspects of your environment that Alert Logic® typically does not report on. Configuring them correctly matters: a misconfigured alert rule can leave you without timely notice of a critical host issue, or flood you with irrelevant notifications that bury the ones that matter.
Note: The following information only applies to customers with Alert Logic® Cloud Defender™, Alert Logic Log Manager™, and Alert Logic Threat Manager™ products. Alert Logic Professional™ and Essentials™ customers do not have this capability.
Support Escalations vs. Alert Rules
Alert Logic monitors your appliances and is responsible for keeping them at peak operating capacity; if an appliance problem is detected, a member of the Alert Logic Support team will reach out to you. Alert Logic does not proactively monitor anything beyond the appliances themselves, such as protected hosts, log source status, or your network. Alert rules fill that gap: you can configure them so that you are notified when a protected host or log source has been offline, in error, or silent for a period of time that you define.
Configuring Alert Rules
Utilize the following Alert Logic Documentation links to set up alert rules for either Log Manager or Threat Manager:
- Log Manager Alert Rules
- Threat Manager Alert Rules
The following recommendations help you configure alert rules that deliver the critical information you need without generating noise.
- Give the rule a purposeful name in the Collection Alert Name field, so its purpose is obvious when you later review it in the Alert Logic console.
- When choosing the Time Before Alert is Triggered value, consider how often the host should be seeing threat or log traffic. For example, a switch at its default logging level may only log when an interface comes up or goes down; in a static environment that device will send very few messages, so a short threshold would fire constantly for no reason and the value should be set high. A web-facing host that is expected to see threat traffic almost constantly is the opposite case, and the minimum value of 15 minutes is usually appropriate.
- The Time Between Alert Occurrences value is the interval, in minutes, before another notification is sent while the condition persists. If it is set to 60, an additional alert email is sent every hour that the host remains in error or is not collecting data. Repeat notifications can be suppressed entirely by checking Send Alert Once, which causes the Time Between Alert Occurrences value to be ignored and sends the alert message only once. Use this only if you are confident that the single notification will be noticed and not lost among other emails. Once the host recovers from its previous state the alert rule is reset, so you do not have to create a new rule each time it fires; the next outage will alert again.
- Choose whether your Target Type should be an agent or an appliance.
- Choose between four alert rule types in the drop-down titled Collection. For a network IDS alert rule with the Agent target type, the options are:
  - Collection – Fires if no data is seen within the timeframe specified in the rule. Use this when you want to ensure that data is consistently being received from a host.
  - Error Status – Fires if the host encounters an error. This is best practice in most circumstances because a host that goes into error typically stops collecting as well.
  - Offline Status – Fires if the host loses connectivity with the Alert Logic backend. Use this if the host is at risk of crashing or losing network connectivity.
  - Assignment – Fires only if the host has no assignment policy applied, that is, it is not assigned to report to an appliance. Because a host that loses its assignment also goes into error, an Error Status rule generally covers this case and is the better choice.
- A network IDS alert rule with the Appliance target type includes one additional option:
  - Too many IP addresses assigned – Useful if a very large number of hosts report to a single appliance, because there is an upper limit on the number of IPs that can communicate with it concurrently. Use this when the count of individual IPs hitting the appliance is in the thousands.
  Note: Log management alert rules do not offer these options.
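The timing parameters above interact in ways that are easy to get wrong, so the following added example models them against a constructed host timeline. This is illustrative code written for this article, not Alert Logic's own implementation; the rule type labels, the minute-by-minute sampling and the sample outage windows are all assumptions. It replays one timeline against four rules to show how Time Before Alert is Triggered, Time Between Alert Occurrences, Send Alert Once and reset-on-recovery combine, including the "quiet switch" case where a low threshold would alert spuriously.

```python
"""Illustrative model of collection alert rule timing (added example, not
Alert Logic's code). One HostSample per minute is replayed against a rule."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class AlertRule:
    name: str
    rule_type: str            # "collection", "error" or "offline" (assumed labels)
    time_before_alert: int    # minutes the condition must persist before the first alert
    time_between_alerts: int  # minutes between repeat alerts while it persists
    send_alert_once: bool = False


@dataclass(frozen=True)
class HostSample:
    minute: int
    collecting: bool   # data was seen from the host during this minute
    error: bool        # host is reporting an error status
    online: bool       # host can reach the backend


def condition_active(rule: AlertRule, sample: HostSample) -> bool:
    """True when this sample satisfies the rule's trigger condition."""
    if rule.rule_type == "collection":
        return not sample.collecting
    if rule.rule_type == "error":
        return sample.error
    if rule.rule_type == "offline":
        return not sample.online
    raise ValueError(f"unknown rule type: {rule.rule_type}")


def evaluate(rule: AlertRule, samples: List[HostSample]) -> List[int]:
    """Return the minutes at which the rule would send a notification."""
    fired_at: List[int] = []
    breach_start: Optional[int] = None   # minute the current breach began
    last_alert: Optional[int] = None     # minute of the latest alert in this breach
    for s in samples:
        if not condition_active(rule, s):
            # Recovery resets the rule, so a later breach alerts again.
            breach_start = last_alert = None
            continue
        if breach_start is None:
            breach_start = s.minute
        if s.minute - breach_start < rule.time_before_alert:
            continue  # condition has not persisted long enough yet
        if last_alert is None:
            fired_at.append(s.minute)            # first alert of this breach
            last_alert = s.minute
        elif (not rule.send_alert_once
              and s.minute - last_alert >= rule.time_between_alerts):
            fired_at.append(s.minute)            # repeat alert
            last_alert = s.minute
    return fired_at


def build_timeline(total_minutes: int,
                   collection_gaps: List[Tuple[int, int]],
                   error_windows: List[Tuple[int, int]]) -> List[HostSample]:
    """Constructed sample data: one sample per minute; ranges are inclusive."""
    def inside(m: int, ranges: List[Tuple[int, int]]) -> bool:
        return any(a <= m <= b for a, b in ranges)
    return [HostSample(m,
                       collecting=not inside(m, collection_gaps),
                       error=inside(m, error_windows),
                       online=True)
            for m in range(total_minutes)]


# Constructed scenario: the host goes silent twice and is in error once.
TIMELINE = build_timeline(400,
                          collection_gaps=[(10, 199), (260, 359)],
                          error_windows=[(300, 320)])

WEB_HOST_RULE = AlertRule("web-collection", "collection", 15, 60)
WEB_HOST_ONCE = AlertRule("web-collection-once", "collection", 15, 60,
                          send_alert_once=True)
SWITCH_RULE = AlertRule("switch-collection", "collection", 240, 60)
ERROR_RULE = AlertRule("host-error", "error", 15, 60)

if __name__ == "__main__":
    for rule in (WEB_HOST_RULE, WEB_HOST_ONCE, SWITCH_RULE, ERROR_RULE):
        print(f"{rule.name:22} fires at minutes {evaluate(rule, TIMELINE)}")
```

Running it shows the web host rule firing at minutes 25, 85 and 145 during the first gap and again at 275 and 335 after recovery; the Send Alert Once variant fires once per breach (25 and 275) because recovery resets it; the switch rule with a 240-minute threshold never fires on either gap; and the Error Status rule fires once at 315, since the error clears before a second hour elapses.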