4 Replies Latest reply on Aug 18, 2017 8:42 AM by shankar.g

    Feed health monitoring in Nitro

    jhonny

      Hello all,

       

      Maybe somebody is already using custom Nitro feed health monitoring alerts/correlations to automatically generate an alert or case due to inactivity of one of the existing data feeds? Let's say, if the Nitro receiver doesn't receive any data in 10-15 mins, auto-generate an alert for an analyst for further troubleshooting or required escalations?

       

      Would appreciate any ideas/comments.

       

      Thanks,

      J.

        • 1. Re: Feed health monitoring in Nitro
          protah

          Hey J,

           

          So, to first answer your question: alerting on whether ERC events are received within a specific time frame can be set up in the Inactivity Threshold feature.

          But to sort of resolve any other questions you have regarding health status alarms, see the list below for the native Health Status Signature IDs to create alarms from. Let me know if you have any questions.

           

          R/

          Jacob D

           

          Rule name                                           | Signature ID
          ----------------------------------------------------|-------------
          A RAID error has occurred                           | 306-50054
          Advanced Syslog Parser collector state change alert | 306-50029
          APM distiller process                               | 306-50066
          Archive process state change alert                  | 306-50051
          Blue Martini parser alert                           | 306-50071
          Bypass NIC state alert                              | 306-50001
          Communication channel state change alert            | 306-50013
          Data partitions free disk space alert               | 306-50005
          Database detection services state alert             | 306-50036
          Deep packet inspector state change alert            | 306-50008
          Disk drive failure alert                            | 306-50018
          ELM archive process state change alert              | 306-50045
          ELM file process                                    | 306-50065
          ELM FTI alert                                       | 306-50064
          ELM mount point state change alert                  | 306-50053
          ELM query engine state change alert                 | 306-50046
          ELM redundant storage                               | 306-50063
          ELM system database error                           | 306-50044
          Email collector state change alert                  | 306-50040
          Error communicating with ELM                        | 306-50047
          eStreamer Collector alert                           | 306-50070
          eStreamer Collector state change alert              | 306-50041
          Failed to format SAN device                         | 306-50057
          File collector state change alert                   | 306-50049
          Filter process state change alert                   | 306-50050
          Firewall alert aggregator state change alert        | 306-50009
          Health monitor internal alert                       | 306-50027
          HTTP collector state change alert                   | 306-50039
          IPFIX collector state change alert                  | 306-50055
          Log partitions free disk space alert                | 306-50004
          McAfee EDB database server state change alert       | 306-50010
          McAfee ePolicy Orchestrator Collector alert         | 306-50069
          McAfee Event Format state change alert              | 306-50031
          Microsoft Forefront Threat Management Gateway alert | 306-50068
          MS-SQL retriever state change alert                 | 306-50035
          Multi-event log alert                               | 306-50062
          NetFlow collector state change alert                | 306-50024
          NFS/CIFS collector state change alert               | 306-50048
          NitroFlow collector state change alert              | 306-50026
          OPSEC retriever state change alert                  | 306-50028
          OPSEC retriever state change alert                  | 306-50034
          Oracle IDM Collector alert                          | 306-50072
          Oversubscription alert                              | 306-50012
          Plug-in Collector/Parser alert                      | 306-50073
          Receiver HA                                         | 306-50058
          Receiver HA Opsec Configuration                     | 306-50059
          Remote NFS mount point state change alert           | 306-50020
          Remote share/mount point free disk space alert      | 306-50021
          Remote SMB/CIFS share state change alert            | 306-50019
          Risk Correlation state change alert                 | 306-50061
          Root partitions free disk space alert               | 307-50002
          SDEE retriever state change alert                   | 306-50033
          sFlow collector state change alert                  | 306-50025
          SNMP collector state change alert                   | 306-50023
          SQL collector state change alert                    | 306-50038
          Symantec AV collector state change alert            | 306-50056
          Syslog Collector state change alert                 | 306-50037
          System logger state change alert                    | 306-50014
          Temporary partitions free disk space alert          | 306-50003
          Text log parser state change alert                  | 306-50052
          VA Data Engine status alert                         | 306-50043
          Websense Collector alert                            | 306-50067
          WMI Event Log collector state change alert          | 306-50030
          • 2. Re: Feed health monitoring in Nitro
            colibri

            So that would be the Inactivity signature, as there are many signatures related to health status?

             

            Thank you.

             

            Anthony

            • 3. Re: Feed health monitoring in Nitro
              rth67

              You can also try setting up Alarms using the "Deviation from Baseline" - we monitor the Receivers, ACE, and APM as a whole, and then a few specific high profile devices individually.

              Query on Total Events, Last "X" (Minutes / Hours)

              Specify % Above and % Below

              Finally how often to Check - "X" Hours and "Y" Minutes
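
              The two alarm types discussed in this thread, the Inactivity Threshold from reply 1 (no events from a data source for more than N minutes) and the Deviation from Baseline from reply 3 (event count over the last X minutes compared against a baseline with separate % above and % below tolerances), expressed as a small periodic check. This is an added example written for this thread, not code from the thread's authors or from McAfee ESM/Nitro; the data-source names, the event records, the configured-source list and the thresholds are all constructed for illustration.

```python
"""
Two feed-health checks modelled on the ESM alarm types discussed in this
thread: an inactivity threshold (a data source has sent nothing for more
than N minutes) and a deviation-from-baseline check (event count in the
last X minutes compared with a baseline, with separate % above and % below
tolerances).  Example code written for this thread, not McAfee ESM code;
the event records and source names below are constructed.
"""
from datetime import datetime, timedelta

# Constructed sample feed: "<UTC timestamp> <data source>" per line, the
# shape a per-source event export from a receiver might take (assumption).
SAMPLE_EVENTS = """\
2017-08-18T08:10:00Z fw-edge-01
2017-08-18T08:15:00Z ad-dc-01
2017-08-18T08:20:00Z ad-dc-01
2017-08-18T08:25:00Z fw-edge-01
2017-08-18T08:30:00Z fw-edge-01
2017-08-18T08:35:00Z vpn-gw-01
2017-08-18T08:36:00Z fw-edge-01
2017-08-18T08:40:00Z fw-edge-01
2017-08-18T08:41:00Z fw-edge-01
"""

# Hypothetical list of data sources the receiver is configured for.  A source
# that is configured but has never sent anything must still raise an alarm;
# deriving the source list from the events alone would silently hide it.
CONFIGURED_SOURCES = ["fw-edge-01", "ad-dc-01", "vpn-gw-01", "proxy-01"]


def parse_ts(s):
    """Parse an ISO-8601 UTC timestamp with a trailing Z."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def parse_events(text):
    """Return a list of (timestamp, source) tuples, skipping blank lines."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, src = line.split(None, 1)
        events.append((parse_ts(ts), src))
    return events


def inactive_sources(events, now, threshold_minutes, configured_sources):
    """Inactivity threshold: map each silent configured source to the whole
    minutes since its last event, or None if it has never sent anything."""
    last_seen = {}
    for ts, src in events:
        if src not in last_seen or ts > last_seen[src]:
            last_seen[src] = ts
    silent = {}
    for src in configured_sources:
        last = last_seen.get(src)
        if last is None:
            silent[src] = None
        else:
            minutes = int((now - last).total_seconds() // 60)
            if minutes > threshold_minutes:
                silent[src] = minutes
    return silent


def baseline_deviation(events, now, window_minutes, baseline,
                       pct_above, pct_below, source=None):
    """Deviation from baseline: count events in the last window_minutes
    (optionally for a single source) and classify the count as 'above',
    'below' or 'normal' relative to baseline +pct_above% / -pct_below%."""
    start = now - timedelta(minutes=window_minutes)
    count = sum(1 for ts, src in events
                if start < ts <= now and (source is None or src == source))
    upper = baseline * (1 + pct_above / 100.0)
    lower = baseline * (1 - pct_below / 100.0)
    if count > upper:
        status = "above"
    elif count < lower:
        status = "below"
    else:
        status = "normal"
    return count, status


def run_checks(now, events=None):
    """Run both checks as a scheduled alarm would and return alarm strings."""
    events = parse_events(SAMPLE_EVENTS) if events is None else events
    alarms = []
    # 15-minute inactivity threshold, as suggested in the original post.
    for src, minutes in sorted(inactive_sources(events, now, 15,
                                                CONFIGURED_SOURCES).items()):
        if minutes is None:
            alarms.append(f"INACTIVE {src}: no events ever received")
        else:
            alarms.append(f"INACTIVE {src}: silent for {minutes} min (threshold 15)")
    # Whole-receiver baseline of 12 events per 30 min, 50% above / 20% below.
    count, status = baseline_deviation(events, now, 30, 12, 50, 20)
    if status != "normal":
        alarms.append(f"BASELINE receiver: {count} events in last 30 min "
                      f"is {status} baseline 12")
    return alarms


if __name__ == "__main__":
    for line in run_checks(parse_ts("2017-08-18T08:42:00Z")):
        print(line)
```

              Run stand-alone it reports ad-dc-01 as silent for 22 minutes, proxy-01 as never seen, and the receiver as a whole below its 30-minute baseline. The per-source variant of the baseline check (passing `source=`) is what the "few specific high profile devices individually" in reply 3 corresponds to; keeping the configured-source list separate from the observed events is the detail that makes a feed that has never started (a misconfigured collector, a firewall change) visible rather than invisible.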

              • 4. Re: Feed health monitoring in Nitro
                shankar.g

                Hi Jacob,

                 

                Would you please help me out with how to create a device health status dashboard and how to create health status alarms with the signature IDs which you shared?

                 

                Regards

                S.G