API tools faq
paste
Advertisement
Guest User

kkrumm NMS Alert Rules

a guest
Sep 5th, 2017
4,654
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
text 11.56 KB | None | 0 0
raw download clone embed print report
  1. Rule name: CAUTION Device has been rebooted
  2. Alert rule: %devices.uptime < "300" && %macros.device = "1"
  3. Alert query: SELECT * FROM devices WHERE (devices.device_id = ?) && (devices.uptime < "300" && ((devices.disabled = 0 && devices.ignore = 0)) = "1" )
  4. Rule match: no match
  5.  
  6. Rule name: WARNING Network Port utilization over 75%
  7. Alert rule: %macros.port_up = "1" && %macros.port = "1" && %macros.port_usage_perc >= "75"
  8. Alert query: SELECT * FROM ports WHERE (ports.device_id = ?) && (((ports.ifOperStatus = "up" && ports.ifAdminStatus = "up" && ((ports.deleted = 0 && ports.ignore = 0 && ports.disabled = 0)))) = "1" && ((ports.deleted = 0 && ports.ignore = 0 && ports.disabled = 0)) = "1" && (((ports.ifInOctets_rate*8) / ports.ifSpeed)*100) >= "75" )
  9. Rule match: no match
  10.  
  11. Rule name: CAUTION Sensor over limit - Check Device
  12. Alert rule: %sensors.sensor_current > %sensors.sensor_limit && %sensors.sensor_alert = "1" && %macros.device_up = "1"
  13. Alert query: SELECT * FROM sensors,devices WHERE (( devices.device_id = sensors.device_id ) && sensors.device_id = ?) && (sensors.sensor_current > sensors.sensor_limit && sensors.sensor_alert = "1" && ((devices.status = 1 && ((devices.disabled = 0 && devices.ignore = 0)))) = "1" )
  14. Rule match: no match
  15.  
  16. Rule name: CAUTION Sensor under limit - Check Device
  17. Alert rule: %sensors.sensor_current < %sensors.sensor_limit_low && %sensors.sensor_alert = "1" && %macros.device_up = "1"
  18. Alert query: SELECT * FROM sensors,devices WHERE (( devices.device_id = sensors.device_id ) && sensors.device_id = ?) && (sensors.sensor_current < sensors.sensor_limit_low && sensors.sensor_alert = "1" && ((devices.status = 1 && ((devices.disabled = 0 && devices.ignore = 0)))) = "1" )
  19. Rule match: no match
  20.  
  21. Rule name: Service not responding Ping/HTTP/DNS/NTP
  22. Alert rule: %services.service_status != "0"
  23. Alert query: SELECT * FROM services WHERE (services.device_id = ?) && (services.service_status != "0" )
  24. Rule match: no match
  25.  
  26. Rule name: CRITICAL Processors usage over 80% last 5m
  27. Alert rule: %macros.past_5m = %processors.processor_usage >= "80"
  28. Alert query: SELECT * FROM processors WHERE (processors.device_id = ?) && ((DATE_SUB(NOW(),INTERVAL 5 MINUTE)) = processors.processor_usage >= "80" )
  29. Rule match: no match
  30.  
  31. Rule name: Poller is taking too long
  32. Alert rule: %pollers.time_taken >= "250"
  33. Alert query:
  34. Rule match: no match
  35.  
  36. Rule name: WARNING Storage at Warning Level
  37. Alert rule: %storage.storage_descr !~ "/boot" && %storage.storage_perc > %storage.storage_perc_warn
  38. Alert query: SELECT * FROM storage WHERE (storage.device_id = ?) && (storage.storage_descr NOT REGEXP "/boot" && storage.storage_perc > storage.storage_perc_warn )
  39. Rule match: no match
  40.  
  41. Rule name: CAUTION Syslog, authentication failure on Device
  42. Alert rule: %syslog.timestamp > = %macros.past_5m && %syslog.msg ~ "@authentication failure@"
  43. Alert query: SELECT * FROM syslog WHERE (syslog.device_id = ?) && (syslog.timestamp > = (DATE_SUB(NOW(),INTERVAL 5 MINUTE)) && syslog.msg REGEXP ".*authentication failure.*" )
  44. Rule match: no match
  45.  
  46. Rule name: WARNING Device Memory High Usage
  47. Alert rule: %mempools.mempool_descr = "Virtual memory" && %mempools.mempool_perc >= "70"
  48. Alert query: SELECT * FROM mempools WHERE (mempools.device_id = ?) && (mempools.mempool_descr = "Virtual memory" && mempools.mempool_perc >= "70" )
  49. Rule match: no match
  50.  
  51. Rule name: CAUTION Login failure on network device
  52. Alert rule: %syslog.timestamp >= %macros.past_5m && %syslog.msg ~ "@Invalid user name/password@"
  53. Alert query: SELECT * FROM syslog WHERE (syslog.device_id = ?) && (syslog.timestamp >= (DATE_SUB(NOW(),INTERVAL 5 MINUTE)) && syslog.msg REGEXP ".*Invalid user name/password.*" )
  54. Rule match: no match
  55.  
  56. Rule name: WARNING Device has High Packet Loss
  57. Alert rule: %macros.packet_loss_5m >= "10"
  58. Alert query: SELECT * FROM device_perf WHERE (device_perf.device_id = ?) && ((((DATE_SUB(NOW(),INTERVAL 5 MINUTE)) && device_perf.loss)) >= "10" )
  59. Rule match: no match
  60.  
  61. Rule name: WARNING Device High Network Latency
  62. Alert rule: %macros.icmp_response >= "90"
  63. Alert query: SELECT * FROM device_perf WHERE (device_perf.device_id = ?) && ((((DATE_SUB(NOW(),INTERVAL 5 MINUTE)) && device_perf.avg)) >= "90" )
  64. Rule match: no match
  65.  
  66. Rule name: WARNING Device Memory High Usage 2
  67. Alert rule: %mempools.mempool_descr ~ "Global Memory 1" || %mempools.mempool_descr ~ "Local Memory 1" && %mempools. >= "80"
  68. Alert query: SELECT * FROM mempools WHERE (mempools.device_id = ?) && (mempools.mempool_descr REGEXP "Global Memory 1" || mempools.mempool_descr REGEXP "Local Memory 1" && mempools. >= "80" )
  69. Rule match: no match
  70.  
  71. Rule name: CAUTION Syslog Received Alert Message
  72. Alert rule: %syslog.timestamp >= %macros.past_5m && %syslog.priority ~ "alert"
  73. Alert query: SELECT * FROM syslog WHERE (syslog.device_id = ?) && (syslog.timestamp >= (DATE_SUB(NOW(),INTERVAL 5 MINUTE)) && syslog.priority REGEXP "alert" )
  74. Rule match: no match
  75.  
  76. Rule name: CRITICAL Device Down Alert
  77. Alert rule: %macros.device_down = "1" && %devices.status_reason = "icmp"
  78. Alert query: SELECT * FROM devices WHERE (devices.device_id = ?) && (((devices.status = 0 && ((devices.disabled = 0 && devices.ignore = 0)))) = "1" && devices.status_reason = "icmp" )
  79. Rule match: no match
  80.  
  81. Rule name: CAUTION Syslog Received Emergency Priority Msg
  82. Alert rule: %syslog.timestamp >= %macros.past_5m && %syslog.priority ~ "emerg" || %syslog.priority ~ "emergency"
  83. Alert query: SELECT * FROM syslog WHERE (syslog.device_id = ?) && (syslog.timestamp >= (DATE_SUB(NOW(),INTERVAL 5 MINUTE)) && syslog.priority REGEXP "emerg" || syslog.priority REGEXP "emergency" )
  84. Rule match: no match
  85.  
  86. Rule name: Device discovered within the last 60 minutes
  87. Alert rule: %eventlog.type = "discovery" && %eventlog.message ~ "@autodiscovered@" && %eventlog.datetime >= %macros.past_60m
  88. Alert query: SELECT * FROM eventlog WHERE (eventlog.device_id = ?) && (eventlog.type = "discovery" && eventlog.message REGEXP ".*autodiscovered.*" && eventlog.datetime >= (DATE_SUB(NOW(),INTERVAL 60 MINUTE)) )
  89. Rule match: no match
  90.  
  91. Rule name: A Duplicate IP address detected
  92. Alert rule: %syslog.timestamp >= %macros.past_5m && %syslog.msg ~ "@Duplicate@ "
  93. Alert query: SELECT * FROM syslog WHERE (syslog.device_id = ?) && (syslog.timestamp >= (DATE_SUB(NOW(),INTERVAL 5 MINUTE)) && syslog.msg REGEXP ".*Duplicate.* " )
  94. Rule match: no match
  95.  
  96. Rule name: A duplicate MAC address is detected
  97. Alert rule: %syslog.timestamp >= %macros.past_5m && %syslog.msg ~ "@is flapping between port@"
  98. Alert query: SELECT * FROM syslog WHERE (syslog.device_id = ?) && (syslog.timestamp >= (DATE_SUB(NOW(),INTERVAL 5 MINUTE)) && syslog.msg REGEXP ".*is flapping between port.*" )
  99. Rule match: no match
  100.  
  101. Rule name: Port with Duplex mismatch
  102. Alert rule: %syslog.timestamp >= %%macros.past_5m && %syslog.msg ~ "@duplex mismatch@"
  103. Alert query: SELECT * FROM syslog WHERE (syslog.device_id = ?) && (syslog.timestamp >= (DATE_SUB(NOW(),INTERVAL 5 MINUTE)) && syslog.msg REGEXP ".*duplex mismatch.*" )
  104. Rule match: no match
  105.  
  106. Rule name: Interface has Possible Duplex Mismatch/or Line Issues
  107. Alert rule: %syslog.msg ~ "@Excessive CRC@" && %syslog.timestamp >= %macros.past_5m
  108. Alert query: SELECT * FROM syslog WHERE (syslog.device_id = ?) && (syslog.msg REGEXP ".*Excessive CRC.*" && syslog.timestamp >= (DATE_SUB(NOW(),INTERVAL 5 MINUTE)) )
  109. Rule match: no match
  110.  
  111. Rule name: WARNING UPS Battery Needs Replacement
  112. Alert rule: %sensors.sensor_type ~ "upsAdvBatteryReplaceIndicator" && %sensors.sensor_current = "2"
  113. Alert query: SELECT * FROM sensors WHERE (sensors.device_id = ?) && (sensors.sensor_type REGEXP "upsAdvBatteryReplaceIndicator" && sensors.sensor_current = "2" )
  114. Rule match: no match
  115.  
  116. Rule name: WARNING UPS Switched to Battery
  117. Alert rule: %sensors.sensor_current = "3" && %sensors.sensor_type = "upsBasicOutputStatus"
  118. Alert query: SELECT * FROM sensors WHERE (sensors.device_id = ?) && (sensors.sensor_current = "3" && sensors.sensor_type = "upsBasicOutputStatus" )
  119. Rule match: no match
  120.  
  121. Rule name: WARNING UPS Hardware Failure Bypass
  122. Alert rule: %sensors.sensor_current = "10" && %sensors.sensor_type = "upsBasicOutputStatus"
  123. Alert query: SELECT * FROM sensors WHERE (sensors.device_id = ?) && (sensors.sensor_current = "10" && sensors.sensor_type = "upsBasicOutputStatus" )
  124. Rule match: no match
  125.  
  126. Rule name: WARNING UPS Emergency Static Bypass
  127. Alert rule: %sensors.sensor_current = "16" && %sensors.sensor_type = "upsBasicOutputStatus"
  128. Alert query: SELECT * FROM sensors WHERE (sensors.device_id = ?) && (sensors.sensor_current = "16" && sensors.sensor_type = "upsBasicOutputStatus" )
  129. Rule match: no match
  130.  
  131. Rule name: WARNING Bad PSU #1
  132. Alert rule: %sensors.sensor_oid = ".1.3.6.1.4.1.11.2.14.11.1.2.6.1.4.2" && %sensors.sensor_current = "2"
  133. Alert query: SELECT * FROM sensors WHERE (sensors.device_id = ?) && (sensors.sensor_oid = ".1.3.6.1.4.1.11.2.14.11.1.2.6.1.4.2" && sensors.sensor_current = "2" )
  134. Rule match: no match
  135.  
  136. Rule name: CRITICAL Faulty Fan detected
  137. Alert rule: %sensors.sensor_oid = ".1.3.6.1.4.1.11.2.14.11.1.2.6.1.4.1" && %sensors.sensor_current = "2"
  138. Alert query: SELECT * FROM sensors WHERE (sensors.device_id = ?) && (sensors.sensor_oid = ".1.3.6.1.4.1.11.2.14.11.1.2.6.1.4.1" && sensors.sensor_current = "2" )
  139. Rule match: no match
  140.  
  141. Rule name: CRITICAL Bad PSU #3
  142. Alert rule: %sensors.sensor_oid = " .1.3.6.1.4.1.11.2.14.11.1.2.6.1.4.4" && %sensors.sensor_current = "2"
  143. Alert query: SELECT * FROM sensors WHERE (sensors.device_id = ?) && (sensors.sensor_oid = " .1.3.6.1.4.1.11.2.14.11.1.2.6.1.4.4" && sensors.sensor_current = "2" )
  144. Rule match: no match
  145.  
  146. Rule name: CRITICAL Bad PSU #4
  147. Alert rule: %sensors.sensor_oid = ".1.3.6.1.4.1.11.2.14.11.1.2.6.1.4.5" && %sensors.sensor_current = "2"
  148. Alert query: SELECT * FROM sensors WHERE (sensors.device_id = ?) && (sensors.sensor_oid = ".1.3.6.1.4.1.11.2.14.11.1.2.6.1.4.5" && sensors.sensor_current = "2" )
  149. Rule match: no match
  150.  
  151. Rule name: CRITICAL Bad PSU #2
  152. Alert rule: %sensors.sensor_oid = ".1.3.6.1.4.1.11.2.14.11.1.2.6.1.4.3" && %sensors.sensor_current = "2"
  153. Alert query: SELECT * FROM sensors WHERE (sensors.device_id = ?) && (sensors.sensor_oid = ".1.3.6.1.4.1.11.2.14.11.1.2.6.1.4.3" && sensors.sensor_current = "2" )
  154. Rule match: no match
  155.  
  156. Rule name: CAUTION UPS on Smart Trim
  157. Alert rule: %sensors.sensor_current = "12" && %sensors.sensor_type = "upsBasicOutputStatus"
  158. Alert query: SELECT * FROM sensors WHERE (sensors.device_id = ?) && (sensors.sensor_current = "12" && sensors.sensor_type = "upsBasicOutputStatus" )
  159. Rule match: no match
  160.  
  161. Rule name: WARNING PoE Over Power on Switch
  162. Alert rule: %syslog.msg ~ "@PoE usage has exceeded threshold of 80@" && %syslog.timestamp = %macros.past_5m
  163. Alert query: SELECT * FROM syslog WHERE (syslog.device_id = ?) && (syslog.msg REGEXP ".*PoE usage has exceeded threshold of 80.*" && syslog.timestamp = (DATE_SUB(NOW(),INTERVAL 5 MINUTE)) )
  164. Rule match: no match
  165.  
  166. Rule name: CAUTION Check Switch for ARP Protect config
  167. Alert rule: %syslog.msg = "@arp-protect@" && %syslog.timestamp = %macros.past_5m
  168. Alert query: SELECT * FROM syslog WHERE (syslog.device_id = ?) && (syslog.msg = ".*arp-protect.*" && syslog.timestamp = (DATE_SUB(NOW(),INTERVAL 5 MINUTE)) )
  169. Rule match: no match
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement
Public Pastes
Advertisement
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!