This topic provides an overview of the alert notifications ESA supports.
When a rule triggers an alert, ESA can send a notification in the following ways:
To configure a notification, you configure these components:
- Notification server – After you configure a notification server, you can add it to a rule. When the rule triggers an alert, the rule will use that server to send alert notifications.
- Notifications – These are the outputs, which can be email, script, SNMP, and Syslog. When you design a rule, you can specify the notification for an alert.
- Templates – The format of an alert notification is defined in a template.
Alert suppression and alert rate regulation are two features that Event Stream Analysis provides. Alert suppression ensures that multiple emails are not sent out for the same alert. For example, consider a rule to detect failed user logins. If you set the alert suppression to three minutes, you will see only the alerts generated in that time frame. This is fewer than the number of alerts you would see without alert suppression. Some alerts can be duplicates. With alert suppression, emails are not sent for duplicate alerts. This ensures the inbox is not flooded with redundant alert notifications.
Alert rate regulation is a preventive measure to ensure that alerts from misconstrued rules do not flood the system. This ensures that ESA does not send more than the configured limit of emails within one minute.
Notification servers, notifications, and templates are configured in the Administration System view. For more information, see Configure Notification Servers, Configure Notification Outputs, and Configure Templates for Notifications.
Event Stream Analysis can send notifications to users through email about various system events.
To configure these email notifications, you need to:
- Configure the SMTP email server as an output provider. For instructions, see Configure the Email Settings as Notification Server.
- Set up an email account to receive notifications. For instructions, see Configure Email as a Notification.
- Configure a template for email notification. For instructions, see Configure a Template.
Event Stream Analysis can send events as an SNMP trap to a configured SNMP trap host.
To configure these SNMP notifications, you need to:
- Configure SNMP trap host settings as an output provider. For instructions, see Configure the SNMP Settings as Notification Server.
- Configure SNMP trap settings as an output action. For instructions, see Configure SNMP as a Notification.
- Configure a template for SNMP. For instructions, see Configure a Template.
Event Stream Analysis can send events and consolidate logs in Syslog format to a Syslog server.
To configure these Syslog notifications, you need to:
- Configure Syslog server settings as an output provider. For instructions, see Configure the Syslog Settings as Notification Server.
- Configure Syslog message format as an output action. For instructions, see Configure Syslog as a Notification.
- Configure a template for Syslog. For instructions, see Configure a Template.
Apart from the alert notifications ESA allows users to run scripts in response to ESA alerts.
Scripts enable you to do custom integration with applications that exist in your environment. For example, if you want to open an incident ticket from an application when a specific alert is triggered, Script Alerter lets you write a script that calls the application API and have ESA invoke it when the specific ESA rule is triggered. You can configure a FreeMarker template to define what details you want to extract from the output of the ESA rule and pass it as command line arguments to the script.
To use the Script Alert, you need to:
- Configure the user identity and other details that are required to execute the script. For instructions, see Configure Script as a Notification Server.
- Define the Script. For instructions, see Configure Script as a Notification.
- Configure a template for the script. For instructions, see Configure a Template.