Sys Maintenance: Monitor Health and Wellness Using SNMP Alerts

Document created by RSA Information Design and Development on Nov 23, 2016. Last modified by RSA Information Design and Development on Aug 2, 2017.
Version 10

You can monitor a Security Analytics component so that it proactively sends alerts over Simple Network Management Protocol (SNMP) based on thresholds or system failures.

You can monitor the following for Security Analytics components: 

  • CPU utilization that reaches a defined threshold.
  • Memory utilization that reaches a defined threshold.
  • Disk utilization that reaches a defined threshold.

SNMP Configuration

The Security Analytics hosts can be configured to send out SNMPv3 Threshold Traps and Monitor Traps. Threshold traps are sent by the Security Analytics Core applications themselves, in conjunction with configured node thresholds. Monitor traps are sent by the SNMP daemon itself for the items indicated in its configuration file.

The customer must set up the SNMP daemon on another service to receive SNMP traps from Security Analytics. You can set up SNMP on Security Analytics in the configuration setting for the Security Analytics host. For more information, see Service Configuration Settings in the RSA Security Analytics Host and Services Getting Started Guide for the specific host.

Thresholds

Thresholds can be set on any service statistics that can accept the setLimit message. You can retrieve the current thresholds using the getLimit message. To set a limit, you can pass a low and high threshold value.

When the value of the stat crosses either the low or high threshold, an SNMP trap is triggered indicating the threshold is crossed. The trap will not be triggered if the value is below the low and above the high value, but another trap is triggered if it crosses back into the normal range (above the low and below the high).

You must set the threshold for the service using the Service Explorer view or the REST API.

Following is a sample threshold for monitoring CPU usage (below 10% or above 90%):

/sys/stats/cpu setLimit low=10 high=90

Following is an example of how the threshold is set using REST API:

http://<log decoder>:50102/sys/stats/cpu?msg=setLimit&low=10&high=90

If the CPU usage spikes to 90% or higher, an SNMP trap will be generated:

23435333 2013-Dec-16 11:08:35 Threshold warning path=/sys/stats/cpu old=77% new=91
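
On the trap receiver, it helps to tell a breach from a return to the normal range. The following is an added example, not RSA code: it builds the setLimit URL in the form shown above (without sending it) and classifies threshold warning lines against the configured limits. The function names, the host name logdecoder.example, the boundary handling, and every sample line except the first are assumptions.

```python
import re
from urllib.parse import urlencode

# Layout copied from the sample trap text on this page; nothing beyond it is assumed.
TRAP_RE = re.compile(
    r"^(?P<id>\d+)\s+(?P<ts>\d{4}-[A-Za-z]{3}-\d{2} \d{2}:\d{2}:\d{2})\s+Threshold warning"
    r"\s+path=(?P<path>\S+)\s+old=(?P<old>\d+(?:\.\d+)?)%?\s+new=(?P<new>\d+(?:\.\d+)?)%?\s*$"
)

def set_limit_url(host, path, low, high, port=50102):
    """Build a setLimit request URL in the form the page shows (built, not sent)."""
    if not path.startswith("/") or not 0 <= low < high:
        raise ValueError("need an absolute stat path and 0 <= low < high")
    return f"http://{host}:{port}{path}?" + urlencode(
        {"msg": "setLimit", "low": low, "high": high})

def zone(value, low, high):
    """Assumed boundaries: 'below low' is strict, 'high or higher' is inclusive."""
    if value < low:
        return "low"
    return "high" if value >= high else "normal"

def classify(line, limits):
    """Return the crossing a trap line reports, or None if it cannot be judged."""
    m = TRAP_RE.match(line)
    if not m or m["path"] not in limits:
        return None  # unknown layout, or a stat we hold no limits for
    low, high = limits[m["path"]]
    old, new = float(m["old"]), float(m["new"])
    return {"path": m["path"], "time": m["ts"], "new": new,
            "transition": f"{zone(old, low, high)}->{zone(new, low, high)}"}

# Limits as configured with "setLimit low=10 high=90" on this page.
LIMITS = {"/sys/stats/cpu": (10, 90)}

# First line is the page's sample; the rest are constructed in the same layout.
# /sys/stats/memory is a hypothetical stat path with no limit recorded here.
SAMPLE = [
    "23435333 2013-Dec-16 11:08:35 Threshold warning path=/sys/stats/cpu old=77% new=91",
    "23435390 2013-Dec-16 11:12:02 Threshold warning path=/sys/stats/cpu old=93% new=64%",
    "23436011 2013-Dec-16 13:40:17 Threshold warning path=/sys/stats/cpu old=14% new=8%",
    "23436020 2013-Dec-16 13:41:00 Threshold warning path=/sys/stats/memory old=50% new=95%",
]

if __name__ == "__main__":
    print(set_limit_url("logdecoder.example", "/sys/stats/cpu", 10, 90))
    for entry in SAMPLE:
        print(classify(entry, LIMITS) or f"unjudged: {entry}")
```

Lines that come back unjudged are worth reviewing by hand: they mean either a trap layout the pattern does not cover or a stat whose limits were set on the service but never recorded on the receiver.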

Procedures

Configure SNMPv3 for a Host

  1. In the Security Analytics menu, select Administration > Services.
    The Services view is displayed.
  2. Select the service.
  3. In the Actions column, select View > Explore.
  4. In the nodes list, expand the list and select a config folder. For example, log > config.
  5. Set the SNMPv3 configuration.

Set the Threshold for a Service

  1. In the Security Analytics menu, select Administration > Services.
    The Services view is displayed.
  2. Select the service.
  3. In the Actions column, select View > Explore.
  4. In the nodes list, expand the list and select a stat folder.
  5. Select a stat, for example, cpu, and right-click.
  6. From the drop-down menu, select Properties.
    The Properties dialog is displayed. The Properties dialog has a drop-down list of available messages for the parameter.
  7. Select setLimit.
  8. Specify the low and high values.