Reporting Alert alertInterval
Designed an SMTP reporting alert to send an email whenever a specific log message was ingested.
The rule basically said msg.id = '%C4K_CHASSIS-3-MUXBUFFERREADSUPERVISORSELECTIONFAILED', which indicates that a 48-port card was down. The network team would get an email and get to work on it.
When setting up the alert, there were two options, "execute once" or "execute each event". Execute once was selected in the alert, but this is a little misleading. The alerts were being logged about every second, and it didn't send that many emails; however, we were receiving an email every minute.
Fortunately this was a simple fix: by editing the "AlertInterval" located under 'reporting engine>explore>com.rsa.soc.re>alertConfiguration' from 1 to 10, we now receive emails only every 10 minutes.
Happy Hunting, hope this saves you some digging.
Tags: alert rules, report engine, RSA NetWitness, RSA NetWitness Platform
Please realize that by changing the AlertInterval you are causing the Alert scheduler to only run once per interval for all scheduled alerts, in this case once every 10 minutes, instead of the default once every 1 minute. As mentioned above there are two types of alert notification execution: Each Event and Once. Here is what each actually means.
When the alert scheduler runs the rule for the alert, it runs the alert rule query against the infrastructure. On query completion, results are returned or none are returned. If some were returned, let's say 3 results came back that matched the rule, you would receive three notifications of that type for this interval. So if it was SMTP, you would receive three separate emails from the alert, and each would represent one of the three results returned. You can imagine how bad this can get if you return thousands of results, though sometimes this is wanted when using Syslog or SNMP.
If the Execute drop-down is set to Once, then only one alert notification will be sent per alert schedule interval no matter how many results were returned. Of course, if no results were returned from the alert, no notification will be sent. This is designed to let you know something happened but not be flooded with alerts, as you can use the templating system to tell you in the alert notification how many actual alert results came back in a single notification.
In summary, only change this AlertInterval if you are fully prepared for the consequences. Otherwise you may want to look closer at what you are alerting on and how you are getting notifications. As of now there is no alert suppression in the reporting engine for these normal alerts. There is alert suppression for alerts coming from the ESA, however. If you have an ESA, you can convert your normal Reporting Engine alerts into ESA alerts to provide the suppression you may be looking for.
I hope this provides more clarity around the AlertInterval and the two options for notification execution.
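The scheduler behaviour described in the reply above (one shared AlertInterval for every scheduled alert; Once sends one notification per run that returns results, Each Event sends one per result), as an added simulation that is not part of this thread or of the NetWitness product. It assumes each run sees only the matching log hits that arrived during its own interval, and the rule names and hit times are constructed.

```python
from dataclasses import dataclass, field


@dataclass
class AlertRule:
    name: str
    execute: str                      # "once" or "each_event" (the Execute drop-down)
    hit_times: list = field(default_factory=list)   # constructed: seconds at which matching logs arrived


def notifications_for_run(rule, hits_in_window):
    """Notifications one scheduler run produces for one rule."""
    if not hits_in_window:
        return 0                      # no results -> no notification in either mode
    if rule.execute == "each_event":
        return len(hits_in_window)    # one email/syslog/SNMP message per result
    if rule.execute == "once":
        return 1                      # single notification; template can carry the result count
    raise ValueError(f"unknown execute mode {rule.execute!r}")


def simulate(rules, alert_interval_min, window_min):
    """Run the shared scheduler once per AlertInterval across a window of window_min minutes.

    Assumption: a run queries only hits that arrived inside its own interval.
    Returns {rule.name: (runs_that_fired, total_notifications)}.
    """
    interval_s = alert_interval_min * 60
    summary = {}
    for rule in rules:
        fired = total = 0
        for start in range(0, window_min * 60, interval_s):
            hits = [t for t in rule.hit_times if start <= t < start + interval_s]
            n = notifications_for_run(rule, hits)
            fired += 1 if n else 0
            total += n
        summary[rule.name] = (fired, total)
    return summary


if __name__ == "__main__":
    # constructed: the MUXBUFFER message logged every second for an hour, plus an unrelated rule
    mux = AlertRule("mux_buffer_failed", "once", list(range(0, 3600)))
    other = AlertRule("other_rule", "once", [30, 90])   # two hits, 30 s and 90 s into the hour
    for interval in (1, 10):
        print(f"AlertInterval={interval}:", simulate([mux, other], interval, 60))
```

With AlertInterval 1 the Once rule still fires 60 times in the hour (one email per run, matching the thread); raising it to 10 cuts that to 6 but also collapses the unrelated rule's two hits into a single notification.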
Thanks for the reply and additional information, much appreciated. We do have an ESA, but was thinking that since there was no correlation involved that I didn't want to use those resources.
Do you happen to know the steps that allow me to create reports on the IMDB in 10.6.2?
It should be about the same as writing reports for the NWDB but selecting the IMDB as the source when creating the rule. Here is the documentation about the IMDB rule syntax. https://community.rsa.com/docs/DOC-74656