How Alarms and Notifications Work

The Event Source module in NetWitness displays alarms and sends notifications based on alarms that are triggered.

For alarms, consider the following:

Alarms are of two types: automatic (triggered when baselines are exceeded or not met) and manual (configured using thresholds).

  • Automatic: If you turn on automatic alerts, the system reports alarms for all event sources that go above or below their normal baselines by the required amount. You can specify the over / under percentage on the Settings Tab.
  • Manual: The system sends an alert whenever an event source exceeds the thresholds in the policy for the associated groups.
  • Alarms appear on the UI, in the Alarms Tab.

For notifications, consider the following:

  • To receive manual notifications (through email, SNMP or Syslog):

    • Specify a policy for an event source group.
    • Set a high or low (or both) threshold.
    • Enable the policy.
  • To receive automatic (baseline) notifications:

    • Baseline alerting must be on. This is turned on by default.
    • You must enable notifications from automatic monitoring. See Configuring Automatic Alerting for details.
    • The event source that triggers the alarm must be in a group that has a policy enabled.
  • If you have automatic alerting turned on, and you have configured a policy and threshold for a group:

    • If the event source goes outside its baseline, you see an automatic alert and receive a notification.
    • If the event source goes outside its thresholds, you see a manual alert and receive a notification.
    • If both occur (threshold and baseline exceeded or not met), you receive two alarms (visible on the Alarms tab) and a single notification that indicates both alarms. That notification lists the double-alarmed event source twice, with one of the two listings marked as an automatic alarm.

Large Email Notifications

If you have set up email notifications, keep in mind that the email can grow very large, depending on the number of event sources in the notification.

If the number of event sources in the alarmed state exceeds 10,000, then the email notification contains the details for only the first 10,000 and a total count. This is to ensure that the email is successfully delivered.
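The following Python model, added here as an illustration and not NetWitness product code, walks through the two alarm rules described above and the notification behaviour that follows from them: an automatic alarm when an event source deviates from its baseline by more than the over/under percentage, a manual alarm when it crosses a high or low threshold in its group's enabled policy, a double-alarmed source listed twice in one notification, and the 10,000-entry cap on event source details in an email. The `Policy`, `EventSource` and `Alarm` classes, the `pix-edge-*` and `nopolicy-1` source names, the baseline and threshold values, and the 50% default deviation are all constructed for the example; only the `ciscopix` group name and the 10,000 limit come from the page.

```python
from dataclasses import dataclass
from typing import Optional

# Documented cap: an email notification details at most this many alarmed event sources.
EMAIL_DETAIL_LIMIT = 10_000


@dataclass
class Policy:
    """Threshold policy attached to an event source group (constructed model)."""
    group: str
    enabled: bool = True
    high_threshold: Optional[int] = None  # events per interval; None means not set
    low_threshold: Optional[int] = None


@dataclass
class EventSource:
    name: str
    group: str
    baseline: float  # learned "normal" event count for the interval
    observed: int    # events actually received in this interval


@dataclass
class Alarm:
    source: str
    group: str
    kind: str     # "automatic" (baseline) or "manual" (threshold)
    detail: str   # e.g. "above baseline", "High threshold"
    notify: bool  # whether this alarm also produces a notification


def evaluate(sources, policies, *, baseline_alerting=True, notify_automatic=True,
             over_pct=50.0, under_pct=50.0):
    """Apply both alarm rules to every event source and return the resulting alarms.

    An automatic alarm is raised whenever baseline alerting is on and the observed count
    is more than over_pct above or under_pct below the baseline; it is shown in the UI
    regardless of policy, but only notified when automatic notifications are enabled and
    the source sits in a group with an enabled policy. A manual alarm is raised when the
    source crosses a threshold in its group's enabled policy and is always notified.
    """
    by_group = {p.group: p for p in policies}
    alarms = []
    for src in sources:
        policy = by_group.get(src.group)
        policy_on = policy is not None and policy.enabled

        if baseline_alerting:
            if src.observed > src.baseline * (1 + over_pct / 100):
                alarms.append(Alarm(src.name, src.group, "automatic", "above baseline",
                                    notify=notify_automatic and policy_on))
            elif src.observed < src.baseline * (1 - under_pct / 100):
                alarms.append(Alarm(src.name, src.group, "automatic", "below baseline",
                                    notify=notify_automatic and policy_on))

        if policy_on:
            if policy.high_threshold is not None and src.observed > policy.high_threshold:
                alarms.append(Alarm(src.name, src.group, "manual", "High threshold", notify=True))
            if policy.low_threshold is not None and src.observed < policy.low_threshold:
                alarms.append(Alarm(src.name, src.group, "manual", "Low threshold", notify=True))
    return alarms


def build_notification(alarms):
    """Summarise notifiable alarms the way the page describes the email: a header naming
    the thresholds triggered per group, a body listing each alarmed event source (a
    double-alarmed source appears twice), and truncation of the details to the first
    EMAIL_DETAIL_LIMIT entries together with the total count."""
    to_send = [a for a in alarms if a.notify]
    if not to_send:
        return None
    triggered = {}
    for a in to_send:
        if a.kind == "manual":
            triggered.setdefault(a.group, set()).add(a.detail)
    header_parts = [f"{' and '.join(sorted(triggered[g]))} triggered on {g} group"
                    for g in sorted(triggered)]
    lines = [f"{a.source} ({a.kind}: {a.detail})" for a in to_send]
    return {
        # Header wording for a baseline-only notification is a constructed placeholder.
        "header": "; ".join(header_parts) or "Baseline alarms triggered",
        "total": len(lines),
        "details": lines[:EMAIL_DETAIL_LIMIT],
        "truncated": len(lines) > EMAIL_DETAIL_LIMIT,
    }


def demo():
    """Constructed sample: one group with a policy plus one unmanaged source."""
    policies = [Policy("ciscopix", high_threshold=1000, low_threshold=100)]
    sources = [
        EventSource("pix-edge-1", "ciscopix", baseline=500, observed=1200),   # above baseline and high threshold
        EventSource("pix-edge-2", "ciscopix", baseline=500, observed=50),     # below baseline and low threshold
        EventSource("pix-edge-3", "ciscopix", baseline=500, observed=600),    # within baseline, no threshold crossed
        EventSource("nopolicy-1", "unmanaged", baseline=500, observed=2000),  # automatic alarm only, never notified
    ]
    alarms = evaluate(sources, policies)
    return alarms, build_notification(alarms)


if __name__ == "__main__":
    found, note = demo()
    for a in found:
        print(f"{a.source:12} {a.kind:9} {a.detail:15} notify={a.notify}")
    print(note["header"])
```

Running `demo()` yields five alarms in the UI but only four notified: `nopolicy-1` alarms on its baseline yet produces no notification because it belongs to no group with an enabled policy, while `pix-edge-1` and `pix-edge-2` each appear twice in the notification, once as an automatic and once as a manual alarm, under the header "High threshold and Low threshold triggered on ciscopix group".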

The following examples show a low threshold triggered for two event source groups and a high threshold triggered for three event source groups.

[Image: email notification for a low threshold triggered on two event source groups]

[Image: email notification for a high threshold triggered on three event source groups]

High and Low Thresholds Both Triggered

Occasionally, both the high and low alarms are triggered for a particular event source group. The easiest way to see when this happens is to read the email header, which clearly states when both thresholds are triggered, as shown in this image:

[Image: email notification whose header shows both the high and low thresholds triggered on the ciscopix group]

In this example, the header states, "High threshold and Low threshold triggered on ciscopix group." To see the details for the low threshold event sources, you may need to scroll down past hundreds, or even thousands, of the high threshold event sources.