Configuring Event Source Group Alerts

Each event source group can have its own alerting policy. This includes setting the thresholds for when to alert, and setting the notification type when an alert is triggered. This topic describes the steps involved in creating an alert policy for an event source group.

Create an Alert Policy for an Event Source Group

  1. Go to Admin > Event Sources.
  2. Select the Monitoring Policies tab.
  3. In the Event Groups panel, select a group.
  4. Enter values for the Low Threshold and High Threshold fields.

    [Figure: example of alert thresholds]

  5. Select Enable and click Save to enable the alert policy that you have configured.

Note: If you make changes to a policy and attempt to exit the page before you save your changes, an Unsaved Changes warning message is displayed.

Set and View the Thresholds for an Alert Policy

Every event source group is also an alert policy. Thresholds are part of an alert policy. You can set thresholds for each alert policy. For each policy, you can set a low threshold, a high threshold, or both. Additionally, you can enable a policy without setting any thresholds; this allows you to receive notifications based on automatic alerts. Automatic alerts are generated when the baseline for an event source is out of normal bounds.

Configuring a longer policy duration for a low threshold policy may result in increased memory (SMS Heap) usage (for more information, see 'Troubleshooting Health & Wellness' in the System Maintenance Guide). To avoid increased memory usage, optimize the policy filter so that it matches only the required event sources. NetWitness also recommends a policy duration of less than 3 days if 30 low threshold policies match 20K event sources. If there are fewer than 10 low threshold policies, you can use a policy duration of less than 7 days, with each policy matching unique event sources.

  1. Go to Admin > Event Sources.
  2. Select the Monitoring Policies tab.
  3. In the Event Groups panel, select a group.
    Any thresholds set for the selected group are displayed in the Thresholds panel.

  4. Edit the values in either the Low or High Threshold as follows:

    1. Enter the number of events for the threshold.
    2. Enter the number of minutes or hours for the threshold. The minimum value is 5 minutes.
  5. Select Enable to enable alarms when thresholds are not met.

    Note: If you configure a threshold and attempt to save the page without enabling it, you receive a confirmation message asking whether or not to enable the policy.

For example, suppose you enter 10 and 30 as the values for the low threshold (10 events in 30 minutes), and 20 and 30 as the values for the high threshold (20 events in 30 minutes). This means that you expect between 10 and 20 events to be logged in 30 minutes for the selected event source group. That is, anything between the low and high threshold is considered normal, and does not trigger an alarm.

After you add a threshold for a policy, you cannot delete it. You can disable the policy, or set the low or high threshold to 0 events in 5 minutes. Five minutes is the minimum duration for a threshold.
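
As an added illustration (not NetWitness code and not part of the original guide), the following Python example models the 10/20 events in 30 minutes thresholds described above over constructed event timestamps. The trailing-window evaluation, the treatment of a count equal to a threshold as normal, and all names are assumptions.

```python
from bisect import bisect_right
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional

MIN_WINDOW = timedelta(minutes=5)  # minimum threshold duration stated on this page

@dataclass(frozen=True)
class Threshold:
    events: int
    window: timedelta

    def __post_init__(self):
        if self.events < 0:
            raise ValueError("event count cannot be negative")
        if self.window < MIN_WINDOW:
            raise ValueError("threshold duration must be at least 5 minutes")

def count_in_window(times: List[datetime], now: datetime, window: timedelta) -> int:
    """Count events with now - window < t <= now; times must be sorted ascending."""
    return bisect_right(times, now) - bisect_right(times, now - window)

def evaluate(times: List[datetime], now: datetime,
             low: Optional[Threshold] = None,
             high: Optional[Threshold] = None) -> str:
    """Classify one event source group as 'below_low', 'above_high' or 'normal'.
    Either threshold may be omitted, as the policy allows low, high, or both.
    Assumption: a count exactly equal to a threshold is treated as normal."""
    times = sorted(times)
    if low is not None and count_in_window(times, now, low.window) < low.events:
        return "below_low"    # source has gone quiet
    if high is not None and count_in_window(times, now, high.window) > high.events:
        return "above_high"   # source is flooding
    return "normal"

# Constructed sample data: one event every `step_minutes` over the last hour.
NOW = datetime(2024, 1, 1, 12, 0)

def sample(step_minutes: int) -> List[datetime]:
    return [NOW - timedelta(minutes=m) for m in range(0, 60, step_minutes)]

LOW = Threshold(10, timedelta(minutes=30))   # low: 10 events in 30 minutes
HIGH = Threshold(20, timedelta(minutes=30))  # high: 20 events in 30 minutes

if __name__ == "__main__":
    for name, step in (("steady", 2), ("quiet", 10), ("noisy", 1)):
        print(name, evaluate(sample(step), NOW, LOW, HIGH))
```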