.Pre-installed alert reference vv7.9.0
- Borja Moro Moreno
There is a library of preconfigured alerts that are designed to work with queries built upon common networking data tables. You can activate these alerts to monitor conditions related to web servers, potential threats, Devo platform components, and much more.
Every Devo domain contains a set of these built-in alerts that you can activate and configure as soon your data is being sent to Devo. These alerts are built upon the logging data generated by common network resources like web servers; Windows, Mac, and Unix systems, and even from Devo itself. A simple category-subcategory system for grouping these alerts have been established to make it easier to browse the alerts.
You can work with these alerts by performing the following actions: activate or deactivate them, assign or change the sending policy associated with them and apply filters for post-processing. You can find information about how to perform these actions in the articles below.
Edition and deletion
Although you can work with the pre-installed alerts just as you would with your own alerts, bear in mind that there are a couple of exceptions to this. Editing or deleting a pre-installed alert is not possible.
Go to Administration → Alert Configuration → Available Alerts to view these and all your user-defined alerts.
The Alerts Filter lets you filter the alerts that are displayed in the list by selecting alert category and subcategory. The category for all user-defined alerts is My Alerts - all other categories are used for the predefined alerts.
If you want to know the specific conditions associated to an alert, you can check it on this screen. Hover over an alert row, click the ellipsis icon that appears at the end of the row and select More Info. The following table lists and describes the standard, predefined alerts provided by Devo.
| Category | Subcategory | Alert | Description |
|---|---|---|---|
| Application Server | Apache Tomcat Server | Tomcat Startup | Triggers an alert when a Tomcat server has been started. |
| Application Server | Apache Tomcat Server | Tomcat Shutdown | Triggers an alert when a Tomcat server has been shut down. |
| Application Server | Apache Tomcat Server | Tomcat common errors | Triggers an alert when a common error is reported in a Tomcat server. For example, out of memory, max open files, database exception, servlet exception, and so on. |
| Application Server | Apache Tomcat Server | Tomcat too many GCs | Triggers an alert when there have been too many garbage collection in a short period of time. |
| Application Server | Apache Tomcat Server | Tomcat GC max time exceeded | Triggers an alert when a garbage collection takes too much time to run, having a possible adverse effect on service performance. |
| Application Server | Apache Tomcat Server | Tomcat severe errors | Triggers an alert when too many severe errors occur in a short period of time. |
| Application Server | JBoss Server | JBoss Startup | Triggers an alert when JBoss starts. |
| Application Server | JBoss Server | JBoss Shutdown | Triggers an alert when JBoss is shut down. |
| Application Server | JBoss Server | JBoss common errors | Triggers an alert when a common error is reported in a JBoss server. For example, out of memory, max open files, database exception, servlet exception, and so on. |
| Attacks | Suspicious Activity | Malicious IP Addresses | Triggers an alert when activity from blacklisted IP addresses (Alienvault OTX and TOR Network's output nodes lists) are detected in the customer logs. |
| Attacks | Suspicious Activity | Malware Domains | Triggers an alert when the customer server DNS logs report attempts to resolve domain names listed in malwaredomainlist.com and abuse.ch. |
| Attacks | Suspicious Activity | Malware URLs | Triggers an alert when the proxy navigation logs report accesses to URLs that are listed in the malwaredomainlist.com blacklist. |
| Attacks | Scanning | PortScan | Triggers an alert when a port scan is recorded in the firewall log. |
| Attacks | BruteForcing | SSH Bruteforcing | Triggers an alert when a SSH brute force attack, successful or not, has been detected in a server log. |
| Attacks | BruteForcing | DeskTop | Triggers an alert when an RDP attack, successful or not, has been detected in the Windows log. |
| Attacks | Geolocation | Unusual Connection | Triggers an alert when there is a connection from an unusual geolocation. |
| Devo | Collector | Logs format errors | Triggers an alert when you are sending logs with an incorrect format. |
| Devo | Structural common alerts | Reminder | Triggers an alert every "x" minutes while an antiflooding policy is active. |
| Devo | Structural common alerts | Recovery | Triggers an alert when an Antiflooding policy finishes. |
| Devo | Structural common alerts | Antiflooding Start | Triggers an alert when an Antiflooding policy starts. |
Monitoring | NetWork | Data Sent | Monitors the system outbound traffic in bytes/second. Default policy: avg(netSent)>=8 megabytes/second in a 10 min interval. |
| Monitoring | NetWork | Data Received | Monitors the inbound traffic in bytes/second. Default policy: avg(netRecv)>=8 megabytes/second in a 10 min interval. |
| Monitoring | Relay | Events Per Second | Monitors the traffic volume handled by an In-house Relay in Events Per Second (EPS). Default policy: avg(eps)>=5000 in a 10 min interval. |
| Monitoring | Relay | Events Per Minute | Monitors the traffic volume managed by an In-house Relay in Events Per Minute (EPM). Default policy: avg(epm)>=300.000 in a 10 min interval. |
| Monitoring | Machine Load | Load Alert | Monitors the machine load. Default policy: avg(load)>=4 in a 5 min interval. |
| Monitoring | Generic Monitoring | Staying Alive | Monitors if the service is active. |
| Monitoring | Generic Monitoring | Site Availability | Monitors the site availability. |
| Monitoring | CPU Monitoring | CPU Alert A | Monitors the systems CPU load. Default policy: avg(CPU)>75% in a 1 h interval. |
| Monitoring | CPU Monitoring | CPU Alert B | Monitors the systems CPU load. Default policy: avg(CPU)>90% in a 15 min interval. |
| Monitoring | Memory Monitoring | Available Memory A | Monitors the amount of memory available in the system. Default policy: memFree<=2% in a 10 min interval. |
| Monitoring | Memory Monitoring | Available Memory B | Monitors the amount of memory available in the system. Default policy: memFree<=10% in a 1h interval. |
| Monitoring | Disk Monitoring | Disk Alert A | Monitors the amount of free disk space available in the system. Default policy: diskFree<=10% in a 1h interval. |
| Monitoring | Disk Monitoring | Disk Alert B | Monitors the amount of free disk space available in the system. Default policy: diskFree<=2% in a 30 min interval. |
| System | Unix/Linux | Unix Critical Error | Triggers an alert when a serious error occurs on a Linux system, such as segmentation faults, potential kernel panics, I/O errors, reboots, rsyslogstart/stop, or others. |
| System | Unix/Linux | Unix Kernel Oops | Triggers an alert when a Kernel Oops message has been written to the log. |
| System | Unix/Linux | APT Packages | Triggers an alert when a package is added to or deleted from the system. |
| System | Windows | Windows Critical Error | Triggers an informative alert about general errors that have occurred on a Windows system. |
| System | MacOs | MacOs Critical Error | Triggers an informative alert about general errors that have occurred on a MacOs systems |
| System | BSD | BSD Critical Error | Triggers an informative alert about general errors that have occurred on BSD system. |
| System | VmWare | VmWareCritical Error | Triggers an informative alert about general errors that have occurred in the VMware virtualization product logs. |
| Tracking | User | Tracking User | Triggers an informative alert about the connections and activities of a specific user within the customer's system. |
| Web Server | IIS | IIS Critical Error | Triggers an alert when a critical error has been reported in the IIS Server. |
| Web Server | Generic | SSL Warning | Triggers an alert when an SSL Warning has been reported in the Web Servers. |
| Web Server | HTTP Attack | Malicious HTTP Methods | Triggers an alert when an uncommon HTTP method such as PUT or webDAV extensions has been used. Depending on the service, these may not be malicious. |
| Web Server | HTTP Attack | Proxy Abuse | Triggers an alert when there has been an attempt to use the web server as a proxy with the goal of accessing external or internal resources. Depending on the service, these may not be malicious. |
| Web Server | HTTP Attack | SuspiciousUser Agent | Triggers an alert when the web server reports activity from unusual browsers or tools used to automate tasks. |
| Web Server | Apache | Apache Critical Error | Triggers an alert when an Apache critical error such as segfault or PHP fatal error has been reported. |
| Web Server | Apache | Apache common errors | Triggers an alert when an Apache generic error has been reported. |
| Web Server | Apache | Apache Invoke dir as script | Triggers an alert when the Apache error "Attempt to invoke directory as script" has been reported. |
| Web Server | Apache | Apache client denied by server conf | Triggers an alert when there has been an attempt to access a resource that is forbidden or not stored under DocumentRoot. |
| Web Server | Apache | Apache FQDN server name not resolved | Triggers an alert when the server name is not associated with a fully qualified domain name (FQDN). |
| Web Server | Apache | Apache bind to address fail | Triggers an alert when an Apache server can't bind the specified listening port. This is often because it is in use by another service, due to SELinux/AppArmor policies. |
| Web Server | Apache | Apache favicon not found | Triggers an alert when the web server does not have a favicon. |
| Web Server | Apache | Apache too many 404 errors | Triggers an alert when there are too many 404 Not Found errors in a short period of time. This can be caused by resource scans or broken links in the web application. |
| Web Server | Apache | Apache mixing ports error | Triggers an alert when there has been an Apache configuration error in virtual hosting environments. |
| Web Server | Apache | Apache PHP fatal error | Triggers an alert when there are too many PHP errors. |
| Web Server | Apache | Apache too many byte range requests | Triggers an alert when there have been too many 206 Partial Content requests in a short period of time. This can be caused by massive downloads or a possible Apache Range Header DoS attack. |
| Web Server | Apache | Apache Shutdown | Triggers an alert when the Apache server has been shut down. |
| Web Server | Apache | Apache Startup | Triggers an alert when the Apache server has been started. |
| Web Server | Apache | Apache SSL Heartbleed | Triggers an alert when the Heartbleed bug has been detected. |
| Web Server | Apache | Apache Multiple SSL heartbeat requests | Triggers an alert when there has been more than one SSL heartbeat request made to the Apache Server. |
Related articles: