
Platform alert pack: Devo Relay alerts

[Image: Platform alert pack Devo Relay alerts]

Purpose

The Devo Relay is one of the primary methods of ingesting logging data into the Devo platform. The relay software is provided by Devo, but the infrastructure it runs on is typically deployed on the customer premises for network routing purposes. Because of this deployment model, customers need a way to monitor their Devo relays and detect issues that they must resolve themselves.

Included alerts

DevoRelayConfigWarningLogs: alerts when relays begin to show warning messages. Alerts once per tuned time period if warning logs come back from relays that have been configured. A warning message tells users that there is a condition worth looking into.

from syslog.relay.conf
where startswith(message,"[WARNING]")
where (machine) not in (
    from siem.logtrust.alert.info
    where category = "my.context"
    where endswith(context, ".DevoRelayConfigWarningLogs")
    select replaceall(urldecode(str(jqeval(jqcompile(".machine"), jsonparse(extraData)))), "+", " ") as ed_machine
    group every - by ed_machine
)
group every 1m by machine
select min(eventdate) as min_eventdate
select count() as count

DevoRelayErrorLogs: alerts when relays begin to show error messages. Alerts once per tuned time period if error logs come back from relays that have been configured. An error message tells users that there is a condition requiring their attention, caused by misconfiguration or installation issues.

from syslog.relay.out
where level="ERROR"
where (machine) not in (
    from siem.logtrust.alert.info
    where category = "my.context"
    where endswith(context, ".DevoRelayErrorLogs")
    select replaceall(urldecode(str(jqeval(jqcompile(".machine"), jsonparse(extraData)))), "+", " ") as ed_machine
    group every - by ed_machine
)
group every 1m by machine
select min(eventdate) as min_eventdate
select count() as count

DevoRelayLogsHearbeat: alerts when a relay stops sending data to Devo, indicating an issue with the relay, its source, or the network. Alerts users when a relay has ceased to send heartbeat messages back to Devo, notifying the users that additional.

from syslog.relay.out
where not relayId in (
    from syslog.relay.out
    group every - by relayId
)
group every 1m by machine, relayId
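The three queries share one pattern: filter relay logs, suppress machines that have already produced an alert (the "not in" subquery over siem.logtrust.alert.info, which unpacks the machine name from the URL-encoded JSON in extraData), then aggregate per minute. The following Python is an added illustration written for this page, not Devo's alert code or a transcription of the LINQ above: it re-expresses the warning, error and silent-relay checks over constructed sample rows so the suppression and heartbeat behaviour can be observed offline. The sample rows, the alert-name suffix convention, the URL-encoded shape of extraData, and the two-window comparison used for the heartbeat check are all assumptions of this example.

```python
"""Simulation of the Devo Relay alert checks over constructed sample rows.

Added example for this page; it is not Devo's alert implementation. The record
layouts below are assumptions modelled on the field names used in the queries.
"""
import json
from collections import defaultdict
from datetime import datetime
from urllib.parse import unquote_plus

# Constructed rows standing in for syslog.relay.conf (warning check).
RELAY_CONF = [
    {"eventdate": "2024-01-01T10:00:05", "machine": "relay-a", "message": "[WARNING] buffer nearly full"},
    {"eventdate": "2024-01-01T10:00:30", "machine": "relay-a", "message": "[WARNING] buffer nearly full"},
    {"eventdate": "2024-01-01T10:00:40", "machine": "relay-b", "message": "[WARNING] certificate expires soon"},
    {"eventdate": "2024-01-01T10:00:50", "machine": "relay-c", "message": "[INFO] reload ok"},
]

# Constructed rows standing in for syslog.relay.out (error and heartbeat checks).
RELAY_OUT = [
    {"eventdate": "2024-01-01T10:00:05", "machine": "relay-a", "relayId": "r1", "level": "INFO"},
    {"eventdate": "2024-01-01T10:00:10", "machine": "relay-b", "relayId": "r2", "level": "ERROR"},
    {"eventdate": "2024-01-01T10:00:15", "machine": "relay-c", "relayId": "r3", "level": "ERROR"},
    {"eventdate": "2024-01-01T10:00:20", "machine": "relay-c", "relayId": "r3", "level": "ERROR"},
    {"eventdate": "2024-01-01T10:05:00", "machine": "relay-a", "relayId": "r1", "level": "INFO"},
    {"eventdate": "2024-01-01T10:05:10", "machine": "relay-c", "relayId": "r3", "level": "INFO"},
]

# Constructed rows standing in for siem.logtrust.alert.info: alerts already
# fired. extraData is assumed to be URL-encoded JSON (hence unquote_plus),
# which is what the urldecode/jsonparse/replaceall chain in the queries implies.
ALERT_INFO = [
    {"category": "my.context", "context": "x.DevoRelayConfigWarningLogs",
     "extraData": "%7B%22machine%22%3A%22relay-a%22%7D"},
    {"category": "my.context", "context": "x.DevoRelayErrorLogs",
     "extraData": "%7B%22machine%22%3A%22relay-b%22%7D"},
]


def already_alerted(alert_name):
    """Machines that already fired this alert: the 'not in' subquery."""
    machines = set()
    for row in ALERT_INFO:
        if row["category"] != "my.context" or not row["context"].endswith("." + alert_name):
            continue
        extra = json.loads(unquote_plus(row["extraData"]))  # urldecode + '+' -> ' '
        machines.add(extra["machine"])
    return machines


def _minute_bucket(ts):
    """Truncate an ISO timestamp to its minute, like 'group every 1m'."""
    return datetime.fromisoformat(ts).replace(second=0, microsecond=0).isoformat()


def group_per_minute(rows, alert_name):
    """Drop suppressed machines, then min(eventdate) and count() per minute/machine."""
    suppressed = already_alerted(alert_name)
    buckets = defaultdict(list)
    for row in rows:
        if row["machine"] in suppressed:
            continue
        buckets[(_minute_bucket(row["eventdate"]), row["machine"])].append(row["eventdate"])
    return {key: {"min_eventdate": min(dates), "count": len(dates)}
            for key, dates in sorted(buckets.items())}


def config_warning_alerts():
    """DevoRelayConfigWarningLogs: messages starting with [WARNING]."""
    rows = [r for r in RELAY_CONF if r["message"].startswith("[WARNING]")]
    return group_per_minute(rows, "DevoRelayConfigWarningLogs")


def error_alerts():
    """DevoRelayErrorLogs: rows whose level is ERROR."""
    rows = [r for r in RELAY_OUT if r["level"] == "ERROR"]
    return group_per_minute(rows, "DevoRelayErrorLogs")


def silent_relays(rows, baseline_start, recent_start, recent_end):
    """Heartbeat check (assumed approach): relay ids seen in the baseline window
    but absent from the most recent window are considered to have gone quiet."""
    baseline, recent = set(), set()
    for row in rows:
        ts = datetime.fromisoformat(row["eventdate"])
        if baseline_start <= ts < recent_start:
            baseline.add(row["relayId"])
        elif recent_start <= ts < recent_end:
            recent.add(row["relayId"])
    return sorted(baseline - recent)


if __name__ == "__main__":
    print("warnings:", config_warning_alerts())   # relay-a is suppressed, relay-b fires
    print("errors:", error_alerts())              # relay-b is suppressed, relay-c fires
    print("silent:", silent_relays(RELAY_OUT, datetime(2024, 1, 1, 10, 0),
                                   datetime(2024, 1, 1, 10, 5), datetime(2024, 1, 1, 10, 10)))
```

Running the module shows the effect of the suppression subquery: relay-a has warnings and relay-b has errors in the sample data, but neither fires again because an earlier alert for the same machine is recorded in the alert table; relay-c, which has not alerted before, produces one error row for the 10:00 minute with count 2. The heartbeat function reports r2, which appears in the first window but not in the second; note that this two-window comparison is an assumed way of detecting a silent relay and is not the semantics of the LINQ query above.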

Prerequisites

To use this alert pack, you must have the following data sources available in your domain:

Data sources

  • syslog.relay.out


Open alert pack

Once you have installed the desired alerts individually, you can use the Open button at the top right of the card in Exchange to access the Alert configuration, where you can apply filters to find them and later manage them as required. You can also access this area via the Navigation pane (Administration → Alert Configuration → Available alerts).

[Image: Platform alert packs (use alert pack)]

Use alert pack

The alerts installed are deactivated by default. Access the Alert configuration area to activate those you need and assign sending policies to receive them through the desired channels.

Each alert should be tuned for a given environment or domain. For example, the notification period for warning and error messages can be changed so that users are notified only once an hour, day, or week when conditions are met. Additionally, certain relay configurations might cause a warning in a specific environment but be acceptable in the business context, in which case the alert can be configured to whitelist these conditions.

Warning and error notification alerts trigger on the first message of a given error or warning sequence, with the remainder of the relevant information contained in the underlying table. When an alert triggers, the user should open the table to view the entire context of the issue. From there the user can either find a resolution on the documentation page below or open a support ticket for help.