
Platform alert pack: Collector


Purpose

Collectors are the tools that integrate different platforms and systems with the Devo application and stream their data into it. Monitoring collector activity is crucial for keeping the collector environment healthy, and this alert pack helps with that task. It provides detections that warn you when something is out of the ordinary, so you can decide whether action must be taken.

This alert pack complements the Devo Collector Monitoring Activeboard, so we highly recommend using them in combination.

Included alerts

SecOpsCollectorCredentials: detects any credential problem (401 or 403 error) in any collector running in the domain, as well as warning-level messages that may indicate the same kind of error.

from devo.collectors.out where (upper(level2)="ERROR" or upper(level2)="WARNING") and (msg->"CODE:0403" or msg->"received 401" or msg->"code 401" or msg->"401 client" or msg->"401 Client" or msg->"401: Invalid" or msg->"402: GET" or msg->"HttpError 403" or msg->"code: 403" or msg->"403 Client" or msg->"403 client" or msg->": 401" or msg->"[403" or msg->":403" or msg->"HttpError 401" or msg->"code: 403" or msg->"[CODE:401]" or msg->"(401)" or msg->"code 403:" or msg->"[401]" or msg->"[CODE:0401]" or msg->"403 GitHub" or msg->"403 Forbidden")
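The query above is a plain substring match over the collector log message, gated on the log level. The following Python snippet is an added illustration (not part of this page or of Devo's own code) that applies the same conditions to a few constructed devo.collectors.out records, so you can see which lines would fire the alert and which of the listed substrings caused the match. It assumes that the `->` operator in the query behaves as a case-sensitive "contains" check; the sample events and the helper names are constructed for this example.

```python
from dataclasses import dataclass

# Substrings taken from the SecOpsCollectorCredentials query. The query lists
# "code: 403" twice; the duplicate is dropped here. Assumption: msg->"X" is a
# case-sensitive substring match, so plain `in` is used below.
CREDENTIAL_PATTERNS = (
    "CODE:0403", "received 401", "code 401", "401 client", "401 Client",
    "401: Invalid", "402: GET", "HttpError 403", "code: 403", "403 Client",
    "403 client", ": 401", "[403", ":403", "HttpError 401", "[CODE:401]",
    "(401)", "code 403:", "[401]", "[CODE:0401]", "403 GitHub", "403 Forbidden",
)

# Levels the alert cares about (the query applies upper() before comparing).
ALERT_LEVELS = ("ERROR", "WARNING")


@dataclass
class CollectorEvent:
    """Minimal stand-in for a devo.collectors.out record (constructed)."""
    level2: str
    msg: str


def matching_patterns(msg: str) -> list:
    """Return the listed substrings found in msg, in query order.

    Useful during triage: broad entries such as ": 401" or "[403" match many
    phrasings, so knowing which one fired tells you how specific the hit is.
    """
    return [p for p in CREDENTIAL_PATTERNS if p in msg]


def matches_credential_alert(event: CollectorEvent) -> bool:
    """Reproduce the where-clause of the SecOpsCollectorCredentials query."""
    level_ok = event.level2.upper() in ALERT_LEVELS
    return level_ok and bool(matching_patterns(event.msg))


def find_credential_problems(events: list) -> list:
    """Filter a batch of events down to those that would raise the alert."""
    return [e for e in events if matches_credential_alert(e)]


# Constructed sample records, not real collector output.
SAMPLE_EVENTS = [
    CollectorEvent("ERROR", "HttpError 403 when calling the Drive API"),
    CollectorEvent("WARNING", "Token refresh failed: received 401 from auth endpoint"),
    CollectorEvent("INFO", "Request returned 401 Client Error"),      # wrong level
    CollectorEvent("ERROR", "Connection timed out after 30s"),        # no credential text
    CollectorEvent("error", "[CODE:0401] invalid credentials"),       # lowercase level
    CollectorEvent("ERROR", "Rate limit hit: 429 Too Many Requests"), # 429 is not listed
]


if __name__ == "__main__":
    for event in find_credential_problems(SAMPLE_EVENTS):
        print(f"{event.level2:8} {event.msg!r:60} matched {matching_patterns(event.msg)}")
```

Running the snippet prints the three records that would trigger the alert (the two ERROR lines and the WARNING line) along with the substring that matched each; the INFO line is skipped even though it mentions a 401, because the level gate is evaluated first.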

Prerequisites

To use this alert pack, you must have the following data sources available in your domain:

Data sources

  • devo.collectors.out


Open alert pack

Once you have installed the desired alerts individually, you can use the Open button at the top right of the card in Exchange to access the Alert configuration, where you can apply filters to find them and later manage them as required. You can also access this area via the Navigation pane (Administration → Alert Configuration → Available alerts).


Use alert pack

The installed alerts are deactivated by default. Go to the Alert configuration area to activate the ones you need and assign sending policies so that you receive them through the desired channels.