Submit a ticketCall us

Systems Monitoring for Dummies
Our new eBook will teach you the fundamentals and help you create monitors and alerts that are effective, meaningful, and actionable. Monitoring is more than a checkbox on your to-do list. This free eBook will give you practical advice to help you succeed in all aspects of monitoring – discovery, alerting, remediation, and troubleshooting. Don’t miss out on this indispensable resource for newbies, experienced IT pros, and everyone in between. Register Now.

Home > Success Center > Kiwi Syslog Server > Kiwi Syslog Server Administrator Guide > Add rules, filters, and actions > Add a filter > Trigger actions based on flags or counters

Trigger actions based on flags or counters

Table of contents
No headers

This feature is available only in the licensed version.

Use Flags/Counters filters to trigger or suppress actions based on the number of times a filter returns TRUE during the specified interval. The following Flags/Counters filters are available:

  • Use a Time interval filter to avoid triggering the same action multiple times during the specified interval.

    Example: a rule sends an email alert when a message contains the text "link down." When a problem occurs, the link sometimes goes up and down many times a minute, and you receive an email alert for each "link down" message. To prevent this, you include a Time interval filter with a value of 5. Kiwi Syslog Server sends an email alert for the first "link down" message. Other "link down" messages during next five minutes do not trigger additional email alerts.

  • Use a Threshold filter to be alerted if a message is sent more than a certain number of times during the specified interval.

    Example: you occasionally receive a message containing the text "port scan detected," but you don't want to be alerted unless it occurs more than five times within a minute. That frequency would indicate that someone is persistently scanning your network.

    You can also use this filter to watch for failed login attempts. If the text "login failed" occurs more than five times within 30 seconds, it could indicate a brute force login attempt.

  • Use a Timeout filter to monitor syslog devices and send an alert when a device is unexpectedly quiet. This filter triggers an action when the filters that precede it in the rule are not met a minimum number of times per interval.

    Example: your firewall normally generates at least 200 messages per hour. If the number of messages drops below 10 in an hour, this filter triggers an email alert.

The internal counter or timer used by these filters can be reset with the action to reset flags and counters.

  1. From the Kiwi Syslog Service Manager, choose File > Setup.
  2. Add a new rule, or locate an existing rule.
  3. Right-click the Filters node below the rule, and choose Add Filter.
  4. Replace the default name with a descriptive name. (The name does not have to be unique.)
  5. In the Field menu, select Flags/Counters.

  6. Select an option from the Filter Type menu.

    Time interval

    Enter a time interval in minutes.

    A Time interval filter should be the last filter in a rule. You can reorder filters.

    Threshold
    1. Enter the threshold and interval (in seconds).
    2. To have a separate count for messages from different IP addresses, select Maintain individual threshold counts.

    A Threshold filter should be the last filter in a rule.

    Timeout

    To configure a Timeout filter:

    1. Add one or more filters before the Timeout filter to specify which messages to count. (For example, to watch for inactivity on the firewall, create a filter to include only messages from the firewall's IP address.)
    2. In the Timeout filter, enter the minimum number of times the message should be received.
    3. Enter the time interval in minutes.
    4. (Optional) To avoid triggering an alert at times when low activity is expected, add a Time of day filter to include only certain days and time periods.

    Other than the optional Time of day filter, a timeout filter should be the last filter in a rule.

    When this filter returns TRUE, a message with the following format is passed to any actions in the rule:

    Priority: Local7.Debug (191)

    HostIP: 127.0.0.1 (localhost)

    MsgText: The rule 'ruleName' has only been matched x times in y minutes. The threshold was set for z times.

  7. (Optional) Test the filter.
  8. Click Apply to save the filter.

    Actions in the associated rule are triggered when the specified threshold is exceeded (for Time interval and Threshold filters) or is not met (for Timeout filters).

Last modified

Tags

Classifications

Public