Alert Service Operations

The Alert Service operations let you manage alerts in the LogLogic Appliance.

Overview

The Alert Service operations let you create, read, update, and delete alerts as well as view all alerts in the LogLogic Appliance.

Using the createAlert and updateAlert operations, you can define and update rules to detect unusual traffic on your network or detect Appliance system anomalies. Alerts can be configured to generate SNMP events and/or send an email notification when the alert rule is triggered for a specific type of alert.

The alert types are Adapter Baseline, Cisco Pix Messages, Message Volume, Network Policy, Pre-defined Search Filter, Ratio Based, System, VPN Connections, VPN Messages, and VPN Statistics. For more information on supported alerts, see Alert Types or the online help for each specific alert. To view the user interface implementation in the LogLogic Appliance, navigate to Alerts.

When creating (createAlert) or updating (updateAlert) an alert, you must specify a value for the alertRules Common Request Parameter. The alertRules value is used to define alert rules for a specific alert.

Implementation Guidelines

The following are general implementation guidelines for the Alert Service operations:


  • A set of Common Request Parameters is required for each Alert Service operation.
  • The createAlert Operation, createAlertRemote Operation, updateAlert Operation, and updateAlertRemote Operation require that you specify Common and Alert-Specific Request Parameters. Alert-Specific Request Parameters are specified using the alertRules Common Request Parameter.
  • Alert Rules, defined in the alertRules Common Request Parameter, are specified as a string in the format:
    "/parameter1/valueA//parameter2/valueD/valueE/"
    For example, a rule for the Network Policy alert is:
    "fewerThan/100//moreThan/10//alertFilter/False//policyAction/Accept//srcIPMin/10.1.2.3//srcIPMax/255.255.255.255//srcPortMin/0//srcPortMax/100//destIPMin/10.1.1.123//destIPMax/255.255.255.255//destPortMin/0//destPortMax/100//protocol/all"

For specific usage rules, see Common Request Parameters and Alert-Specific Request Parameters.

Alert Service Operation Definitions

There are two kinds of operations:


  • local - the operation is performed on the local Appliance itself
  • remote - operations (names ending with Remote) are performed on a specified remote Appliance

The Alert Service Operations are as follows:

Status Codes

The Status Codes are:

2000 Server success
4000 Unauthorized request
5000 Invalid parameter; getStatusMessage() contains detailed information about the error

Common Request Parameters

A set of Common Request Parameters is required for each of the Alert Service operations. When using the createAlert or updateAlert operations, you must also specify the alertRules parameter.

Common Request Parameters usage must follow several rules:

  • You must specify a value for all Required Common Request Parameters.
  • All Common Request parameters must be implemented in the order in which they appear in the Request Parameters section for each of the Alert Service operations.
  • For Common Request Parameters, you must specify the value of the parameter only. Note that LogLogic expects the values in the order defined in this document.
  • All values for Common Request Parameters must be enclosed in double quotation marks ("value").

TABLE 1: Alert Service Common Request Parameters

Each entry lists the parameter name, followed by its Description, Values, Required, and Type columns.

authToken
  Description: Token string returned from the authentication service or the "username/password".
  Required: yes
  Type: string

applianceIp
  Description: The managed Appliance on which you perform the operation. If the value is blank, the Appliance IP address is retrieved from the local Appliance. This parameter is available only for Management Station Appliances using operations with Remote in the name.
  Values: IP address of a managed Appliance. To specify an IP address, use the standard IP address format. For example: 10.1.2.3
  Required: yes (for xxxxRemote operations only)
  Type: string

alertType
  Description: Type of alert, such as Network Policy Alert or System Alert.
  Values: For a list of alert types, see Alert Types.
  Required: yes
  Type: string

name
  Description: Name of the alert.
  Values: Any text up to 64 characters in length.
  Required: yes
  Type: string

desc
  Description: Description for the remote device.
  Values: Any text up to 64 characters in length.
  Required: optional
  Type: string

priorityName
  Description: Priority level of the alert.
  Values: low, medium, high
  Required: yes
  Type: string

enabled
  Description: Determines if the alert is enabled or disabled. (Appears as enabled or disabled in the returned value.)
  Values: yes -- enabled; no -- disabled. The default is no.
  Required: yes
  Type: string

deviceNames
  Description: List of devices. Valid entries contain one or more devices and/or device groups. To see a list of all available devices and device groups, use the Devices tab in the LogLogic Appliance user interface. To access the Devices tab, click Alerts > Manage Alerts, click the Add New button, select an alert type, and then click the Devices tab.
  Values: List of valid devices and/or groups. Use a forward slash (/) as a delimiter for multiple entries. For example: 10.1.1.1/10.1.1.7. If a device has a forward slash (/) in its name, such as HP/UX or IBM i5/OS, you must replace the forward slash with %2F (the F is case-sensitive). For example: HP%2FUX
  Required: yes
  Type: string

usernames
  Description: User names for the alerts.
  Values: Specify a single user or a user group. Use a forward slash (/) as a delimiter for multiple entries. For example: user1/usergroup7
  Required: yes
  Type: string

trapIds
  Description: Trap name or IP address to send the SNMP messages to when the alert is triggered.
  Values: Use a forward slash (/) as a delimiter for multiple entries. For example: trap1/trap2/trap3
  Required: yes
  Type: string

resetTime
  Description: Time to wait between generated alerts. The Appliance does not issue an additional alert of the same type until the resetTime elapses.
  Values: Any positive integer. The value is in seconds. For example, the value 120 represents two minutes.
  Required: yes
  Type: number

trackIndividualDevice
  Description: Enables or disables individual device tracking.
  Values: yes -- enabled; no -- disabled. The default is no.
  Required: yes
  Type: string

alertRules
  Description: Alert rule specific to the alert type.
  Values: See Alert-Specific Request Parameters for a list of specific alert rules for each alert type.
  Required: yes
  Type: string

snmpOId
  Description: Specifies an SNMP OID to identify the originator of this alert.
  Values: Any valid SNMP OID
  Required: no
  Type: string

changeNameTo
  Description: New name of the alert. If empty, the object name is unchanged.
  Values: Any text up to 64 characters in length.
  Required: yes (for updateAlert and updateAlertRemote only)
  Type: string

Alert-Specific Request Parameters

You must specify the alert rules for each specific alert type you are managing. Alert Rules are defined using the alertRules Common Request Parameter. The following section contains alert-specific parameters for each of the alert types. The alert types are Adapter Baseline, Cisco Pix Messages, Message Volume, Network Policy, Pre-defined Search Filter, Ratio Based, System, VPN Connections, VPN Messages, and VPN Statistics.

Alert-Specific Request Parameters usage must follow several rules:

  • All Alert-Specific Parameters can be implemented in any order. LogLogic recommends that you implement the alert rules in a consistent order and format to make managing the alert rules easier.
  • Alert-Specific parameter values must include double quotation marks around the entire alert rule. For example:
    "param1/valueA//param2/valueC"
  • If the name of a device or the parameter value includes a forward slash (/), such as HP/UX, IBM i5/OS, or Accept/Total, you must replace the forward slash with %2F. (The F is case-sensitive.)
    Examples: HP%2FUX, IBM i5%2FOS, or Accept%2FTotal
  • Use forward slash marks as delimiters when specifying alert rules. Use a single forward slash mark (/) to separate a parameter name from its values and to define multiple values for a parameter. Use double forward slash marks (//) as delimiters between parameters. For example:
    param1/valueA//param2/valueC/valueD//param3/valueE
    where param1, param2, and param3 are parameters and valueA, valueC, valueD, and valueE are values for param1, param2, and param3, respectively.

    The example assigns the following name/value pairs:

    param1 = valueA
    param2 = valueC, valueD
    param3 = valueE
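As an added example that is not part of the LogLogic documentation or API, the following Python builds and parses strings in the alertRules format described above (double slash between parameters, single slash between a name and its values, %2F for a literal slash) and in the single-slash list format used by deviceNames, usernames, and trapIds. The function names are assumptions of this example; the Network Policy rule is the one quoted earlier on this page.

```python
# Added example, not LogLogic's own code: encode and decode the alertRules
# string format. "//" separates parameters, "/" separates a parameter name
# from its value(s) and one value from the next, a literal "/" is written %2F.
PARAM_SEP = "//"
VALUE_SEP = "/"


def escape_value(value):
    """Encode a literal forward slash as %2F (uppercase F, as the Appliance expects)."""
    return str(value).replace("/", "%2F")


def unescape_value(value):
    """Reverse escape_value; only the uppercase %2F form is recognised."""
    return value.replace("%2F", "/")


def encode_alert_rules(rules):
    """Build an alertRules string from a dict of name -> value or list of values."""
    parts = []
    for name, values in rules.items():
        if "/" in name:
            raise ValueError(f"parameter name may not contain '/': {name!r}")
        if not isinstance(values, (list, tuple)):
            values = [values]
        parts.append(VALUE_SEP.join([name] + [escape_value(v) for v in values]))
    return PARAM_SEP.join(parts)


def decode_alert_rules(rule_string):
    """Parse an alertRules string into a dict of name -> list of unescaped values."""
    rules = {}
    # A leading or trailing "/" (as in the format template) carries no data.
    for part in rule_string.strip(VALUE_SEP).split(PARAM_SEP):
        fields = part.split(VALUE_SEP)
        name, values = fields[0], fields[1:]
        if not name or not values or "" in values:
            raise ValueError(f"malformed rule fragment: {part!r}")
        rules[name] = [unescape_value(v) for v in values]
    return rules


def encode_delimited_list(items):
    """deviceNames / usernames / trapIds style list: a single "/" between entries."""
    return VALUE_SEP.join(escape_value(i) for i in items)


# Constructed sample: the Network Policy rule quoted on this page.
NETWORK_POLICY_RULE = (
    "fewerThan/100//moreThan/10//alertFilter/False//policyAction/Accept"
    "//srcIPMin/10.1.2.3//srcIPMax/255.255.255.255//srcPortMin/0//srcPortMax/100"
    "//destIPMin/10.1.1.123//destIPMax/255.255.255.255//destPortMin/0"
    "//destPortMax/100//protocol/all"
)
```

The functions return the bare rule string; the double quotation marks the rules above require are added around it when the value is placed in the request.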

The Alert-Specific Request Parameters are as follows:
