alerting in NA
I am trying to set up some alerts in Nagios NA. According to the Nagios 2 features, I should be able to set up notifications for the following:
Security and Reliability
Network Analyzer is capable of alerting users when suspicious activity takes place on the network.
Automated Alert System
Receive alerts when abnormal activity takes place, or when bandwidth usage exceeds your specified thresholds
The problem is I don't see how to set up those types of notification; the documentation doesn't give you much information on how to set up those notifications. Just checking what you guys are doing for alerting on suspicious activity, abnormal activity or high bandwidth usage.
Any help would be greatly appreciated.
Thanks!
Alex
Re: alerting in NA
Below is the link to the document with some details on Alerts in NNA and how to set them up.
https://assets.nagios.com/downloads/nag ... alyzer.pdf
For example, if you want to get alerted if the Bytes Transferred on a source is over 10M in the last 5 minutes, you would create a new check and select your Source.
Then on Page 2 for your criteria, you would Select Bytes in the Analyze traffic for: field.
To get a warning alert for over 10Meg, put in 10000000 in the Warning Field and for a Critical Alert for example of 12Meg, you would put 12000000 in the Critical Field.
For a raw Bandwidth check, I would Select "Destination or Source" for the Where The: field and select Network and fill in the network schema in the (required) field.
Then on Step 3, you would select how you want to get Alerted.
That is a fairly generic way for getting an alert for high bandwidth usage.
You can also get bandwidth alerts on Flows, Packets and Bits/Sec by selecting them in the Analyze traffic for: field and adjusting the other settings if needed.
Let's say you want to get alerted when there is higher than normal traffic on port 22, which could be suspicious activity.
You would pretty much set the Check up like the bandwidth check, but select Port instead of Network on the second page and put 22 in the (required) field.
Adjust the thresholds to what would be suspicious to you, and that is how you would get alerted on that.
To receive an email for abnormal activity, you would have to integrate the NNA server with a Nagios XI server as there is a Wizard in XI for sending emails for abnormal behavior.
There is not a way to natively do that in the NNA interface.
Be sure to check out our Knowledgebase for helpful articles and solutions!
Re: alerting in NA
Thanks for the information, that was really helpful. I still can't get the alerts to work and get some visibility on my network for abnormal activity or bandwidth usage and alerting me when suspicious activity takes place. Maybe it's me, I am not getting it.
Re: alerting in NA
Could you show us how you set up alerts?
Any screenshots would be helpful.
Re: alerting in NA
Here is a screenshot.
Re: alerting in NA
If the Alert in your screen capture did not send an email to that user, it is possible that there are additional settings that have to be done to get the server to send them.
Take a look at this document for more details.
https://assets.nagios.com/downloads/nag ... alyzer.pdf
The NNA server uses Sendmail for the emails, and it could be blocked by your corporate infrastructure; the above document should help you fix that.
Also, can you run the following command as root and post the output so we can check the Mail log file for any errors?
Thanks.
Code:
tail -200 /var/log/maillog
Re: alerting in NA
@localhost>, size=534, class=0, nrcpts=1, msgid=<201805221925.w4MJP139001289@localhost.localdomain>, proto=ESMTP, daemon=MTA, relay=localhost.localdomain [127.0.0.1]
May 22 15:27:01 localhost sendmail[1288]: w4MJP1x1001284: to=<aalexandre@insightcreditunion.com>, delay=00:02:00, xdelay=00:02:00, mailer=esmtp, pri=120537, relay=insightcreditunion.com. [173.192.109.96], dsn=4.0.0, stat=Deferred: Connection timed out with insightcreditunion.com.
May 22 15:27:01 localhost sendmail[1295]: w4MJP139001289: to=<JPeterson@insightcreditunion.com>, delay=00:02:00, xdelay=00:02:00, mailer=esmtp, pri=120534, relay=insightcreditunion.com. [173.192.109.96], dsn=4.0.0, stat=Deferred: Connection timed out with insightcreditunion.com.
May 22 15:30:00 localhost sendmail[1471]: w4MJU0cx001471: from=<nagiosna-servbot@localhost>, size=537, class=0, nrcpts=1, msgid=<201805221930.w4MJU0cx001471@localhost.localdomain>, proto=ESMTP, daemon=MTA, relay=localhost.localdomain [127.0.0.1]
May 22 15:30:00 localhost sendmail[1479]: w4MJU0pT001479: from=<nagiosna-servbot@localhost>, size=534, class=0, nrcpts=1, msgid=<201805221930.w4MJU0pT001479@localhost.localdomain>, proto=ESMTP, daemon=MTA, relay=localhost.localdomain [127.0.0.1]
May 22 15:32:00 localhost sendmail[1478]: w4MJU0cx001471: to=<aalexandre@insightcreditunion.com>, delay=00:02:00, xdelay=00:02:00, mailer=esmtp, pri=120537, relay=insightcreditunion.com. [173.192.109.96], dsn=4.0.0, stat=Deferred: Connection timed out with insightcreditunion.com.
May 22 15:32:00 localhost sendmail[1481]: w4MJU0pT001479: to=<JPeterson@insightcreditunion.com>, delay=00:02:00, xdelay=00:02:00, mailer=esmtp, pri=120534, relay=insightcreditunion.com. [173.192.109.96], dsn=4.0.0, stat=Deferred: Connection timed out with insightcreditunion.com.
May 22 15:35:00 localhost sendmail[1639]: w4MJZ0cl001639: from=<nagiosna-servbot@localhost>, size=537, class=0, nrcpts=1, msgid=<201805221935.w4MJZ0cl001639@localhost.localdomain>, proto=ESMTP, daemon=MTA, relay=localhost.localdomain [127.0.0.1]
May 22 15:35:00 localhost sendmail[1642]: w4MJZ0Qb001642: from=<nagiosna-servbot@localhost>, size=534, class=0, nrcpts=1, msgid=<201805221935.w4MJZ0Qb001642@localhost.localdomain>, proto=ESMTP, daemon=MTA, relay=localhost.localdomain [127.0.0.1]
May 22 15:37:00 localhost sendmail[1641]: w4MJZ0cl001639: to=<aalexandre@insightcreditunion.com>, delay=00:02:00, xdelay=00:02:00, mailer=esmtp, pri=120537, relay=insightcreditunion.com. [173.192.109.96], dsn=4.0.0, stat=Deferred: Connection timed out with insightcreditunion.com.
May 22 15:37:00 localhost sendmail[1645]: w4MJZ0Qb001642: to=<JPeterson@insightcreditunion.com>, delay=00:02:00, xdelay=00:02:00, mailer=esmtp, pri=120534, relay=insightcreditunion.com. [173.192.109.96], dsn=4.0.0, stat=Deferred: Connection timed out with insightcreditunion.com.
May 22 15:40:02 localhost sendmail[1861]: w4MJe28j001861: from=<nagiosna-servbot@localhost>, size=537, class=0, nrcpts=1, msgid=<201805221940.w4MJe28j001861@localhost.localdomain>, proto=ESMTP, daemon=MTA, relay=localhost.localdomain [127.0.0.1]
May 22 15:40:02 localhost sendmail[1864]: w4MJe2j2001864: from=<nagiosna-servbot@localhost>, size=534, class=0, nrcpts=1, msgid=<201805221940.w4MJe2j2001864@localhost.localdomain>, proto=ESMTP, daemon=MTA, relay=localhost.localdomain [127.0.0.1]
May 22 15:42:02 localhost sendmail[1863]: w4MJe28j001861: to=<aalexandre@insightcreditunion.com>, delay=00:02:00, xdelay=00:02:00, mailer=esmtp, pri=120537, relay=insightcreditunion.com. [173.192.109.96], dsn=4.0.0, stat=Deferred: Connection timed out with insightcreditunion.com.
May 22 15:42:02 localhost sendmail[1866]: w4MJe2j2001864: to=<JPeterson@insightcreditunion.com>, delay=00:02:00, xdelay=00:02:00, mailer=esmtp, pri=120534, relay=insightcreditunion.com. [173.192.109.96], dsn=4.0.0, stat=Deferred: Connection timed out with insightcreditunion.com.
Re: alerting in NA
The NNA server is relaying the emails to the insightcreditunion.com server and that system is blocking the NNA server.
Either get someone to allow the NNA server to forward emails, or follow that PDF file to configure a known SMTP server that allows the NNA server to forward emails.
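The diagnosis above (queue ids stuck at dsn=4.0.0 / stat=Deferred against the recipient's relay) as an added detection script over maillog lines; this is not part of the thread, and the log excerpt is constructed in the same sendmail format with placeholder addresses and IPs:

```python
import re
from collections import Counter, defaultdict

# Constructed maillog lines in the same layout as the excerpt above (placeholder domains/IPs)
MAILLOG = """\
May 22 15:30:00 localhost sendmail[1471]: w4MJU0cx001471: from=<nagiosna-servbot@localhost>, size=537, class=0, nrcpts=1, msgid=<201805221930.w4MJU0cx001471@localhost.localdomain>, proto=ESMTP, daemon=MTA, relay=localhost.localdomain [127.0.0.1]
May 22 15:32:00 localhost sendmail[1478]: w4MJU0cx001471: to=<alerts@example.com>, delay=00:02:00, xdelay=00:02:00, mailer=esmtp, pri=120537, relay=example.com. [192.0.2.10], dsn=4.0.0, stat=Deferred: Connection timed out with example.com.
May 22 15:33:00 localhost sendmail[1500]: w4MJX0aa001500: from=<nagiosna-servbot@localhost>, size=530, class=0, nrcpts=1, msgid=<201805221933.w4MJX0aa001500@localhost.localdomain>, proto=ESMTP, daemon=MTA, relay=localhost.localdomain [127.0.0.1]
May 22 15:33:01 localhost sendmail[1502]: w4MJX0aa001500: to=<ops@example.com>, delay=00:00:01, xdelay=00:00:01, mailer=esmtp, pri=120530, relay=mail.example.com. [192.0.2.25], dsn=2.0.0, stat=Sent (OK id=abc)
"""

# timestamp, host, sendmail[pid], queue id, then the comma-separated key=value fields
LINE = re.compile(r"^(?P<ts>\w{3} +\d+ [\d:]+) \S+ sendmail\[\d+\]: (?P<qid>\w+): (?P<fields>.*)$")


def parse_fields(text):
    """Split 'k=v, k=v, ...' but only at commas that start a new key, so the
    free text in stat=... (which may itself contain commas) stays intact."""
    out = {}
    for part in re.split(r", (?=\w+=)", text):
        key, _, value = part.partition("=")
        out[key] = value
    return out


def summarize(log):
    """Join the from= and to= records of each queue id into one dict."""
    msgs = defaultdict(dict)
    for line in log.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        fields = parse_fields(m.group("fields"))
        rec = msgs[m.group("qid")]
        if "from" in fields:
            rec["from"] = fields["from"]
        if "to" in fields:
            rec.update(to=fields["to"], relay=fields.get("relay"),
                       dsn=fields.get("dsn"), stat=fields.get("stat"), ts=m.group("ts"))
    return dict(msgs)


def deferred(log):
    """Queue ids whose delivery is deferred (dsn 4.x.x), with recipient, relay and reason."""
    return {qid: (rec["to"], rec["relay"], rec["stat"])
            for qid, rec in summarize(log).items() if rec.get("dsn", "").startswith("4.")}


def relays_failing(log):
    """Count deferred deliveries per relay, which points at the host blocking the NNA server."""
    return Counter(relay for _, relay, _ in deferred(log).values())
```

A relay that keeps appearing with a 4.x.x DSN every retry interval, as in the thread, is the one whose administrator needs to allow the NNA server or be replaced by a known SMTP relay.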
Re: alerting in NA
I made the change and saved the config; now Nagios stopped pulling data from my devices. This has happened before when I was testing; I thought it was something else I did, nope. I had to redeploy a new appliance. No more sFlow, this is crazy.
Re: alerting in NA
The Flow data comes from the remote device, the NNA server does not poll the data at all.
All it does is listen for the data from the devices.
Do the sources start and run in the NNA GUI?
Do you see any errors in this log file when starting the sources?
Code:
/usr/local/nagiosna/var/backend.log