alerting in NA

This support forum board is for support questions relating to Nagios Network Analyzer, our network traffic and bandwidth analysis solution.
insightcu
Posts: 14
Joined: Tue Apr 03, 2018 5:21 pm

alerting in NA

Post by insightcu »

I am trying to set up some alerts in Nagios NA. According to the Nagios 2 features, I should be able to set up notifications for the following:
Security and Reliability
Network Analyzer is capable of alerting users when suspicious activity takes place on the network.

Automated Alert System
Receive alerts when abnormal activity takes place, or when bandwidth usage exceeds your specified thresholds

The problem is I don't see how to set up those types of notifications, and the documentation doesn't give you much information on how to set them up. Just checking what you guys are doing for alerting on suspicious activity, abnormal activity or high bandwidth usage.

Any help would be greatly appreciated.

Thanks!

alex
tgriep
Madmin
Posts: 9177
Joined: Thu Oct 30, 2014 9:02 am

Re: alerting in NA

Post by tgriep »

Below is the link to the document with some details on Alerts in NNA and how to set them up.
https://assets.nagios.com/downloads/nag ... alyzer.pdf

For example, if you want to get alerted if the Bytes Transferred on a source is over 10M in the last 5 minutes, you would create a new check and select your Source.
Then on Page 2 for your criteria, you would Select Bytes in the Analyze traffic for: field.
To get a warning alert for over 10Meg, put in 10000000 in the Warning Field and for a Critical Alert for example of 12Meg, you would put 12000000 in the Critical Field.
For a raw Bandwidth check, I would Select "Destination or Source" for the Where The: field and select Network and fill in the network schema in the (required) field.
Then on Step 3, you would select how you want to get Alerted.

That is a fairly generic way for getting an alert for high bandwidth usage.

You can also get bandwidth alerts on Flows, Packets and Bits/Sec by selecting them in the Analyze traffic for: field and adjusting the other settings if needed.


Let's say you want to get alerted when there is higher than normal traffic on port 22, which could be suspicious activity.
You would pretty much set the Check up like the bandwidth check but select Port instead of Network on the second page and put 22 in the (required) field.
Adjust the thresholds to what would be suspicious to you and that is how you would get alerted on that.

To receive an email for abnormal activity, you would have to integrate the NNA server with a Nagios XI server as there is a Wizard in XI for sending emails for abnormal behavior.
There is not a way to natively do that in the NNA interface.
Be sure to check out our Knowledgebase for helpful articles and solutions!
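The check described in this reply is a threshold on a metric summed over a time window, evaluated against Warning and Critical values. The following is an added example of that logic (it is not Nagios Network Analyzer code and does not use its API): it sums bytes per source host over a 5-minute window of constructed flow records, applies the 10000000/12000000 thresholds from the post, and does the same restricted to port 22. The record layout and threshold values for the port check are assumptions made for illustration.

```python
"""Window-and-threshold alert evaluation over constructed flow records.

Added example mirroring the Warning/Critical threshold logic described in the
reply above; not Nagios Network Analyzer code. Flow records are constructed
inline and their field layout is an assumption for illustration.
"""
from collections import defaultdict

# Constructed flow records: (timestamp_seconds, src_ip, dst_ip, dst_port, bytes)
FLOWS = [
    (0,   "10.0.0.5", "203.0.113.9",  443, 4_000_000),
    (60,  "10.0.0.5", "203.0.113.9",  443, 5_000_000),
    (120, "10.0.0.5", "203.0.113.9",  443, 4_000_000),
    (30,  "10.0.0.7", "198.51.100.2", 22,  900_000),
    (90,  "10.0.0.7", "198.51.100.2", 22,  800_000),
    (400, "10.0.0.7", "198.51.100.2", 22,  300_000),  # outside a window ending at t=300
    (10,  "10.0.0.8", "203.0.113.9",  80,  1_000_000),
]

WINDOW_SECONDS = 300  # "in the last 5 minutes"


def evaluate(total, warning, critical):
    """Nagios-style state for a metric total: OK / WARNING / CRITICAL."""
    if total >= critical:
        return "CRITICAL"
    if total >= warning:
        return "WARNING"
    return "OK"


def bytes_per_host(flows, now, window=WINDOW_SECONDS, port=None):
    """Sum bytes per source host within [now - window, now], optionally for one destination port."""
    totals = defaultdict(int)
    for ts, src, _dst, dport, nbytes in flows:
        if ts < now - window or ts > now:
            continue
        if port is not None and dport != port:
            continue
        totals[src] += nbytes
    return dict(totals)


def bandwidth_check(flows, now, warning=10_000_000, critical=12_000_000):
    """Per-host state for the 'Bytes over 10M warning / 12M critical' check from the reply."""
    return {host: evaluate(total, warning, critical)
            for host, total in bytes_per_host(flows, now).items()}


def port_check(flows, now, port=22, warning=1_000_000, critical=2_000_000):
    """Same threshold logic restricted to one port (the port-22 example); thresholds are assumed."""
    return {host: evaluate(total, warning, critical)
            for host, total in bytes_per_host(flows, now, port=port).items()}


if __name__ == "__main__":
    print("bandwidth:", bandwidth_check(FLOWS, now=300))
    print("port 22:  ", port_check(FLOWS, now=300))
```

With the window ending at t=300, host 10.0.0.5 has moved 13 MB and is CRITICAL on the bandwidth check, while 10.0.0.7 is below the 10 MB bandwidth threshold but trips the lower port-22 threshold; the record at t=400 is ignored because it lies outside the window.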
insightcu
Posts: 14
Joined: Tue Apr 03, 2018 5:21 pm

Re: alerting in NA

Post by insightcu »

Thanks for the information, that was really helpful. I still can't get the alerts to work and get some visibility on my network for abnormal activity or bandwidth usage, alerting me when suspicious activity takes place. Maybe it's me, I am not getting it.
kyang

Re: alerting in NA

Post by kyang »

Could you show us how you set up alerts?

Any screenshots would be helpful.
insightcu
Posts: 14
Joined: Tue Apr 03, 2018 5:21 pm

Re: alerting in NA

Post by insightcu »

Here is a screenshot.
tgriep
Madmin
Posts: 9177
Joined: Thu Oct 30, 2014 9:02 am

Re: alerting in NA

Post by tgriep »

If the Alert in your screen capture did not send an email to that user, there could be additional settings that have to be done to get the server to send them.
Take a look at this document for more details.
https://assets.nagios.com/downloads/nag ... alyzer.pdf

The NNA server uses Sendmail for the emails and it could be blocked by your corporate infrastructure; the above document should help you fix that.

Also, can you run the following command as root and post the output so we can check the Mail log file for any errors?

tail -200 /var/log/maillog
Thanks.
insightcu
Posts: 14
Joined: Tue Apr 03, 2018 5:21 pm

Re: alerting in NA

Post by insightcu »

@localhost>, size=534, class=0, nrcpts=1, msgid=<201805221925.w4MJP139001289@localhost.localdomain>, proto=ESMTP, daemon=MTA, relay=localhost.localdomain [127.0.0.1]
May 22 15:27:01 localhost sendmail[1288]: w4MJP1x1001284: to=<aalexandre@insightcreditunion.com>, delay=00:02:00, xdelay=00:02:00, mailer=esmtp, pri=120537, relay=insightcreditunion.com. [173.192.109.96], dsn=4.0.0, stat=Deferred: Connection timed out with insightcreditunion.com.
May 22 15:27:01 localhost sendmail[1295]: w4MJP139001289: to=<JPeterson@insightcreditunion.com>, delay=00:02:00, xdelay=00:02:00, mailer=esmtp, pri=120534, relay=insightcreditunion.com. [173.192.109.96], dsn=4.0.0, stat=Deferred: Connection timed out with insightcreditunion.com.
May 22 15:30:00 localhost sendmail[1471]: w4MJU0cx001471: from=<nagiosna-servbot@localhost>, size=537, class=0, nrcpts=1, msgid=<201805221930.w4MJU0cx001471@localhost.localdomain>, proto=ESMTP, daemon=MTA, relay=localhost.localdomain [127.0.0.1]
May 22 15:30:00 localhost sendmail[1479]: w4MJU0pT001479: from=<nagiosna-servbot@localhost>, size=534, class=0, nrcpts=1, msgid=<201805221930.w4MJU0pT001479@localhost.localdomain>, proto=ESMTP, daemon=MTA, relay=localhost.localdomain [127.0.0.1]
May 22 15:32:00 localhost sendmail[1478]: w4MJU0cx001471: to=<aalexandre@insightcreditunion.com>, delay=00:02:00, xdelay=00:02:00, mailer=esmtp, pri=120537, relay=insightcreditunion.com. [173.192.109.96], dsn=4.0.0, stat=Deferred: Connection timed out with insightcreditunion.com.
May 22 15:32:00 localhost sendmail[1481]: w4MJU0pT001479: to=<JPeterson@insightcreditunion.com>, delay=00:02:00, xdelay=00:02:00, mailer=esmtp, pri=120534, relay=insightcreditunion.com. [173.192.109.96], dsn=4.0.0, stat=Deferred: Connection timed out with insightcreditunion.com.
May 22 15:35:00 localhost sendmail[1639]: w4MJZ0cl001639: from=<nagiosna-servbot@localhost>, size=537, class=0, nrcpts=1, msgid=<201805221935.w4MJZ0cl001639@localhost.localdomain>, proto=ESMTP, daemon=MTA, relay=localhost.localdomain [127.0.0.1]
May 22 15:35:00 localhost sendmail[1642]: w4MJZ0Qb001642: from=<nagiosna-servbot@localhost>, size=534, class=0, nrcpts=1, msgid=<201805221935.w4MJZ0Qb001642@localhost.localdomain>, proto=ESMTP, daemon=MTA, relay=localhost.localdomain [127.0.0.1]
May 22 15:37:00 localhost sendmail[1641]: w4MJZ0cl001639: to=<aalexandre@insightcreditunion.com>, delay=00:02:00, xdelay=00:02:00, mailer=esmtp, pri=120537, relay=insightcreditunion.com. [173.192.109.96], dsn=4.0.0, stat=Deferred: Connection timed out with insightcreditunion.com.
May 22 15:37:00 localhost sendmail[1645]: w4MJZ0Qb001642: to=<JPeterson@insightcreditunion.com>, delay=00:02:00, xdelay=00:02:00, mailer=esmtp, pri=120534, relay=insightcreditunion.com. [173.192.109.96], dsn=4.0.0, stat=Deferred: Connection timed out with insightcreditunion.com.
May 22 15:40:02 localhost sendmail[1861]: w4MJe28j001861: from=<nagiosna-servbot@localhost>, size=537, class=0, nrcpts=1, msgid=<201805221940.w4MJe28j001861@localhost.localdomain>, proto=ESMTP, daemon=MTA, relay=localhost.localdomain [127.0.0.1]
May 22 15:40:02 localhost sendmail[1864]: w4MJe2j2001864: from=<nagiosna-servbot@localhost>, size=534, class=0, nrcpts=1, msgid=<201805221940.w4MJe2j2001864@localhost.localdomain>, proto=ESMTP, daemon=MTA, relay=localhost.localdomain [127.0.0.1]
May 22 15:42:02 localhost sendmail[1863]: w4MJe28j001861: to=<aalexandre@insightcreditunion.com>, delay=00:02:00, xdelay=00:02:00, mailer=esmtp, pri=120537, relay=insightcreditunion.com. [173.192.109.96], dsn=4.0.0, stat=Deferred: Connection timed out with insightcreditunion.com.
May 22 15:42:02 localhost sendmail[1866]: w4MJe2j2001864: to=<JPeterson@insightcreditunion.com>, delay=00:02:00, xdelay=00:02:00, mailer=esmtp, pri=120534, relay=insightcreditunion.com. [173.192.109.96], dsn=4.0.0, stat=Deferred: Connection timed out with insightcreditunion.com.
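The maillog above pairs each queued message (the from= line) with a delivery attempt (the to= line) by queue id, and the stat=Deferred with dsn=4.0.0 on every to= line is what shows the relay is not accepting the mail. As an added example, not part of the post or of Nagios, here is a small parser for this sendmail log format that groups delivery outcomes per relay and lists the deferred queue ids; the sample lines are constructed to resemble the output above, with placeholder addresses and IPs.

```python
"""Parse sendmail maillog lines and summarize deferred deliveries by relay.

Added example, not part of the forum post or of Nagios Network Analyzer. The
regexes target the sendmail log format shown in the thread; the sample lines
below are constructed with placeholder domain, addresses and IPs.
"""
import re
from collections import Counter

# Constructed sample lines modelled on the post's output (placeholder values).
SAMPLE_LOG = """\
May 22 15:30:00 localhost sendmail[1471]: w4MJU0cx001471: from=<nagiosna-servbot@localhost>, size=537, class=0, nrcpts=1, msgid=<201805221930.w4MJU0cx001471@localhost.localdomain>, proto=ESMTP, daemon=MTA, relay=localhost.localdomain [127.0.0.1]
May 22 15:32:00 localhost sendmail[1478]: w4MJU0cx001471: to=<admin@example.invalid>, delay=00:02:00, xdelay=00:02:00, mailer=esmtp, pri=120537, relay=example.invalid. [192.0.2.10], dsn=4.0.0, stat=Deferred: Connection timed out with example.invalid.
May 22 15:33:00 localhost sendmail[1490]: w4MJU0zz001490: from=<nagiosna-servbot@localhost>, size=540, class=0, nrcpts=1, msgid=<201805221933.w4MJU0zz001490@localhost.localdomain>, proto=ESMTP, daemon=MTA, relay=localhost.localdomain [127.0.0.1]
May 22 15:33:01 localhost sendmail[1492]: w4MJU0zz001490: to=<ops@example.invalid>, delay=00:00:01, xdelay=00:00:01, mailer=relay, pri=120540, relay=[192.0.2.25] [192.0.2.25], dsn=2.0.0, stat=Sent (Ok: queued as 4242)
"""

# "<timestamp> <host> sendmail[<pid>]: <queue id>: <key=value, ...>"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) \S+ sendmail\[\d+\]: (?P<qid>\w+): (?P<body>.*)$"
)
# key=value pairs separated by ", "; angle-bracketed values may contain commas.
KV_RE = re.compile(r"(\w+)=(<[^>]*>|[^,]+?)(?:, |$)")


def parse_line(line):
    """Return a dict with ts, qid and the key=value fields, or None for non-sendmail lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = {"ts": m.group("ts"), "qid": m.group("qid")}
    # stat= is always last and its text may contain commas, so split it off first.
    head, sep, stat = m.group("body").partition(", stat=")
    for key, value in KV_RE.findall(head):
        rec[key] = value.strip("<>")
    if sep:
        rec["stat"] = stat
    return rec


def summarize(log_text):
    """Count delivery outcomes per relay and collect (qid, recipient, dsn) for deferred mail."""
    by_relay = Counter()
    deferred = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec or "stat" not in rec:
            continue  # from= lines carry no delivery status
        outcome = "deferred" if rec["stat"].startswith("Deferred") else "delivered"
        by_relay[(rec["relay"], outcome)] += 1
        if outcome == "deferred":
            deferred.append((rec["qid"], rec["to"], rec.get("dsn")))
    return dict(by_relay), deferred


if __name__ == "__main__":
    counts, stuck = summarize(SAMPLE_LOG)
    for (relay, outcome), n in sorted(counts.items()):
        print(f"{relay}: {outcome} x{n}")
    for qid, rcpt, dsn in stuck:
        print(f"deferred {qid} -> {rcpt} (dsn {dsn})")
```

Run against a real log with `summarize(open("/var/log/maillog").read())`; a relay whose every attempt is "deferred" with a 4.x.x dsn is the one to follow up on, which matches the diagnosis in the reply that follows.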
tgriep
Madmin
Posts: 9177
Joined: Thu Oct 30, 2014 9:02 am

Re: alerting in NA

Post by tgriep »

The NNA server is relaying the emails to the insightcreditunion.com server and that system is blocking the NNA server.
Either get someone to allow the NNA server to forward emails or follow that PDF file to configure a known SMTP server that allows the NNA server to forward emails.
insightcu
Posts: 14
Joined: Tue Apr 03, 2018 5:21 pm

Re: alerting in NA

Post by insightcu »

I made the change and saved the config, and now Nagios stopped pulling data from my devices. This has happened before when I was testing; I thought it was something else I did. Nope. I had to redeploy a new appliance. No more sFlow. This is crazy.
tgriep
Madmin
Posts: 9177
Joined: Thu Oct 30, 2014 9:02 am

Re: alerting in NA

Post by tgriep »

The Flow data comes from the remote device, the NNA server does not poll the data at all.
All it does is listen for the data from the devices.

Do the sources start and run in the NNA GUI?

Do you see any errors in this log file when starting the sources?

/usr/local/nagiosna/var/backend.log