Skip to content

Watcher Policies

Watcher Policies is a standard configuration interface for adding, editing, and removing the policies used by the Watcher Engine. These policies poll for certain events (or lack of events) within a time period and trigger a Meta Event. Examples of Watcher policies include sending an event when there have been no syslog messages from a device in 15 minutes and sending an event when a user has three failed login attempts within 15 minutes.

Refer to the Standard Configuration Interface guide for details on interacting with the grid and form.

This user interface calls REST methods from api/event/watcherPolicies.

The UI path for this interface is Configuration -> Events -> Processing -> Watcher Policies.

Form Fields

  • Name - The name of the watcher policy.

  • Description - The description of the watcher policy.

  • Poll Interval (seconds) - How often the policy is polled, in seconds.

  • State - The status of the watcher policy.

  • Threshold

    • Metric - The method the watcher policy will use with the Field to determine whether or not the event should be created.

      • Count will return the number of matching events.

      • Summation will return the sum of Field values of matching events.

      • Maximum will return the highest Field value of matching events.

      • Minimum will return the lowest Field value of matching events.

      • Average will return the arithmetic mean (Sum/Count) of the Field values of matching events.

    • Field - The Event field used by the watcher policy with the Metric to determine whether or not the event should be created.

    • Compare - The value comparison operator that will be used.

    • Value - The value that will be used in the comparison.

  • Action

    • Type - Type if action to take when threshold is crossed: Meta Event or Notification.

    • Meta Event - If Type is set to Meta Event, this is Meta Event that is created if the policy threshold is crossed.

    • Notification Profile - If Type is set to Notification, the notification profile used when sending notifications.

    • Notification Template - If Type is set to Notification, the notification template used when sending notifications.

    • Email Addresses - If Type is set to Notification, this is a comma-separated list of recipients of email addresses.

  • Criteria

    • Type - Type of search to match events to: Guided or Manual SQL.

    • Group By Set - Set to group the events. For example, setting this to Node would perform the threshold comparisons once for each set of events, where each set is for only a single Node. Any Event field can be used. If multiple fields are used, they should be comma delimited.

    • Advanced Manual Where - If Type is set to Manual SQL, the SQL statement that is used to limit the Events that the threshold comparisons will be performed on.

    • Fields - If Type is set to Guided, the event filters determine which events trigger an alert.

      Note

      Fields match against the raw values in the realtime Events database and do NOT respect Conversions or Display Formats. (e.g. "Severity = 5" to match critical events)

Meta

Default Watcher Policies

  • Login Failure x3

  • Missing Syslog Heartbeat