Markl

How to create Logger Alert for Default Storage Group


Hi all,

I want to create an alert to detect when the Default Storage Group usage is >90%. I know that in Configuration/Filter there are several templates.

I have seen this one:

SystemAlert - Storage Group Usage Above 95% (CEF format) --> .*?storagegroup:100\|Storage Group space used\|.*?cn1=(9[6-9]|100).* :AND: storageGroup(Internal Event Storage Group)

This filter is for Internal Event Storage Group. I've searched in the Logger but there isn't any event about Default Storage Group Usage.

I don´t know if " .*?storagegroup:100\|Storage Group space used\|.*?cn1=(9[6-9]|100).* :AND: storageGroup(Default Storage Group)" is right or not

Could anyone help me with this alert?

Thanks in advance

Kind Regards,

Marcos

Be Water My Friend
Accepted Solutions
MaryCordova
Re: How to create Logger Alert for Default Storage Group


Hi Marcos,

I have this setup on my primary logger to alert if it, or any of the secondary loggers, reach 80% full.  Here is the query:

_storageGroup IN ["Internal Event Storage Group"] AND deviceEventClassId = "storagegroup:100" AND deviceCustomNumber1 >= 80 | dedup deviceAddress

Save this as a Saved Search, peered (or local), and have it run for Custom time range Dynamic $Now - 1h. 

Then schedule a task to execute this search. The important things here are the Match Count and Threshold. For me this runs every morning at 8AM and will email my ticketing system, automatically opening a ticket if any of my loggers have a storage group at 80% or higher. This covers all my loggers and all the storage groups on those loggers.

[screenshot: schduledsearch.PNG, the scheduled search configuration]

Hope this helps; please mark this answer as correct or helpful if so.

-Mary

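As an added example (not code from this thread or from ArcSight Logger), a small Python parser that runs both the question's regex filter and the numeric check from Mary's search over a few constructed CEF lines. The `cs1` key carrying the storage group name, the `storagegroup:999` id and all sample values are assumptions made for illustration; it shows that the regex `(9[6-9]|100)` fires only for 96-100, while the numeric `deviceCustomNumber1 >= threshold` form takes any cut-off and can be filtered to one group.

```python
import re

# Constructed sample events (not real Logger output). The header and the
# "storagegroup:100|Storage Group space used" signature follow the filter quoted
# in the thread; cn1 = deviceCustomNumber1 (percent used), dvc = deviceAddress.
SAMPLE_EVENTS = [
    "CEF:0|ArcSight|Logger|6.7|storagegroup:100|Storage Group space used|3|"
    "dvc=10.0.0.11 cs1=Internal Event Storage Group cn1=97",
    "CEF:0|ArcSight|Logger|6.7|storagegroup:100|Storage Group space used|3|"
    "dvc=10.0.0.11 cs1=Default Storage Group cn1=82",
    "CEF:0|ArcSight|Logger|6.7|storagegroup:100|Storage Group space used|3|"
    "dvc=10.0.0.12 cs1=Default Storage Group cn1=95",
    "CEF:0|ArcSight|Logger|6.7|storagegroup:999|Some other event|1|"
    "dvc=10.0.0.12 cs1=Default Storage Group cn1=40",  # constructed, non-storage id
]

# The question's regex filter as written: matches only cn1 values 96-100.
THREAD_REGEX = re.compile(
    r".*?storagegroup:100\|Storage Group space used\|.*?cn1=(9[6-9]|100).*")

HEADER_FIELDS = ("cef_version", "vendor", "product", "version",
                 "deviceEventClassId", "name", "severity")


def parse_cef(line):
    """Split a CEF line into its seven header fields plus an extension dict."""
    parts = re.split(r"(?<!\\)\|", line, maxsplit=7)   # split on unescaped '|'
    if len(parts) != 8 or not parts[0].startswith("CEF:"):
        raise ValueError("not a CEF line: %r" % line)
    event = dict(zip(HEADER_FIELDS, parts[:7]))
    ext = parts[7]
    # Extension values may contain spaces, so locate the keys and slice between them.
    keys = list(re.finditer(r"(?:^|\s)(\w+)=", ext))
    for i, m in enumerate(keys):
        end = keys[i + 1].start() if i + 1 < len(keys) else len(ext)
        event[m.group(1)] = ext[m.end():end].strip()
    return event


def storage_group_alerts(lines, threshold=90, group=None):
    """Numeric check like the accepted answer: storagegroup:100 events with
    cn1 >= threshold, one alert per device (as 'dedup deviceAddress' does),
    optionally restricted to a single storage group name."""
    alerts = {}
    for line in lines:
        ev = parse_cef(line)
        if ev["deviceEventClassId"] != "storagegroup:100":
            continue
        if group is not None and ev.get("cs1") != group:
            continue
        if int(ev["cn1"]) >= threshold and ev["dvc"] not in alerts:
            alerts[ev["dvc"]] = (ev.get("cs1"), int(ev["cn1"]))
    return alerts


def regex_alerts(lines):
    """Apply the thread's regex filter unchanged, for comparison."""
    return [line for line in lines if THREAD_REGEX.match(line)]
```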
Markl
Re: How to create Logger Alert for Default Storage Group


Hi Mary Cordova,

Sorry for the delay in answering you. Thanks for your answer.

Your option is right. In the last few days I found another helpful option. I configured a search with a regex: /CEF:0|ArcSight|Logger|.*

This regex gets the Logger events; I send those events to a connector and I've configured an alert in ArcSight Express to detect deviceCustomNumber1 > value.

Kind Regards,

Marcos

Be Water My Friend