Absent Member.

Data Monitor (or other) to monitor possible device down

I am trying to create a Data Monitor that will look for devices (end devices, not agents) that do not report any data within a specific amount of time. Data monitors are good at collecting data but not good at letting you know when data isn't there. Anybody know of a way to do this? Or something besides a Data Monitor that could provide this functionality? Thanks.
Absent Member.

RE: Data Monitor (or other) to monitor possible device down

I've created a Data Monitor that watches for external traffic coming into our DMZ (via firewalls). If it doesn't see any data in the past 5 mins it will display red and indicate "device down". I just made a filter that looks for any Attack Address that falls outside our internal subnet. For example, if you owned 56.x.x.x, you would create the filter to look for data between 0.0.0.0,55.255.255.255 AND between 57.0.0.0,255.255.255.255.

Then, I copied the "Device - Heads Up" Data monitor and modified it to include my filter and a few other changes. It now lets me know when there is no traffic coming into my network for a period of time - which in my network would raise a few eyebrows since we should always be seeing outside traffic traversing inward - and if we didn't then there is most likely a connection problem.

Of course, if this all fails, you can always "ping -t x.x.x.x" :)

Good Luck
X
Absent Member.

RE: Data Monitor (or other) to monitor possible device down

Have you used the Moving Average data monitor? It will allow you to create events on throughput deviations of x%, and create a rule that alerts you to the condition. For example, if your firewall averages ~100 eps, and it drops to ~50 eps, you can be alerted.

Bob
Absent Member.

RE: Data Monitor (or other) to monitor possible device down

I personally find the moving average monitors to report too many false positives (or false negatives in this case). Our system has core working hours of 8 to 5, and can vary widely during the day.

X
Absent Member.

RE: Data Monitor (or other) to monitor possible device down

I have a dashboard with a moving average data monitor for each of my agents. I can easily look at that and see a drop in event flow. I also see increases that may indicate something else may be going on. It doesn't work very well for the IDS Database agents, to determine if a sensor is down, but for the firewall syslog agents it is a good indication.
Absent Member.

RE: Data Monitor (or other) to monitor possible device down

I don't like the moving average concept either. I have found many cases where the data monitor showed something was down when it wasn't. Sometimes the agent was caching events. Sometimes the database was having issues but the agent was still getting events. That is a whole other issue, but nevertheless I don't like the moving average. Too many false positives. I heard that 3.1 is going to have a better mechanism for watching agents/devices go up and down. Anyone know what the next version is going to have?
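The two approaches debated in this thread, side by side, as an added example that is not part of the original posts and is not ArcSight configuration: a last-seen check that flags an expected device after 5 minutes without events (including one that never reported), and a percentage-drop check against a moving average. The function names, device names and per-minute counts are constructed for illustration.

```python
from collections import deque

def silent_devices(events, expected, now, timeout=300):
    """Devices in `expected` with no event in the last `timeout` seconds.

    events: iterable of (epoch_seconds, device). A device that never reported
    is flagged too, which counting received events alone cannot do.
    """
    last_seen = {}
    for ts, device in events:
        if ts <= now:  # ignore anything stamped after the evaluation time
            last_seen[device] = max(ts, last_seen.get(device, ts))
    return sorted(d for d in expected
                  if d not in last_seen or now - last_seen[d] > timeout)

def moving_average_alerts(counts, window=5, drop_pct=50):
    """Indexes of intervals whose count fell more than drop_pct percent below
    the average of the previous `window` intervals."""
    recent, alerts = deque(maxlen=window), []
    for i, count in enumerate(counts):
        if len(recent) == window:
            avg = sum(recent) / window
            if avg > 0 and count < avg * (1 - drop_pct / 100):
                alerts.append(i)
        recent.append(count)
    return alerts

def events_from_counts(counts, device, start=0):
    """One (timestamp, device) event per minute that carried any traffic,
    which is all the last-seen check needs."""
    return [(start + 60 * i, device) for i, c in enumerate(counts) if c > 0]

# Constructed sample: per-minute event counts for one firewall.
# Minutes 0-5 working hours, 6-11 after hours (quiet but alive), 12-17 down.
FW_COUNTS = [100, 104, 98, 101, 99, 102, 12, 10, 11, 9, 10, 11,
             0, 0, 0, 0, 0, 0]

if __name__ == "__main__":
    events = events_from_counts(FW_COUNTS, "fw-dmz")
    expected = {"fw-dmz", "fw-lab"}  # fw-lab is expected but never reports
    for minute in (8, 14, 17):
        print(minute, silent_devices(events, expected, now=60 * minute))
    print("moving-average alerts:", moving_average_alerts(FW_COUNTS))
```

On these constructed counts the moving-average check fires through the quiet after-hours minutes and goes silent again once its window has filled with zeros, while the last-seen check flags fw-dmz only after five minutes with no events at all.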