
SGBox Alerts

To keep the SGBox system healthy, you can set different alerts:

Requirements:

Connect to the SGBox web interface and go to SCM > Advanced Options.

  1. Disk Full: send an alert if the threshold is exceeded
  2. Load Average: send an alert if the load average is greater than the specified value
  3. Collector log file: send an alert if the collector queue has more items than the specified value
  4. Agent Inactive: send an alert if the agent does not contact SGBox for more than the specified number of minutes

Here are the details and the message received for each option:

Disk Full

Here is the email you can receive if the threshold is exceeded:

Your SGBox storage utilization is higher than the configured threshold (current: 94% / threshold: 85%)
This message will be sent every hour.
To free up storage you can change the retention of the online, event or  RAW logs to remove old logs.
You can of course resize your HDD using the CLI interface by logging in with the 'cli' user to reserve more space to your logs.
If you think that 85% is not a correct threshold you can modify this value in SCM > Advanced options > Disk full at X% to avoid this message.
Don't forget that if you raise too much the threshold the disk could quickly become full and you won't be able to collect logs anymore, potentially damaging SGBox.
Please refer to this link http://www.sgbox.it/knowledge-base/extend-full-disk/ for more information on resizing the SGBox HDD.
Refer to this link http://www.sgbox.it/knowledge-base/sgbox-data-retention/ for more information on data retention.

Warning: filling up your HDD could lead to unexpected SGBox behavior or damage your SGBox installation. Avoid this situation.
Warning: assigning a too short retention to your RAW logs could lead you to violate your country regulations, if you are using SGBox to manage your logs in compliance with them. Change the retention period of the RAW logs with care. Please perform a backup of your data before changing the retention period. You can use one of the SGBox backup applications to perform backups (SCM > Applications > Backup)
Note on HDD resize: depending on your virtualization platform, SGBox may need a restart to detect the new HDD size.

Load Average

Here is the email you can receive if the threshold is exceeded:

Your SGBox CPU and I/O utilization (load average) is higher than the configured threshold (current: 3.46 / threshold: 3)
This message will be sent every hour.
This could be a normal behaviour caused by an high log collection rate.
If you see this message more than 3 consecutive times or randomly during the day, please consider to increase the hardware resources of your SGBox instance.
If you think that 3.46 is a correct load average, you can modify the threshold value in SCM > Advanced options > Load Average > X to avoid this message

Not Received Logs

Here is the email you can receive if the threshold is exceeded:
[Image: SGBox Alerts]

This email will be sent every 5 minutes for all the hosts. If you want to set a custom value for a specific host, or stop the alert after a while, go to SCM > Network > Hosts, select the host involved and click on “Alert Log”.
Specify the “Minimum time”, which can differ from the default, and the “Maximum time”. After the Maximum time, no alert will be sent for the specified host.

Collector Logs

Here is the email you can receive if the threshold is exceeded:

Collector main queue contains 900 items
This message was sent because the SGBox main queue is collecting data that is ordered too slowly.
This could be a temporary problem, but if this message occurs frequently,
we recommend to check if your hardware is adequate for the amount of logs you are sending to SGBox.

You can also check it by using SGTop.

You can set a higher value or check the troubleshooting section in order to solve the problem.

Engine Logs

Here is the email you can receive if the load average threshold is exceeded:

This message was automatically generated by SGBox because a log messages queue has become busy.
LOG_input_default queue contains 20 items
This problem does not require immediate action. Just check if log flow looks normal by connecting to the SGBox web interface and navigate to LM->Analysis->Class/pattern analysis and verify if your events look consistent.
If you receive this message too often, please check if your hardware is adequate for the amount of logs you are sending to SGBox.


Agents Inactive

In order to receive the notification, the agent must be selected in SCM > Network > Host, in the “Agent Status” tab.
Here is the email you can receive if the threshold is exceeded:

The following agents have been inactive for at least 12 minutes
Last connection      Delta    Last sent log        Delta    Host      Hostname  Network  Network description
-------------------  -------  -------------------  -------  --------  --------  -------  -------------------
2020-10-27 13:30:39  898730m  2020-10-27 13:30:33  898730m  WIN7      WIN7      Host LM  Host rilevati da LM
2021-06-10 15:45:48  573155m  2021-06-10 15:45:56  573155m  LAB2-WIN  LAB2-WIN  Host LM  Host rilevati da LM
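
The "Agents Inactive" report can be triaged automatically, because an agent that has been silent for months is a different problem from one that stopped reporting a few minutes ago. The following Python is an added example, not SGBox code: it parses the e-mail body and separates recently silent agents (a possible gap in log collection) from long-stale ones. The function names, the 30-day cut-off and the SRV-DC01 row are assumptions made for illustration.

```python
import re

# Sample body in the layout of the "Agents Inactive" e-mail; the first two rows
# are the ones shown on this page, the third (SRV-DC01) is constructed.
SAMPLE = """\
The following agents have been inactive for at least 12 minutes
Last connection Delta Last sent log Delta Host Hostname Network Network description
-----------------------------------------------------------------------------------
2020-10-27 13:30:39 898730m 2020-10-27 13:30:33 898730m WIN7 WIN7 Host LM Host rilevati da LM
2021-06-10 15:45:48 573155m 2021-06-10 15:45:56 573155m LAB2-WIN LAB2-WIN Host LM Host rilevati da LM
2022-07-13 16:06:12 14m 2022-07-13 16:05:58 14m SRV-DC01 SRV-DC01 Host LM Host rilevati da LM
"""

TS = r"\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}"
# Network name and description both contain spaces, so they stay in one field.
ROW = re.compile(
    rf"^(?P<last_conn>{TS})\s+(?P<conn_delta>\d+)m\s+"
    rf"(?P<last_log>{TS})\s+(?P<log_delta>\d+)m\s+"
    r"(?P<host>\S+)\s+(?P<hostname>\S+)\s+(?P<network>.+?)\s*$"
)
THRESHOLD = re.compile(r"inactive for at least (\d+) minutes")


def parse_inactive_agents(body):
    """Return (threshold_minutes, rows) parsed from the e-mail body."""
    m = THRESHOLD.search(body)
    threshold = int(m.group(1)) if m else None
    rows = []
    for line in body.splitlines():
        r = ROW.match(line.strip())
        if not r:
            continue  # header, separator or free text
        row = r.groupdict()
        row.update(conn_delta=int(row["conn_delta"]), log_delta=int(row["log_delta"]))
        rows.append(row)
    return threshold, rows


def triage(rows, stale_after_days=30):
    """Split hosts into recently silent and long-stale by connection delta."""
    cutoff = stale_after_days * 24 * 60  # assumed cut-off, not an SGBox setting
    recent = [r["host"] for r in rows if r["conn_delta"] < cutoff]
    stale = [r["host"] for r in rows if r["conn_delta"] >= cutoff]
    return {"recent": recent, "stale": stale}


if __name__ == "__main__":
    limit, agents = parse_inactive_agents(SAMPLE)
    print(limit, triage(agents))
```

Hosts in the "stale" group are candidates for review in SCM > Network > Host, while hosts in the "recent" group are the ones to check first for an interrupted log flow.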