Thresholds


You can limit the number of events that are passed on to an action using filter thresholds, which work well in most scenarios and offer many advanced configuration settings (e.g. event log logging).

In some cases it might be more desirable to apply a limit to an action instead. This is useful when you have a large number of filters sending events to an action (and it would be time-consuming to set up thresholds on all of them), or if you have an action (e.g. a pager) where you need to ensure that only a limited number of events are forwarded to the action.

By setting limits on actions, you can ensure that the action is triggered at most the configured number of times in the configured time period, regardless of how many events are passed to the action by one or more filters. Click the Options button to set an action threshold.

Action thresholds can be evaluated either on the agent or on the collector (if a collector is enabled). When set to "Enabled (collector)", the threshold is global and applies to all emails sent by the collector. As such, a limit of "10 per 1 hour" would result in no more than 10 emails being sent in an hour. If the same threshold is configured for "Enabled (agent)", the threshold is evaluated on the agent, which means that no more than 10 emails will be sent by each agent. With multiple agents, this could result in more than 10 emails being sent in total.

It is important to understand that an action limit does not apply to the number of events, but to the number of times the action is triggered. For example, if you set a limit on an Email action, the limit applies to the number of emails, not the number of events inside the emails. As such, the action limit feature works differently depending on the type of action that is being triggered. The table below shows how the action limit works for the different action types:

| Action Type | Per Event | Per Trigger (Detail) |
|---|---|---|
| Email (SMTP) | - | Yes (per email) |
| Pager (SNPP) | - | Yes (per connection to SNPP server) |
| Database | - | Yes (per connection to database server) |
| Syslog | - | Yes (per connection to Syslog server) |
| File | Yes | - |
| Parallel | Yes | - |
| Network Message | Yes | - |
| Process | Yes | - |
| Sound | Yes | - |
| Desktop | Yes | - |
| Jabber | Yes | - |
| SNMP | Yes | - |
| Service | Yes | - |
| Shutdown | Yes | - |

Action Thresholds with collector

Note the following when using collector-side action thresholds:

 

Collector-side action thresholds are currently only supported for the SMTP action.

If an email is the last email before the threshold is exceeded, the email subject will begin with [THRESHOLD REACHED] to indicate that some emails may be suppressed.
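
The difference between the agent and collector scopes, as an added example that is not EventSentry code: a small Python model of a "10 per 1 hour" action threshold with three agents that each trigger 15 emails. The class and function names, the host names and the sliding-window timing are assumptions made for the illustration.

```python
from collections import defaultdict, deque

MARKER = "[THRESHOLD REACHED] "  # subject prefix described on the page

class ActionThreshold:
    """Added model: at most `limit` triggers per `period` seconds.

    scope "collector": one counter shared by all agents (global limit).
    scope "agent": one counter per agent.
    Assumption: a sliding time window; the page does not specify this.
    """
    def __init__(self, limit, period, scope):
        self.limit, self.period, self.scope = limit, period, scope
        self.sent = defaultdict(deque)  # counter key -> send timestamps

    def trigger(self, agent, now, subject):
        """Return the subject that is sent, or None if suppressed."""
        key = agent if self.scope == "agent" else "collector"
        window = self.sent[key]
        while window and now - window[0] >= self.period:
            window.popleft()  # forget sends older than the period
        if len(window) >= self.limit:
            return None  # limit used up: this email is dropped
        window.append(now)
        # The page documents the marker for collector-side thresholds only.
        if self.scope == "collector" and len(window) == self.limit:
            return MARKER + subject
        return subject

def simulate(scope, agents=("srv1", "srv2", "srv3"), per_agent=15,
             limit=10, period=3600):
    """Constructed workload: each agent triggers `per_agent` emails."""
    threshold = ActionThreshold(limit, period, scope)
    delivered, now = [], 0
    for i in range(per_agent):
        for agent in agents:
            subject = threshold.trigger(agent, now, f"{agent}: alert {i}")
            if subject is not None:
                delivered.append(subject)
            now += 10  # one trigger every 10 seconds
    return delivered

if __name__ == "__main__":
    for scope in ("collector", "agent"):
        mails = simulate(scope)
        print(scope, len(mails), "delivered,", 45 - len(mails), "suppressed")
```

In this constructed workload the collector scope delivers 10 of the 45 emails and the agent scope delivers 30.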

 

Frequency

By default, the email, pager and database actions forward events to the configured server every 5 seconds. This interval can be increased in order to aggregate events. For example, instead of getting 3 emails within a minute, each including a single event, you can get 1 email every minute that contains all three events. This feature is mostly useful for the email and database actions.