Health Notifications

Health notifications can alert you, subscribed users, or a third-party application when an agent, appliance, or API collector is not collecting data or is offline (unhealthy).

Collection assets that have been configured for less than 1 hour are excluded from health notifications.

Key concepts

Notifications: The Notifications feature in the Alert Logic console can alert you, subscribed users, or a third-party application when health statuses that meet the set criteria occur. Notifications to a third-party application require a templated connection.

Collection assets: Collection assets are the class of assets that collect information in your environment and transfer that data to Alert Logic for analysis.

Types of collection assets

Alert Logic agent

Alert Logic provides an agent that gathers the data Alert Logic must collect for analysis, such as log messages and network traffic, as well as metadata and host identification information. You must download the agent and deploy it to each host that you want to monitor or collect log messages from. Alert Logic provides agents for Windows and Linux hosts. For more information, see Requirements for the Alert Logic Agent.

Appliance

The Alert Logic Network IDS appliance is a physical or virtual appliance that gathers network data and enables network scanning. The Alert Logic Managed Web Application Firewall (WAF) appliance is a physical or virtual appliance that provides WAF services. The Alert Logic Log Manager appliance is a physical appliance for log management services. The Appliance asset type also includes remote collectors installed on hosts for syslog data collection. For more information, see Alert Logic Requirements for Virtual and Physical Appliances.

API Collector

Alert Logic offers integration with applications, including API-based integration with SaaS applications and passive log collection through syslog forwarding from most firewall platforms. Available applications include products for authentication, productivity, management, and more. Alert Logic acts as the remote collector that receives log data from these SaaS and firewall applications; which incident types that data supports depends on the product. For more information on configuring API collectors, see Application Registry.

Open the Create a Health Notification page

You can create a health notification from the Health page or the Notifications page. Whichever method you use, the process is the same after you open the Create a Health Notification page.

To create a health notification from the Health page:

  1. In the Alert Logic console, click the menu icon.
  2. Click Respond, and then click Health to access the Health page.
  3. Click NOTIFICATIONS, and then click Create a Notification.
  4. Complete the fields as described in Create a Health Notification.

To create a health notification from the Notifications page:

  1. In the Alert Logic console, click the menu icon.
  2. Click Manage, and then click Notifications to access the Notifications page.
  3. On the Alert Notifications tab, click the add icon, and then click Health.
  4. Complete the fields as described in Create a Health Notification.

Create a Health Notification

To create a health notification, you enter details about the notification, set the scope for the notification, and then configure delivery. For more information on collection asset statuses and the types of exposures and remediations associated with each, see Health notification to exposures and remediations map.

To enter details about the health notification:

  1. Type a descriptive name for the health notification.
  2. Choose whether you want the notification to be active. Turn it off if you want to save the definition but not receive notifications.
  3. Choose one type of collection asset. For more information about collection assets, see Types of collection assets.
  4. Click NEXT.

To set the scope of the health notification:

  1. Select one or more statuses for the collection asset. For more information on collection asset statuses and the types of exposures and remediations associated with each, see Health notification to exposures and remediations map.
  2. Select one or more assets from the table, or use the filter to narrow the list to the assets you want to select.

    You must select one or more asset scopes. If no asset scope is selected, you will not receive notifications.

  3. Under Settings, select On to enable notifications, and then click APPLY. Leave Off if you do not want notifications enabled for the asset selected.
  4. Click NEXT.

To configure delivery for the health notification:

  1. (Optional) Set preferences for delaying or suppressing notifications:
    • Delay—Use the delay preference to prevent notifications for health exposures that you anticipate, or that have a history of automatically resolving within a set amount of time. Health exposures that are resolved before the set delay do not result in a notification.
      If you set the delay to one hour for an agent offline status, you will not receive a notification unless the status persists for more than one hour.
    • Suppression—Use the suppression preference to prevent mass email notifications for health exposures that you anticipate occurring many times at once, or that have a history of doing so. After the first notification for this rule, Alert Logic suppresses further notifications for the set amount of time.
      If you set suppression to one hour for an agent offline status and 25 agents went offline simultaneously, you would receive only the first notification. You only receive future notifications if a new agent goes offline after the one-hour suppression. With no suppression set, you would receive all 25 notifications.
  2. To subscribe users to receive a notification email, click User(s), and then, under Notification Delivery, select the users that you want to receive the notification. You can use the search bar to help you find recipients.
  3. To subscribe a templated connection, click Templated Connection, and then, under Notification Delivery, select a configured templated connection. For more information about configuring and using templated connections, see Templated Connections Configuration Guide.
  4. (Optional) Customize the Email Subject.
  5. Click SAVE.
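The delay and suppression preferences described above behave like a small scheduling rule, and it is worth seeing what they do to a burst of outages before choosing values. The Python below is an added illustration of those documented semantics, not Alert Logic's code; the asset names, timestamps and the "offline"/"online" labels are constructed sample data. It reproduces the 25-agent scenario from the text and adds an agent that comes back within the delay and one that goes offline during the suppression window.

```python
"""Model of the documented delay and suppression semantics for health notifications.
Added example, not Alert Logic code. All events below are constructed sample data."""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class HealthEvent:
    at: datetime
    asset: str
    status: str  # "offline" or "online" (constructed labels, not console values)


@dataclass(frozen=True)
class NotificationRule:
    delay: timedelta = timedelta(0)        # how long a status must persist before notifying
    suppression: timedelta = timedelta(0)  # quiet period after a notification is sent


def outages(events):
    """Pair each asset's offline transition with the online transition that ends it.
    Returns (asset, began, ended) tuples; ended is None for outages still open."""
    began = {}
    closed = []
    for ev in sorted(events, key=lambda e: e.at):
        if ev.status == "offline":
            began.setdefault(ev.asset, ev.at)
        elif ev.status == "online" and ev.asset in began:
            closed.append((ev.asset, began.pop(ev.asset), ev.at))
    still_open = [(asset, start, None) for asset, start in began.items()]
    return closed + still_open


def evaluate(rule, events):
    """Return (sent, suppressed): lists of (time, asset) notification candidates.
    Delay: an outage notifies only if it is still open when began + delay passes.
    Suppression: after a notification is sent, later candidates for this rule are
    dropped until the suppression period has elapsed; they are not re-sent afterwards."""
    candidates = []
    for asset, start, end in outages(events):
        fires_at = start + rule.delay
        if end is not None and end <= fires_at:
            continue  # resolved before the delay elapsed: nothing is sent
        candidates.append((fires_at, asset))
    candidates.sort()

    sent, suppressed = [], []
    window_end = None
    for when, asset in candidates:
        if window_end is not None and when < window_end:
            suppressed.append((when, asset))
            continue
        sent.append((when, asset))
        if rule.suppression > timedelta(0):
            window_end = when + rule.suppression
    return sent, suppressed


T0 = datetime(2024, 1, 1, 0, 0)  # constructed reference time


def sample_events():
    """Constructed scenario: 25 agents drop at once, one flaps back within 30 minutes,
    one drops 30 minutes in, and one drops three hours later."""
    events = [HealthEvent(T0, f"agent-{i:02d}", "offline") for i in range(1, 26)]
    events += [
        HealthEvent(T0 + timedelta(minutes=10), "agent-flap", "offline"),
        HealthEvent(T0 + timedelta(minutes=40), "agent-flap", "online"),
        HealthEvent(T0 + timedelta(minutes=30), "agent-27", "offline"),
        HealthEvent(T0 + timedelta(hours=3), "agent-26", "offline"),
    ]
    return events


def run_scenario(delay_hours, suppression_hours):
    """Evaluate the sample scenario under a rule expressed in whole hours."""
    rule = NotificationRule(delay=timedelta(hours=delay_hours),
                            suppression=timedelta(hours=suppression_hours))
    return evaluate(rule, sample_events())


if __name__ == "__main__":
    for label, delay_h, supp_h in [("no delay, no suppression", 0, 0),
                                   ("1h delay, no suppression", 1, 0),
                                   ("1h delay, 1h suppression", 1, 1)]:
        sent, suppressed = run_scenario(delay_h, supp_h)
        print(f"{label}: {len(sent)} sent, {len(suppressed)} suppressed")
        for when, asset in sent:
            print(f"  {when:%H:%M} {asset}")
```

With a one-hour delay and one-hour suppression, the 25 simultaneous outages produce a single notification at 01:00, the flapping agent produces none because it recovered before the delay elapsed, and the agent that failed at 00:30 is suppressed because its delayed candidate lands inside the window that the first notification opened; only the agent failing at 03:00 is notified again. Note the consequence the text states: outages that begin during the suppression window and are still open when it closes are not notified later, so the count of emails received is not a count of unhealthy assets, and the Health page remains the authoritative view.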

View and manage Health notifications

You can view and manage health notifications from the Notifications page. See Manage Notifications for information about how to:

  • Filter the list of notifications
  • View notification details
  • Edit notifications
  • Delete notifications

Receiving a Health notification

After you receive a notification, you can click INVESTIGATE to link directly to the specific remediation detail page associated with the health exposure. The remediation detail page is part of the Health console. For more information, see Open the remediation detail page.

Health notification to exposures and remediations map

The following list maps each collection asset type and status to the exposure names and remediation names that appear in the Health console.

Agent
  Offline
    Exposure: Alert Logic Agent is Offline
    Remediation: Enable the agent on this host
  Not Collecting
    Exposure: No logs have been received from the agent on this host for over 24 hours.
    Remediation: Verify Agent Configuration Does Not Prevent Log Traffic
    Exposure: No IDS traffic has been received from the agent on this host for over 24 hours.
    Remediation: Verify Agent Configuration Does Not Prevent IDS Traffic

Appliance
  Offline
    Exposure: The Alert Logic appliance is offline or unable to reach Alert Logic.
    Remediation: Re-enable this appliance
  Not Collecting
    Exposure: No traffic or logs have been received from the appliance for an extended period of time (default 24 hours).
    Remediations: Verify Appliance Configuration Does Not Prevent IDS Traffic; Verify Appliance Configuration Does Not Prevent Log Collection

Collector
  Offline
    Exposure: Collector reports an error communicating with the application API (offline).
    Remediation: Verify collector configuration and credentials
  Not Collecting
    Exposure: Collector hasn't collected any data for the last 24 hours.