[ { "rule": "macros.device_down = \"1\"", "name": "Devices up/down" }, { "rule": "macros.device_down = \"1\" && devices.status_reason = \"icmp\"", "name": "Device Down! Due to no ICMP response.", "default": true }, { "rule": "macros.device_down = \"1\" && devices.status_reason = \"snmp\"", "name": "SNMP not responding on Device - Check on SNMP Service - Device marked Down!", "default": true }, { "rule": "devices.uptime < \"300\" && macros.device = \"1\"", "name": "Device rebooted", "extra": "{\"count\": 1}", "default": true }, { "rule": "bgpPeers.bgpPeerState != \"established\" && macros.device_up = \"1\" && bgpPeers.bgpPeerAdminStatus != \"stop\"", "name": "BGP Session down", "extra": "{\"count\": 1}" }, { "builder": {"condition":"AND","rules":[{"id":"isis_adjacencies.isisISAdjState","field":"isis_adjacencies.isisISAdjState","type":"string","input":"text","operator":"equal","value":"down"},{"condition":"AND","rules":[{"id":"component.type","field":"component.type","type":"string","input":"text","operator":"equal","value":"ISIS"},{"condition":"AND","rules":[{"id":"component.ignore","field":"component.ignore","type":"string","input":"text","operator":"equal","value":"0"},{"id":"component.disabled","field":"component.disabled","type":"string","input":"text","operator":"equal","value":"0"}]}]},{"id":"macros.device_up","field":"macros.device_up","type":"integer","input":"radio","operator":"equal","value":"1"}],"valid":true}, "name": "ISIS Adjacency down" }, { "rule": "bgpPeers.bgpPeerFsmEstablishedTime < \"300\" && bgpPeers.bgpPeerState = \"established\" && macros.device_up = \"1\"", "name": "BGP Session established", "extra": "{\"count\": 1}" }, { "rule": "macros.port_down = \"1\"", "name": "Port status up/down", "extra": "{\"count\": 1}", "default": true }, { "rule": "devices.last_ping_timetaken > \"10\"", "name": "Ping Latency", "default": true }, { "rule": "macros.port_usage_perc >= \"80\" && macros.port_up = \"1\"", "name": "Port utilisation over threshold", "default": true }, { "rule": "sensors.sensor_current > `sensors.sensor_limit` && sensors.sensor_alert = \"1\" && macros.device_up = \"1\"", "name": "Sensor over limit - Check Device Health Settings", "default": true }, { "rule": "sensors.sensor_current < `sensors.sensor_limit_low` && sensors.sensor_alert = \"1\" && macros.device_up = \"1\"", "name": "Sensor under limit - Check Device Health Settings", "default": true }, { "rule": "services.service_status != \"0\" && macros.device_up = \"1\"", "name": "Service up/down", "default": true }, { "rule": "wireless_sensors.sensor_current >= `wireless_sensors.sensor_limit` && wireless_sensors.sensor_alert = \"1\" && macros.device_up = \"1\"", "name": "Wireless Sensor over limit", "default": true }, { "rule": "wireless_sensors.sensor_current <= `wireless_sensors.sensor_limit_low` && wireless_sensors.sensor_alert = \"1\" && macros.device_up = \"1\"", "name": "Wireless Sensor under limit", "default": true }, { "rule": "wireless_sensors.sensor_type == \"arubaos\" && wireless_sensors.sensor_class == \"ap-count\" && wireless_sensors.sensor_alert = \"1\" && macros.device_up = \"1\" && wireless_sensors.sensor_current <= `wireless_sensors.sensor_limit_low_warn` && wireless_sensors.sensor_current > `wireless_sensors.sensor_limit_low`", "name": "Aruba Wireless AP Count Low Warning", "severity": "warning" }, { "rule": "wireless_sensors.sensor_type == \"arubaos\" && wireless_sensors.sensor_class == \"ap-count\" && wireless_sensors.sensor_alert = \"1\" && macros.device_up = \"1\" && wireless_sensors.sensor_current <= `wireless_sensors.sensor_limit_low`", "name": "Aruba Wireless AP Count Low Critical", "severity": "critical" }, { "rule": "macros.state_sensor_critical && sensors.sensor_alert = 1", "name": "State Sensor Critical", "default": true }, { "rule": "macros.state_sensor_warning && sensors.sensor_alert = 1", "name": "State Sensor Warning" }, { "rule": "macros.bill_quota_over_quota >= \"75\"", "name": "Quota bills over 75% used" }, { "rule": "macros.bill_cdr_over_quota >= \"75\"", "name": "CDR bills over 75% used" }, { "rule": "ipsec_tunnels.tunnel_status != \"active\" && macros.device_up = \"1\"", "name": "IPSec tunnels down" }, { "rule": "devices.last_polled_timetaken >= 290", "name": "Device took too long to poll" }, { "rule": "macros.device_up = \"1\" && devices.os = \"asa\" && ciscoASA.data > \"5000\"", "name": "Cisco ASA connections over 5000" }, { "rule": "processors.processor_usage > \"85\" && macros.device_up = \"1\"", "name": "Processor usage over 85%" }, { "rule": "sensors.sensor_descr = \"Primary Unit.*\" && sensors.sensor_current = \"10\" && sensors.sensor_prev = \"9\"", "name": "Cisco ASA Primary unit changed to standby" }, { "rule": "ports.ifOperStatus = \"down\" && ports.ifOperStatus_prev = \"up\" && macros.device_up = \"1\"", "name": "Port status change from up to down" }, { "rule": "ports.ifOutErrors_rate >= \"100\" || ports.ifInErrors_rate >= \"100\"", "name": "Interface Errors Rate greater than 100" }, { "rule": "devices.inserted >= `macros.past_60m`", "name": "Device added within the last 60 minutes" }, { "rule": "eventlog.type = \"discovery\" && eventlog.message ~ \"@autodiscovered@\" && eventlog.datetime >= `macros.past_60m`", "name": "Device discovered within the last 60 minutes" }, { "rule": "wireless_sensors.sensor_class = \"clients\" && wireless_sensors.sensor_current >= `wireless_sensors.sensor_limit` && wireless_sensors.sensor_alert = \"1\" && macros.device_up = \"1\"", "name": "Too many wireless clients" }, { "rule": "syslog.timestamp >= `macros.past_5m` && syslog.msg ~ \"@authentication failure@\"", "name": "Syslog, Authentication failure on Device" }, { "rule": "services.service_status = \"1\"", "name": "Service warning" }, { "rule": "services.service_status = \"2\"", "name": "Service critical" }, { "rule": "syslog.timestamp >= `macros.past_5m` && syslog.priority ~ \"alert\"", "name": "Syslog, received Alert Priority Message" }, { "rule": "syslog.timestamp >= `macros.past_5m` && syslog.priority ~ \"emergency\"", "name": "Syslog, received Emergency Priority Message" }, { "rule": "syslog.timestamp >= `macros.past_5m` && syslog.msg ~ \"@arp table is full@\"", "name": "Syslog, ARP table is full check on device " }, { "rule": "sensors.sensor_type = \"upsAdvBatteryReplaceIndicator\" && sensors.sensor_current = \"2\"", "name": "APC UPS Battery Needs Replacement" }, { "builder": {"condition":"AND","rules":[{"id":"sensors.sensor_type","field":"sensors.sensor_type","type":"string","input":"text","operator":"equal","value":"upsAdvTestDiagnosticsResults"},{"condition":"OR","rules":[{"id":"sensors.sensor_current","field":"sensors.sensor_current","type":"string","input":"text","operator":"equal","value":"2"},{"id":"sensors.sensor_current","field":"sensors.sensor_current","type":"string","input":"text","operator":"equal","value":"3"}]}],"valid":true}, "name": "APC UPS Diagonstics Test Result" }, { "builder": {"condition":"AND","rules":[{"condition":"AND","rules":[{"id":"sensors.sensor_current","field":"sensors.sensor_current","type":"string","input":"text","operator":"equal","value":"3"},{"id":"sensors.sensor_type","field":"sensors.sensor_type","type":"string","input":"text","operator":"equal","value":"upsBasicOutputStatus"}]},{"condition":"AND","rules":[{"id":"sensors.sensor_current","field":"sensors.sensor_current","type":"string","input":"text","operator":"not_equal","value":"4"},{"id":"sensors.sensor_type","field":"sensors.sensor_type","type":"string","input":"text","operator":"equal","value":"upsAdvTestDiagnosticsResults"}]}],"valid":true}, "name": "APC UPS Switched to Battery Power" }, { "rule": "sensors.sensor_current = \"10\" && sensors.sensor_type = \"upsBasicOutputStatus\"", "name": "APC UPS in Hardware Failure Bypass Mode" }, { "rule": "sensors.sensor_current = \"16\" && sensors.sensor_type = \"upsBasicOutputStatus\"", "name": "APC UPS in Emergency Static Bypass Mode" }, { "rule": "sensors.sensor_current = \"12\" && sensors.sensor_type = \"upsBasicOutputStatus\"", "name": "APC UPS in Smart Trim Mode" }, { "rule": "sensors.sensor_oid ~ \".1.3.6.1.4.1.11.2.14.11.1.2.6.1.4.[2-5]\" && sensors.sensor_current = \"2\"", "name": "HP Procurve Bad Power Supply" }, { "rule": "sensors.sensor_oid = \".1.3.6.1.4.1.11.2.14.11.1.2.6.1.4.1\" && sensors.sensor_current = \"2\"", "name": "HP Procurve Fan Fault" }, { "rule": "sensors.sensor_current > `sensors.sensor_limit` && sensors.sensor_alert = \"1\" && macros.device_up = \"1\" && macros.sensor_port_link = \"1\"", "name": "Sensor over limit with linked port" }, { "rule": "sensors.sensor_current < `sensors.sensor_limit_low` && sensors.sensor_alert = \"1\" && macros.device_up = \"1\" && macros.sensor_port_link = \"1\"", "name": "Sensor under limit with linked port" }, { "rule": "sensors.sensor_current = \"4\" && sensors.sensor_type = \"upsOutputSourceState\"", "name": "UPS is running on the bypass" }, { "rule": "sensors.sensor_current = \"5\" && sensors.sensor_type = \"upsOutputSourceState\"", "name": "UPS is running on the battery" }, { "rule": "sensors.sensor_current = \"3\" && sensors.sensor_type = \"upsBatteryStatusState\"", "name": "UPS has a low battery" }, { "rule": "sensors.sensor_current = \"4\" && sensors.sensor_type = \"upsBatteryStatusState\"", "name": "UPS has a depleted battery" }, { "rule": "sensors.sensor_descr ~ \"Percentage load\" && sensors.sensor_current >= \"90\" && sensors.sensor_type = \"rfc1628\"", "name": "UPS has a heavy load" }, { "rule": "sensors.sensor_current ~ \"[3-4]\" && sensors.sensor_oid = \".1.3.6.1.4.1.232.3.2.5.1.1.37.\"", "name": "HPE iLo Server drive degraded/failure" }, { "rule": "sensors.sensor_current ~ \"[3-4]\" && sensors.sensor_oid = \".1.3.6.1.4.1.232.6.2.9.3.1.4.\"", "name": "HPE iLo Server Power Supply degraded/failure" }, { "rule": "sensors.sensor_current ~ \"[3-4]\" && sensors.sensor_oid = \".1.3.6.1.4.1.232.6.2.6.7.1.9.\"", "name": "HPE iLo Server Fan degraded/failure" }, { "rule": "sensors.sensor_current ~ \"[3-4]\" && sensors.sensor_oid = \".1.3.6.1.4.1.232.1.2.2.1.1.6.\"", "name": "HPE iLo Server CPU degraded/failure" }, { "rule": "sensors.sensor_current ~ \"[3-4]\" && sensors.sensor_oid = \".1.3.6.1.4.1.232.6.2.14.13.1.20.\"", "name": "HPE iLo Server Memory degraded/failure" }, { "rule": "applications.app_type = \"os-updates\" && applications.app_status >= \"10\"", "name": "Applications OS-Updates, New Updates Available" }, { "rule": "devices.os = \"hpblmos\" && sensors.sensor_type = \"hpblmos_psustate\" && sensors.sensor_current = \"[3-4]\"", "name": "HPE BladeSystem has a bad power supply" }, { "rule": "devices.os = \"hpblmos\" && sensors.sensor_type = \"hpblmos_fanstate\" && sensors.sensor_current = \"[3-4]\"", "name": "HPE BladeSystem has a bad fan" }, { "rule": "devices.os = \"axiscam\" && sensors.sensor_type = \"tempSensorStatusState\" && sensors.sensor_current = \"2\"", "name": "AXIS camera has a failed temperature sensor" }, { "rule": "devices.os = \"rittal-lcp\" && sensors.sensor_type = \"cmcIIIUnitStatus\" && sensors.sensor_current = \"2\"", "name": "RITTAL LCP has a failed status" }, { "rule": "devices.os = \"rittal-lcp\" && sensors.sensor_type = \"cmcIIIUnitStatus\" && sensors.sensor_current = \"3\"", "name": "RITTAL LCP has an overloaded status" }, { "rule": "devices.os = \"dsm\" && sensors.sensor_type = \"systemStatusState\" && sensors.sensor_current = \"2\"", "name": "Synology NAS has a failed status" }, { "rule": "devices.os = \"dsm\" && sensors.sensor_type = \"powerStatusState\" && sensors.sensor_current = \"2\"", "name": "Synology NAS has a failed power status" }, { "rule": "devices.os = \"dsm\" && sensors.sensor_type = \"systemFanStatusState\" && sensors.sensor_current = \"2\"", "name": "Synology NAS has a failed fan status" }, { "rule": "devices.os = \"dsm\" && sensors.sensor_type = \"cpuFanStatusState\" && sensors.sensor_current = \"2\"", "name": "Synology NAS has a failed CPU fan status" }, { "rule": "devices.os = \"dsm\" && sensors.sensor_type = \"upgradeAvailableState\" && sensors.sensor_current = \"1\"", "name": "Synology NAS has a new upgrade available" }, { "rule": "devices.os = \"dsm\" && sensors.sensor_type = \"raidStatusState\" && sensors.sensor_current = \"[11-12]\"", "name": "Synology NAS has a bad RAID status" }, { "rule": "devices.os = \"dsm\" && sensors.sensor_type = \"diskStatusState\" && sensors.sensor_current = \"[4-5]\"", "name": "Synology NAS has a bad disk status" }, { "rule": "devices.os = \"f5\" && sensors.sensor_type = \"sysChassisPowerSupplyStatus\" && sensors.sensor_current = \"0\"", "name": "F5 appliance has a bad power supply" }, { "rule": "devices.os = \"f5\" && sensors.sensor_type = \"sysChassisFanStatus\" && sensors.sensor_current = \"0\"", "name": "F5 appliance has a bad fan" }, { "rule": "devices.os = \"nxos\" && sensors.sensor_type = \"cefcFanTrayOperStatus\" && sensors.sensor_current = \"[3-4]\"", "name": "Cisco NX-OS device has a bad fan" }, { "rule": "devices.os = \"panos\" && sensors.sensor_type = \"panSysHAState\" && sensors.sensor_current = \"1\" && sensors.sensor_prev = \"2\"", "name": "Palo Alto Networks passive firewall changed to active" }, { "rule": "sensors.sensor_current = \"2\" && sensors.sensor_oid = \".1.3.6.1.4.1.25506.8.35.9.1.1.1.2\"", "name": "Comware Fan Status failed" }, { "rule": "sensors.sensor_current = \"2\" && sensors.sensor_oid = \".1.3.6.1.4.1.25506.8.35.9.1.2.1.2\"", "name": "Comware PSU status failed" }, { "rule": "sensors.sensor_current = \"9\" && sensors.sensor_oid = \".1.3.6.1.4.1.9.9.13.1.4.1.3\"", "name": "Cisco Fan Status failed " }, { "rule": "sensors.sensor_current = \"8\" && sensors.sensor_oid = \".1.3.6.1.4.1.9.9.13.1.5.1.3\"", "name": "Cisco PSU status failed" }, { "builder": {"condition":"AND","rules":[{"id":"sensors.sensor_alert","field":"sensors.sensor_alert","type":"string","input":"text","operator":"equal","value":"1"},{"condition":"OR","rules":[{"id":"sensors.sensor_descr","field":"sensors.sensor_descr","type":"string","input":"text","operator":"regex","value":".*Power Supply.*"},{"id":"sensors.sensor_descr","field":"sensors.sensor_descr","type":"string","input":"text","operator":"regex","value":".*PEM.*"},{"id":"sensors.sensor_descr","field":"sensors.sensor_descr","type":"string","input":"text","operator":"regex","value":".*PSU.*"}]},{"condition":"OR","rules":[{"id":"macros.state_sensor_warning","field":"macros.state_sensor_warning","type":"boolean","input":"radio","operator":"equal","value":"1"},{"id":"macros.state_sensor_critical","field":"macros.state_sensor_critical","type":"boolean","input":"radio","operator":"equal","value":"1"}]}],"valid":true}, "name": "Generic PSU status failed" }, { "rule": "sensors.sensor_current = \"3\" && sensors.sensor_oid = \".1.3.6.1.4.1.4413.1.1.43.1.15.1.2.1\"", "name": "UBNT EdgeSwitch Chassis state failed" }, { "rule": "devices.os = \"Netscaler\" && sensors.sensor_type = \"sysHighAvailabilityMode\" && sensors.sensor_current != `sensors.sensor_prev` && sensors.lastupdate < \"DATE_SUB(NOW(),INTERVAL 5 MINUTE)\" && macros.device_up = \"1\"", "name": "Netscaler HA node mode change" }, { "rule": "devices.os = \"Netscaler\" && sensors.sensor_type = \"haCurState\" && sensors.sensor_current ~ \"[1|8|9]\" && macros.device_up = \"1\"", "name": "Netscaler HA node state Warning" }, { "rule": "devices.os = \"Netscaler\" && sensors.sensor_type = \"haCurState\" && sensors.sensor_current ~ \"[2|4|5|7|10|11]\" && macros.device_up = \"1\"", "name": "Netscaler HA node state Critical" }, { "rule": "%applications.app_type='portactivity' && %applications_metrics.ssh_total_to>'5'", "name": "SSH Connections To" }, { "rule": "%applications.app_type='portactivity' && %applications_metrics.http_total_to>'100'", "name": "HTTP Connections To" }, { "rule": "%applications.app_type='portactivity' && %applications_metrics.https_total_to>'100'", "name": "HTTPS Connections To" }, { "rule": "%applications.app_type='portactivity' && %applications_metrics.smtp_total_from>'10'", "name": "SMTP Connections From" }, { "rule": "%applications.app_type='portactivity' && %applications_metrics.smtp_total_to>'30'", "name": "SMTP Connections To" }, { "rule": "%applications.app_type='portactivity' && %applications_metrics.ftp_total_to>'5'", "name": "FTP Connections To" }, { "rule": "%applications.app_type='portactivity' && %applications_metrics.imap_total_to>'20'", "name": "IMAP Connections To" }, { "rule": "%applications.app_type='portactivity' && %applications_metrics.imaps_total_to>'20'", "name": "IMAPS Connections To" }, { "rule": "%applications.app_type='portactivity' && %applications_metrics.imaps_total_from>'0'", "name": "IRCD Connections From" }, { "rule": "customoids.customoid_current >= `customoids.customoid_limit` && customoids.customoid_alert = \"1\" && macros.device_up = \"1\"", "name": "CustomOID over limit" }, { "rule": "customoids.customoid_current <= `customoids.customoid_limit_low` && customoids.customoid_alert = \"1\" && macros.device_up = \"1\"", "name": "CustomOID under limit" }, { "rule": "customoids.customoid_current >= `customoids.customoid_limit_warn` && customoids.customoid_alert = \"1\" && macros.device_up = \"1\"", "name": "CustomOID over warning limit", "severity": "warning" }, { "rule": "customoids.customoid_current <= `customoids.customoid_limit_low_warn` && customoids.customoid_alert = \"1\" && macros.device_up = \"1\"", "name": "CustomOID under warning limit", "severity": "warning" }, { "rule": "applications.app_type = \"ups-nut\" && state_indexes.state_name = \"UPSOnBattery\" && macros.state_sensor_warning = 1", "name": "UPS-NUT on battery" }, { "rule": "applications.app_type = \"ups-nut\" && state_indexes.state_name = \"UPSLowBattery\" && macros.state_sensor_critical = 1", "name": "UPS-NUT low battery" }, { "rule": "applications.app_type = \"ups-nut\" && state_indexes.state_name = \"UPSHighBattery\" && macros.state_sensor_warning = 1", "name": "UPS-NUT high battery" }, { "rule": "applications.app_type = \"ups-nut\" && state_indexes.state_name = \"UPSBatteryReplace\" && macros.state_sensor_warning = 1", "name": "UPS-NUT battery needs to be replaced" }, { "rule": "applications.app_type = \"ups-nut\" && state_indexes.state_name = \"UPSBatteryCharging\" && macros.state_sensor_warning = 1", "name": "UPS-NUT battery is charging" }, { "rule": "applications.app_type = \"ups-nut\" && state_indexes.state_name = \"UPSBatteryDischarging\" && macros.state_sensor_warning = 1", "name": "UPS-NUT battery is discharging" }, { "rule": "applications.app_type = \"ups-nut\" && state_indexes.state_name = \"UPSUPSBypass\" && macros.state_sensor_warning = 1", "name": "UPS-NUT bypass circuit is active" }, { "rule": "applications.app_type = \"ups-nut\" && state_indexes.state_name = \"UPSRuntimeCalibration\" && macros.state_sensor_warning = 1", "name": "UPS-NUT performing runtime calibration" }, { "rule": "applications.app_type = \"ups-nut\" && state_indexes.state_name = \"UPSOffline\" && macros.state_sensor_critical = 1", "name": "UPS-NUT offline and is not supplying power to the load" }, { "rule": "applications.app_type = \"ups-nut\" && state_indexes.state_name = \"UPSUPSOverloaded\" && macros.state_sensor_critical = 1", "name": "UPS-NUT overloaded" }, { "rule": "applications.app_type = \"ups-nut\" && state_indexes.state_name = \"UPSUPSBuck\" && macros.state_sensor_warning = 1", "name": "UPS-NUT trimming incoming voltage" }, { "rule": "applications.app_type = \"ups-nut\" && state_indexes.state_name = \"UPSUPSBoost\" && macros.state_sensor_warning = 1", "name": "UPS-NUT boosting incoming voltage" }, { "rule": "applications.app_type = \"ups-nut\" && state_indexes.state_name = \"UPSForcedShutdown\" && macros.state_sensor_critical = 1", "name": "UPS-NUT trimming incoming voltage" }, { "rule": "devices.os = \"qnap\" && sensors.sensor_type = \"systemPowerStatus\" && sensors.sensor_current = \"-1\"", "name": "QNAP NAS has a failed power status" }, { "rule": "devices.os = \"qnap\" && sensors.sensor_type = \"systemFanStatus\" && sensors.sensor_current = \"-1\"", "name": "QNAP NAS has a failed fan status" }, { "rule": "devices.os = \"qnap\" && sensors.sensor_type = \"raidStatus\" && sensors.sensor_current != \"0\"", "name": "QNAP NAS has a bad RAID status" }, { "rule": "devices.os = \"qnap\" && sensors.sensor_type = \"diskSmartInfo\" && sensors.sensor_current != \"0\"", "name": "QNAP NAS has a bad SMART disk status" }, { "rule": "eventlog.message ~ \"Deleted\" && eventlog.datetime >= `DATE_SUB(NOW(),INTERVAL 12 Hour)`", "name": "A Device sensor has been deleted" }, { "name": "Unpolled Devices", "builder": {"condition":"AND","rules":[{"id":"macros.device","field":"macros.device","type":"integer","input":"radio","operator":"equal","value":"1"},{"id":"devices.last_polled","field":"devices.last_polled","type":"datetime","input":"text","operator":"less","value":"`DATE_SUB(NOW(), INTERVAL 6 MINUTE)`"}],"valid":true} }, { "builder": {"condition":"AND","rules":[{"id":"ports.ifSpeed","field":"ports.ifSpeed","type":"string","input":"text","operator":"greater","value":"0"},{"id":"ports.ifSpeed","field":"ports.ifSpeed","type":"string","input":"text","operator":"less","value":"`ports.ifSpeed_prev`"},{"id":"eventlog.message","field":"eventlog.message","type":"string","input":"text","operator":"begins_with","value":"ifSpeed:"},{"id":"eventlog.datetime","field":"eventlog.datetime","type":"datetime","input":"text","operator":"greater_or_equal","value":"`macros.past_10m`"},{"id":"ports.port_id","field":"ports.port_id","type":"string","input":"text","operator":"equal","value":"`eventlog.reference`"},{"id":"ports.ifOperStatus","field":"ports.ifOperStatus","type":"string","input":"text","operator":"equal","value":"up"},{"id":"ports.disabled","field":"ports.disabled","type":"string","input":"text","operator":"equal","value":"0"}],"valid":true}, "name": "Port Speed Degraded" }, { "rule": "applications.app_type = \"suricata\" && application_metrics.metric = \"alert\" && application_metrics.value = \"1\"", "name": "Suricata has a WARNING alert", "severity": "warning" }, { "rule": "applications.app_type = \"suricata\" && application_metrics.metric = \"alert\" && application_metrics.value = \"2\"", "name": "Suricata has a CRITICAL alert", "severity": "critical" }, { "rule": "applications.app_type = \"suricata\" && application_metrics.metric = \"alert\" && application_metrics.value = \"3\"", "name": "Suricata has a UNKNOWN alert", "severity": "critical" }, { "rule": "applications.app_type = \"suricata\" && application_metrics.metric = \".total_drop_percent\" && application_metrics.value >= \"1\"", "name": "Suricata Packet Drop > 1%", "severity": "warning" }, { "rule": "applications.app_type = \"suricata\" && application_metrics.metric = \".total_drop_percent\" && application_metrics.value >= \"2\"", "name": "Suricata Packet Drop > 2%", "severity": "critical" }, { "rule": "applications.app_type = \"suricata\" && application_metrics.metric = \".total_ifdrop_percent\" && application_metrics.value >= \"1\"", "name": "Suricata Packet If Drop > 1%", "severity": "warning" }, { "rule": "applications.app_type = \"suricata\" && application_metrics.metric = \".total_ifdrop_percent\" && application_metrics.value >= \"2\"", "name": "Suricata Packet If Drop > 2%", "severity": "critical" }, { "rule": "applications.app_type = \"suricata\" && application_metrics.metric = \".total_error_delta\" && application_metrics.value >= \"1\"", "name": "Suricata Packet Error >= 1%", "severity": "warning" }, { "rule": "applications.app_type = \"suricata\" && application_metrics.metric = \".total_error_delta\" && application_metrics.value >= \"2\"", "name": "Suricata Packet Error >= 2%", "severity": "critical" }, { "rule": "applications.app_type = \"mysql\" && applications.app_state != \"OK\"", "name": "MySQL Server not responding", "severity":"critical" }, { "rule": "applications.app_type = \"opensearch\" && application_metrics.metric = \".status\" && application_metrics.value = \"1\"", "name": "Opensearch/Elasticsearch Cluster Status Yellow", "severity": "warning" }, { "rule": "applications.app_type = \"opensearch\" && application_metrics.metric = \".status\" && application_metrics.value = \"2\"", "name": "Opensearch/Elasticsearch Cluster Status Red", "severity": "critical" }, { "rule": "applications.app_type = \"sagan\" && application_metrics.metric = \".total_alert\" && application_metrics.value = \"1\"", "name": "Sagan has a WARNING alert", "severity": "warning" }, { "rule": "applications.app_type = \"sagan\" && application_metrics.metric = \".total_alert\" && application_metrics.value = \"2\"", "name": "Sagan has a CRITICAL alert", "severity": "critical" }, { "rule": "applications.app_type = \"sagan\" && application_metrics.metric = \".total_alert\" && application_metrics.value = \"3\"", "name": "Sagan has a UNKNOWN alert", "severity": "critical" }, { "rule": "applications.app_type = \"sagan\" && application_metrics.metric = \".total_f_drop_percent\" && application_metrics.value >= \"1\"", "name": "Sagan Flow Drop Percent >= 1%", "severity": "warning" }, { "rule": "applications.app_type = \"sagan\" && application_metrics.metric = \".total_f_drop_percent\" && application_metrics.value >= \"2\"", "name": "Sagan Flow Drop Percent >= 2%", "severity": "critical" }, { "rule": "applications.app_type = \"sagan\" && application_metrics.metric = \".total_drop_percent\" && application_metrics.value >= \"1\"", "name": "Sagan Drop Percent >= 1%", "severity": "warning" }, { "rule": "applications.app_type = \"sagan\" && application_metrics.metric = \".total_drop_percent\" && application_metrics.value >= \"2\"", "name": "Sagan Drop Percent >= 2%", "severity": "critical" }, { "rule": "storage.storage_deleted = 0 AND storage.storage_descr = \"/\" AND storage.storage_perc >= 90 AND storage.storage_perc < 95", "name": "Space on / is >= 90% and < 95% in use", "severity":"warning" }, { "rule": "storage.storage_deleted = 0 AND storage.storage_descr = \"/\" AND storage.storage_perc >= 95", "name": "Space on / is >= 95% in use", "severity":"critical" } ]