[ { "rule": "%macros.device_down = \"1\"", "name": "Devices up/down", "default": true }, { "rule": "%devices.uptime < \"300\" && %macros.device = \"1\"", "name": "Device rebooted", "extra": "{\"count\": 1}", "default": true }, { "rule": "%bgpPeers.bgpPeerState != \"established\" && %macros.device_up = \"1\"", "name": "BGP Session down", "extra": "{\"count\": 1}", "default": true }, { "rule": "%bgpPeers.bgpPeerFsmEstablishedTime < \"300\" && %bgpPeers.bgpPeerState = \"established\" && %macros.device_up = \"1\"", "name": "BGP Session established", "extra": "{\"count\": 1}", "default": true }, { "rule": "%macros.port_down = \"1\"", "name": "Port status up/down", "extra": "{\"count\": 1}", "default": true }, { "rule": "%macros.port_usage_perc >= \"80\" && %macros.port_up = \"1\" && %macros.port = \"1\"", "name": "Port utilisation over threshold", "default": true }, { "rule": "%sensors.sensor_current > %sensors.sensor_limit && %sensors.sensor_alert = \"1\" && %macros.device_up = \"1\"", "name": "Sensor over limit", "default": true }, { "rule": "%sensors.sensor_current < %sensors.sensor_limit_low && %sensors.sensor_alert = \"1\" && %macros.device_up = \"1\"", "name": "Sensor under limit", "default": true }, { "rule": "%services.service_status != \"0\" && %macros.device_up = \"1\"", "name": "Service up/down", "default": true }, { "rule": "%wireless_sensors.sensor_current >= %wireless_sensors.sensor_limit && %wireless_sensors.sensor_alert = \"1\" && %macros.device_up = \"1\"", "name": "Wireless Sensor over limit", "default": true }, { "rule": "%wireless_sensors.sensor_current <= %wireless_sensors.sensor_limit_low && %wireless_sensors.sensor_alert = \"1\" && %macros.device_up = \"1\"", "name": "Wireless Sensor under limit", "default": true }, { "rule": "%macros.bill_quota_over_quota >= \"75\"", "name": "Quota bills over 75% used" }, { "rule": "%macros.bill_cdr_over_quota >= \"75\"", "name": "CDR bills over 75% used" }, { "rule": "%ipsec_tunnels.tunnel_status != \"active\" && %macros.device_up = \"1\"", "name": "IPSec tunnels down" }, { "rule": "%pollers.time_taken >= \"250\"", "name": "Poller is taking too long" }, { "rule": "%macros.device_up = \"1\" && %devices.os = \"asa\" && %ciscoASA.data > \"5000\"", "name": "Cisco ASA connections over 5000" }, { "rule": "%processors.processor_usage > \"85\" && %macros.device_up = \"1\"", "name": "Processor usage over 85%" }, { "rule": "%sensors.sensor_descr = \"Primary Unit.*\" && %sensors.sensor_current = \"10\" && %sensors.sensor_prev = \"9\"", "name": "Cisco ASA Primary unit changed to standby" }, { "rule": "%ports.ifOperStatus = \"down\" && %ports.ifOperStatus_prev = \"up\" && %macros.device_up = \"1\"", "name": "Port status change from up to down" }, { "rule": "%ports.ifOutErrors_rate >= \"100\" || %ports.ifInErrors_rate >= \"100\"", "name": "Interface Errors Rate greater than 100" }, { "rule": "%eventlog.type = \"discovery\" && %eventlog.message ~ \"@autodiscovered@\" && %eventlog.datetime >= %macros.past_60m", "name": "Device discovered within the last 60 minutes" }, { "rule": "%wireless_sensors.sensor_class = 'clients' && %wireless_sensors.sensor_current >= %wireless_sensors.sensor_limit && %wireless_sensors.sensor_alert = \"1\" && %macros.device_up = \"1\"", "name": "Too many wireless clients" }, { "rule": "%syslog.timestamp > = %macros.past_5m && %syslog.msg ~ \"@authentication failure@\"", "name": "Syslog, Authentication failure on Device" }, { "rule": "%services.service_status = \"1\"", "name": "Service warning" }, { "rule": "%services.service_status = \"2\"", "name": "Service critical" }, { "rule": "%syslog.timestamp >= %macros.past_5m && %syslog.priority ~ \"alert\"", "name": "Syslog, received Alert Priority Message" }, { "rule": "%syslog.timestamp >= %macros.past_5m && %syslog.priority ~ \"emergency\"", "name": "Syslog, received Emergency Priority Message" }, { "rule": "%syslog.timestamp = %macros.past_5m && %syslog.msg ~ \"@arp table is full@\"", "name": "Syslog, ARP table is full check on device " }, { "rule": "%sensors.sensor_type = \"upsAdvBatteryReplaceIndicator\" && %sensors.sensor_current = \"2\"", "name": "APC UPS Battery Needs Replacement" }, { "rule": "%sensors.sensor_current = \"3\" && %sensors.sensor_type = \"upsBasicOutputStatus\"", "name": "APC UPS Switched to Battery Power" }, { "rule": "%sensors.sensor_current = \"10\" && %sensors.sensor_type = \"upsBasicOutputStatus\"", "name": "APC UPS in Hardware Failure Bypass Mode" }, { "rule": "%sensors.sensor_current = \"16\" && %sensors.sensor_type = \"upsBasicOutputStatus\"", "name": "APC UPS in Emergency Static Bypass Mode" }, { "rule": "%sensors.sensor_current = \"12\" && %sensors.sensor_type = \"upsBasicOutputStatus\"", "name": "APC UPS in Smart Trim Mode" }, { "rule": "%sensors.sensor_oid ~ \".1.3.6.1.4.1.11.2.14.11.1.2.6.1.4.[2-5]\" && %sensors.sensor_current = \"2\"", "name": "HP Procurve Bad Power Supply" }, { "rule": "%sensors.sensor_oid = \".1.3.6.1.4.1.11.2.14.11.1.2.6.1.4.1\" && %sensors.sensor_current = \"2\"", "name": "HP Procurve Fan Fault" }, { "rule": "%sensors.sensor_current > %sensors.sensor_limit && %sensors.sensor_alert = \"1\" && %macros.device_up = \"1\" && %macros.sensor_port_link = \"1\"", "name": "Sensor over limit with linked port" }, { "rule": "%sensors.sensor_current < %sensors.sensor_limit_low && %sensors.sensor_alert = \"1\" && %macros.device_up = \"1\" && %macros.sensor_port_link = \"1\"", "name": "Sensor under limit with linked port" }, { "rule": "%sensors.sensor_current = \"4\" && %sensors.sensor_type = \"upsOutputSourceState\"", "name": "UPS is running on the bypass" }, { "rule": "%sensors.sensor_current = \"5\" && %sensors.sensor_type = \"upsOutputSourceState\"", "name": "UPS is running on the battery" }, { "rule": "%sensors.sensor_current = \"3\" && %sensors.sensor_type = \"upsBatteryStatusState\"", "name": "UPS has a low battery" }, { "rule": "%sensors.sensor_current = \"4\" && %sensors.sensor_type = \"upsBatteryStatusState\"", "name": "UPS has a depleted battery" }, { "rule": "%sensors.sensor_descr ~ \"Percentage load\" && %sensors.sensor_current >= \"90\" && %sensors.sensor_type = \"rfc1628\"", "name": "UPS has a heavy load" } ]