As the name indicates, Alert Queries are used to query data and retrieve information. Alerts are raised on the content of indexed columns and on raw log string matches. This topic also explains how to test, modify and delete queries. In an alert query you define the matches that raise an alert. This functionality is available only to Superusers (System Administrators).
Alert Queries can be created from here, from Raw log search or from Indexer log search.
Searching for alerts
Using the Search field you can also search for filters. Enter a few characters of a filter's name and the page filters the records to those matching your input.
For example, entering "authentication" in the search box filters the existing output to records containing the word "authentication", as shown below.
Note: This search feature is available throughout the OTUS system wherever a search is required, be that Users, Roles, Distribution, Groups etc.
Creating one or more alert queries
1. Select Alert Queries from the Alerting Menu. The following page is displayed.
Note: Alert queries can also be created wherever the Create Alert Query button appears.
2. Click the Add button. The following fields and buttons are displayed. We'll discuss two examples. In the first example we create an alert query that checks for all successful logins.
2. Enter a name for the filter in the Name field, choosing one of the names listed under the Name column. (For our example enter unix_auth_accepted_password.)
3. Select an indexer from the Indexer column. Click the box titled - select - under the Indexer column and select an indexer from the list. (For our example select unix_auth.)
4. Click the Conditions box under the Filter column. The web page displays additional fields as shown below.
5. Click the first drop-down (named - Select -) and from the drop-down select an item. For our example select "Operation".
Note: Based on the selection made in the Indexer column, this drop-down changes to show different values and options. For instance, if the file is a raw file then only the following options are available.
The available operators (AND, OR, LIKE, and so on) also differ between raw log files and indexer log files.
For instance, raw log files (as shown in the image above) have the '~' operator for regex matching.
For indexer log files the following operators appear in the drop-down: '==' (equal to), '!=' (not equal to), '<' (less than), '>' (greater than), '<=' (less than or equal to), '>=' (greater than or equal to), and the IS NULL and IS NOT NULL operators.
The following are choices when "delay" is selected while making a condition for a filter for Indexer log file.
6. Click the second box with the down-arrow head and from the drop-down select "==".
7. In the next box enter the words "Accepted Password". For our example this means that the condition matches when the Operation column equals the string "Accepted Password".
Note: In this example we have created only one condition. The number 1 indicates the number of conditions created. We can add one or more further conditions; this is discussed in the following section.
8. Click the box under the Groups column and from the drop-down select one or more groups to which this condition applies. In our example only servers and user need to be selected.
Note: A group is a collection of servers. For raw alerting, items can be grouped by server value. For indexed alerting, items can be grouped by server value plus all other values that are indexed. To find out more about groups and how to create and manage them, refer to the topic Creating and Managing Groups.
The final image looks as follows.
9. Click . The saved condition appears in the list of alerts. To cancel the process click .
Adding one or more conditions
In this example we'll create a filter that checks all logins, both successful and unsuccessful. To do this we simply add one more condition to the existing condition.
1. Follow steps 1 to 7 of the previous section.
2. Click the OR button immediately after creating the first condition. Additional fields are displayed as shown below.
3. Create the second condition as explained in the previous section. This time enter the message authentication failure for the second condition. If done correctly you should get the following image.
Note: To delete a condition click associated with that condition.
4. Click the box under the Groups column and from the drop-down select one or more groups to which this condition applies. In our example only servers and user need to be selected.
5. Click . The saved condition appears in the list of alerts.
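To make the condition model concrete, here is an added Python example (not OTUS code) that evaluates the two queries built above, successful logins and successful-or-failed logins with a group restriction, plus the '~' regex operator of raw log files, against constructed records; the field names Operation, server and user are assumed.

```python
import re
from operator import eq, ne, lt, gt, le, ge

# Operators offered for indexer log files; '~' (regex) is handled separately for raw log strings
OPERATORS = {"==": eq, "!=": ne, "<": lt, ">": gt, "<=": le, ">=": ge}

def match_condition(record, field, op, value=None):
    """Evaluate a single condition (field, operator, value) against one record."""
    actual = record.get(field)
    if op == "IS NULL":
        return actual is None
    if op == "IS NOT NULL":
        return actual is not None
    if actual is None:
        return False  # a missing column never satisfies a comparison
    if op == "~":  # regex match against a raw log string
        return re.search(value, str(actual)) is not None
    return OPERATORS[op](actual, value)

def run_alert_query(records, conditions, joiner="OR", group=None):
    """Return the records matching the query; `group` restricts to a set of server names."""
    hits = []
    for rec in records:
        if group is not None and rec.get("server") not in group:
            continue
        outcomes = [match_condition(rec, *cond) for cond in conditions]
        if (any if joiner == "OR" else all)(outcomes):
            hits.append(rec)
    return hits

# Constructed sample records shaped like unix_auth indexer output (field names assumed)
RECORDS = [
    {"server": "web01", "user": "alice", "Operation": "Accepted Password"},
    {"server": "web01", "user": "root", "Operation": "authentication failure"},
    {"server": "db02", "user": "bob", "Operation": "Accepted Password"},
    {"server": "web01", "user": "carol", "Operation": "session opened"},
    {"server": "web01", "user": None, "Operation": "Accepted Password"},
]

# First worked example: only successful logins
SUCCESSFUL_LOGINS = [("Operation", "==", "Accepted Password")]
# Second worked example: successful OR failed logins
ALL_LOGINS = SUCCESSFUL_LOGINS + [("Operation", "==", "authentication failure")]

if __name__ == "__main__":
    for rec in run_alert_query(RECORDS, ALL_LOGINS, "OR", group={"web01"}):
        print(rec)
```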
To Test an alert query
1. Click the new filter in the list of filters displayed. The filter is highlighted as shown below.
2. Click . The web page refreshes to display the results of the query.
To modify an alert query
1. Double-click a field of the query. In our example the Filter field was double-clicked.
2. Modify the field as required and when done click . To quit without saving changes click .
To delete an alert query
1. Select the alert query to be deleted. It is highlighted with a blue background as seen earlier.
2. Click . The Delete confirmation dialog is displayed.
3. Click Yes.
Caution: Exercise this function with care. The process cannot be undone. All data is deleted.