The Alarm Notification Policy is used to specify the information that is included in an Alarm Notification, as well as to throttle the number of notifications sent in an allotted time.

Notification Policy Types

The Alarming and Response Manager (ARM) is capable of sending alarm notifications in several ways, each with its own type of Notification Policy. People and roles may be assigned contact methods using the available policy types.

  • SMTP. Used for creating policies that notify users via email. This is the only notification type that can be used for receiving AI Engine Drill Down Cache results.
    SMTP notifications can be text or HTML. Only HTML notifications include the Rule Block section and the Origin/Impacted section. The Rule Block section provides data according to both the Group By Fields and the AIE Summary Fields. HTML notifications also show log messages rather than the AIE Event XML.

    Note: The AIE Drill Down Cache feature must be enabled for HTML notifications. Both the AIE Drill Down Cache API and the Notification Service settings can be modified in the Configuration Manager.

  • SNMP. Used for creating policies that notify users via SNMP traps.
  • Text. Used for creating policies that notify users via text files.

Additional Information About Alarm Text File Notifications

Event Counts

The ARM compares new events to active alarm rules. When an Alarm Rule is configured to create Text File notifications, one line of text is appended to the current output file each time the alarm is triggered. Like other alarm notification types, file-based alarm notifications may include alarm values such as the Alarm Rule Name and Alarm Date. Unlike other alarm notification types, a file-based notification includes event values only for the first event associated with the alarm.

As a result, you may see an alarm record for an aggregate alarm rule that shows an Event Count of 3 yet has only one Origin Host value: the ARM appends a single line of text to the output file for that alarm.

Selected Time Zone vs. System Time

To maintain consistency between the date values that appear inside the alarm records and the timestamp in the file name, all dates are translated to the selected Time Zone. This may result in a discrepancy between the system clock and the timestamp shown in the file name. For example, if the ARM host is in Mountain Time (UTC-07:00) and the Time Zone selected in the Text File Notification Policy is UTC, then daily rollover will occur at or after 12:00 AM UTC, which is 5:00 PM MST. Although the new file may be created at 5:00:35 PM local time, the timestamp in the file name is in UTC: LogRhythmAlarms20101116_000035_8347937.txt

Byte Order Mark

When UTF-8 Text Encoding is selected, the ARM automatically writes the Byte Order Mark (BOM) to the beginning of the file. For example, BareTail displays the mark as a special character at the beginning of the file, but correctly recognizes the text encoding as UTF-8.

Formatting

The data format used by Text File Notifications is identical to the data formatting used by the LogRhythm Log Exporter:

  • Integers:
    • Integer values are region-invariant (the format doesn’t change from region to region).
    • Commas and/or periods are not used.
    • Example: 1935
  • Decimals:
    • Decimal values are region-invariant.
    • Up to 9 digits to the right of the decimal are supported.
    • The format is always #0.#########.
    • Examples: 0.3474304 or 84627.34545
  • DateTime values are always represented in one of the following formats:
    • 2010-11-14 11:22:36 AM
    • 2010-11-14 11:22:36 AM-07:00
  • Locations:
    • Commas are always converted to colons in the typical location string. Example: United States: Colorado: Boulder
    • If Quote Strings is checked, the location string is quoted, but commas are still converted to colons. Example: “United States: Colorado: Boulder”
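The following is an added example, not LogRhythm's code, that applies the formatting rules listed above and the file-name rule from the Selected Time Zone section. The zero-padded hour, bankers rounding, ASCII quote characters, the meaning of the trailing number in the file name, and the sample values are assumptions.

```python
from datetime import datetime, timedelta, timezone
from decimal import Decimal, ROUND_HALF_EVEN

def fmt_int(value: int) -> str:
    """Integers are region-invariant: no thousands separators, ever."""
    return str(int(value))

def fmt_decimal(value) -> str:
    """'#0.#########': at most 9 fractional digits, no grouping, trailing zeros
    dropped, at least one digit before the point (bankers rounding is an assumption)."""
    d = Decimal(str(value)).quantize(Decimal("1.000000000"), rounding=ROUND_HALF_EVEN)
    return format(d.normalize(), "f")

def fmt_datetime(dt: datetime) -> str:
    """'2010-11-14 11:22:36 AM', plus '-07:00' when the value carries an offset.
    AM/PM is built by hand so the output cannot drift with the process locale the
    way strftime('%p') can. Zero-padding the hour is an assumption."""
    hour12 = dt.hour % 12 or 12
    text = (f"{dt.year:04d}-{dt.month:02d}-{dt.day:02d} "
            f"{hour12:02d}:{dt.minute:02d}:{dt.second:02d} {'AM' if dt.hour < 12 else 'PM'}")
    offset = dt.utcoffset()
    if offset is not None:
        secs = int(offset.total_seconds())
        sign, secs = ("-", -secs) if secs < 0 else ("+", secs)
        text += f"{sign}{secs // 3600:02d}:{secs % 3600 // 60:02d}"
    return text

def fmt_location(location: str, quote_strings: bool = False) -> str:
    """Commas become colons; with Quote Strings checked the result is wrapped in
    ASCII double quotes (assumed; the page renders them typographically)."""
    text = location.replace(",", ":")
    return f'"{text}"' if quote_strings else text

def rollover_filename(created_at: datetime, selected_tz: timezone, suffix: int) -> str:
    """The file-name timestamp is taken in the policy's selected Time Zone, not the
    host clock. The trailing number is undocumented on the page; it is passed through."""
    ts = created_at.astimezone(selected_tz)
    return f"LogRhythmAlarms{ts:%Y%m%d_%H%M%S}_{suffix}.txt"

# Constructed sample values (not from the product): a Mountain Time host
# writing a file at 5:00:35 PM MST with UTC selected in the policy.
MST = timezone(timedelta(hours=-7))
UTC = timezone.utc
SAMPLE_NAIVE = datetime(2010, 11, 14, 11, 22, 36)
SAMPLE_LOCAL_CREATE = datetime(2010, 11, 15, 17, 0, 35, tzinfo=MST)

if __name__ == "__main__":
    print(fmt_decimal(84627.34545), fmt_datetime(SAMPLE_NAIVE.replace(tzinfo=MST)))
    print(rollover_filename(SAMPLE_LOCAL_CREATE, UTC, 8347937))
```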

Error Handling

If the ARM cannot write to the output file, it automatically rolls over and attempts to create a new output file. This may happen if a program such as Notepad opens the file with write access. If the ARM cannot write to an output file after three attempts, then it logs an error and stops trying.

Some reasons that Text File Notifications might fail all three attempts are:

  • One or more directories in the specified Base File Path cannot be found.
  • The ARM process does not have permission to create and/or write files in the specified directory.