Alarm Rules
The Alarming and Response Manager (ARM) evaluates system and user-defined alarm rules to determine whether an Event should incur an alarm. The Alarm Rule Wizard moves you through the process of creating and configuring an alarm rule. You can enable, disable, retire, and restore alarm rules from the Alarm Rules tab of the Deployment Manager.
Alarm Rule Permissions
There are two types of Security Permissions, System and Custom. System Permissions are created by LogRhythm and come in two types, Global and Private, as defined below. Custom Security Permissions are created by users.
- System alarm rules are created by LogRhythm and cannot be removed:
  - System Global. Administrators can modify filters and notifications, as well as enable or disable these rules. If you select Synchronize Alarm Rule Criteria when you import a Knowledge Base file, local modifications that conflict with the synchronization are overwritten.
  - System Private. This rule is used for Alarm Rules that provide a specific function that should be kept identical across all deployments. It has fewer editable properties so it can be more fully synchronized during a Knowledge Base import. You can add custom Include and Exclude filters, which are not overwritten when a Knowledge Base is imported, but you cannot add Primary filters.
- Custom alarm rules are created by LogRhythm Administrators:
  - Custom Global Alarm Rules. Can only be created and managed by LogRhythm Administrators from the Alarm Rules tab of the Deployment Manager.
You can view Alarm Rule permissions in the Alarm rules grid in the Deployment Manager.
Text File Notifications
Event Counts
The ARM compares new events to active alarm rules. When an Alarm Rule is configured to create Text File notifications, one line of text is appended to the current output file each time the alarm is triggered. Like other alarm notification types, file-based alarm notifications may include alarm values such as the Alarm Rule Name and Alarm Date. Unlike other alarm notification types, they include event values only for the first event associated with an alarm.
For example, you may see an alarm record for an aggregate alarm rule that shows an Event Count of 3 yet has only one Origin Host value: the ARM appends a single line of text to the output file for the alarm, carrying the values of the first event only.
Selected Time Zone vs. System Time
To maintain consistency between date values that appear inside the alarm records and in the file name timestamp, all dates are translated to the selected Time Zone. This may result in a discrepancy between the system clock and the timestamp shown in the file name. For example, if the ARM host is in Mountain Time (UTC-07:00) and the Time Zone selected in the Text File Notification Policy is UTC, then daily rollover will occur at or after 12:00 AM UTC, which is 5:00 PM MST. Although the new file may be created at 5:00:35 PM local time, the timestamp in the file name is in UTC: LogRhythmAlarms20101116_000035_8347937.txt
Byte Order Mark
When UTF-8 Text Encoding is selected, the ARM automatically writes the Byte Order Mark (BOM) to the beginning of the file. For example, BareTail displays the mark as a special character at the beginning of the file, but correctly recognizes the text encoding as UTF-8.
Formatting
The data format used by Text File Notifications is identical to the data formatting used by the LogRhythm Log Exporter:
- Integers:
  - Integer values are region-invariant (the format doesn’t change from region to region).
  - Commas and/or periods are not used.
  - Example: 1935
- Decimals:
  - Decimal values are region-invariant.
  - Up to 9 digits to the right of the decimal are supported.
  - The format is always #0.#########.
  - Examples: 0.3474304 or 84627.34545
- DateTime:
  - DateTime values are always represented in one of the following formats:
    - 2010-11-14 11:22:36 AM
    - 2010-11-14 11:22:36 AM-07:00
- Locations:
  - Commas are always converted to colons in the typical location string. Example: United States: Colorado: Boulder
  - If Quote Strings is checked, the location string is quoted, but commas are still converted to colons. Example: “United States: Colorado: Boulder”
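As an added example (not LogRhythm's own code), a small Python consumer that applies the rules from the Selected Time Zone, Byte Order Mark and Formatting sections above: it reads the rollover time out of the file name in the policy's Time Zone, strips the UTF-8 BOM before splitting lines, parses both DateTime layouts, and produces the region-invariant decimal and location forms. The file-name layout (LogRhythmAlarmsYYYYMMDD_HHMMSS_<suffix>.txt) and the use of straight double quotes are assumptions taken from the page's examples.

```python
import re
from datetime import datetime, timezone, timedelta
from decimal import Decimal

# File name layout assumed from the page's example:
# LogRhythmAlarmsYYYYMMDD_HHMMSS_<numeric suffix>.txt
FILENAME_RE = re.compile(r"^LogRhythmAlarms(\d{8})_(\d{6})_(\d+)\.txt$")
UTF8_BOM = b"\xef\xbb\xbf"

def filename_timestamp(name, policy_tz=timezone.utc):
    """Rollover time encoded in the file name, as an aware datetime.
    The stamp is in the Time Zone selected in the notification policy, not the
    ARM host's clock, so the caller supplies that zone (UTC by default here)."""
    m = FILENAME_RE.match(name)
    if not m:
        raise ValueError(f"not an ARM notification file name: {name}")
    naive = datetime.strptime(m.group(1) + m.group(2), "%Y%m%d%H%M%S")
    return naive.replace(tzinfo=policy_tz)

def parse_datetime(text):
    """Accept both DateTime layouts: with or without a trailing UTC offset."""
    for fmt in ("%Y-%m-%d %I:%M:%S %p%z", "%Y-%m-%d %I:%M:%S %p"):
        try:
            return datetime.strptime(text, fmt)
        except ValueError:
            continue
    raise ValueError(f"unrecognised DateTime value: {text}")

def format_decimal(value):
    """Region-invariant #0.#########: a leading digit, at most nine fractional
    digits, no grouping separators, no trailing zeros or dangling point."""
    text = f"{Decimal(str(value)):.9f}".rstrip("0")
    return text.rstrip(".")

def format_location(location, quote_strings=False):
    """Commas become colons; with Quote Strings on, the result is wrapped in
    straight double quotes (assumed; the page shows typographic quotes)."""
    text = location.replace(",", ":")
    return f'"{text}"' if quote_strings else text

def decode_notification(data):
    """Split a file's bytes into lines, dropping the BOM the ARM writes when the
    policy's encoding is UTF-8 so it is not glued to the first field."""
    if data.startswith(UTF8_BOM):
        data = data[len(UTF8_BOM):]
    return data.decode("utf-8").splitlines()

if __name__ == "__main__":
    # Constructed check: the page's file name, shown in the ARM host's zone (MST)
    mst = timezone(timedelta(hours=-7))
    print(filename_timestamp("LogRhythmAlarms20101116_000035_8347937.txt").astimezone(mst))
```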
Error Handling
- If the ARM cannot write to the output file, it automatically rolls over and attempts to create a new output file. This may happen if a program such as Notepad opens the file with write access. If the ARM cannot write to an output file after three attempts, it logs an error and stops trying.
- Some reasons that Text File Notification might fail all three attempts are:
  - One or more directories in the specified Base File Path cannot be found.
  - The ARM process does not have permission to create and/or write files in the specified directory.