Configuring the alerter

Configure and activate the alerter to send email messages, SNMP traps, and alert-related Syslog messages.

Other components create and queue messages for the Alerter. The Alerter checks for and sends messages based on the specified polling interval.

To configure, enable or disable individual correlation alerts, see Correlation Alerts. To produce correlation alerts and appliance alerts, make sure that Anomaly Detection is started. To create real-time alerts, a security policy must be installed.

Mail/SNMP/SYSLOG messages are sent out according to their priority.

To open the Alerter page, go to Setup > Tools and Views > Alerter.

Automatically activate the Alerter on startup

  1. Select Active on Startup. Each time the appliance restarts, the Alerter is activated.
  2. Click Apply.
  3. If the Alerter is not running, click Restart to start it.

Set the polling interval

The polling interval is the frequency that the Alerter checks for and sends messages. Enter the polling interval, in seconds.

Configure the Alerter to send SMTP (email) messages

From the SMTP tab, configure email messages.

  1. To use SMTP for alert emails, select Send alert emails using SMTP.
  2. Under Host, enter the IP address or hostname for the SMTP gateway.
  3. Under Port, enter the SMTP port number (the default is 25).
  4. If you selected Send alert emails using SMTP, click Test Connection to open the Test connection window. You can take one of the following actions:
    • Enter an email address to send the test alert and click OK to send a test email to the address.
    • Click OK without entering an address to test whether the connection is open (and return a message).
    • Click Cancel to cancel without testing.
  5. In Return-path email address, enter the return address for email that is sent by the system. This address is usually a monitored administrative account.
  6. Select Use STARTTLS for encryption to have the Alerter upgrade the SMTP session to TLS with the STARTTLS command.
  7. To use SMTP server authentication, select Assign SMTP credentials. In this case, you must specify the username and password to use for authentication.
    • Enter a valid username for your mail server.
    • Enter, and then reenter, the password for this user.
  8. Click Save to save the configuration.
    Note: The Alerter does not use the new configuration until it is restarted.
  9. Click Restart to restart the Alerter with the new configuration.
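The Test Connection action in step 4 (without an address) reports only whether the gateway's TCP port accepts a connection. Before selecting Use STARTTLS for encryption in step 6, an administrator may also want to confirm that the host really answers as an SMTP server and advertises STARTTLS. The following Python script is an illustration added here, not Guardium code; the fake gateway, the hostnames and the `check_smtp_gateway` function are constructed for this example.

```python
import socket
import threading

# Constructed stand-in for an SMTP gateway so the check below runs offline.
# mode "starttls" advertises STARTTLS in its EHLO reply, "plain" does not, and
# "silent" accepts the TCP connection but hangs up without an SMTP banner.
def _fake_gateway(listener, mode):
    conn, _ = listener.accept()
    listener.close()
    with conn:
        if mode == "silent":
            return
        conn.sendall(b"220 mail.example.test ESMTP ready\r\n")
        rfile = conn.makefile("rb")
        if rfile.readline().upper().startswith(b"EHLO"):
            reply = b"250-mail.example.test\r\n"
            if mode == "starttls":
                reply += b"250-STARTTLS\r\n"
            conn.sendall(reply + b"250 SIZE 10240000\r\n")
        rfile.readline()  # wait for the client's QUIT

def start_fake_gateway(mode):
    # One-shot listener on an ephemeral loopback port; returns the port.
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    threading.Thread(target=_fake_gateway, args=(listener, mode), daemon=True).start()
    return listener.getsockname()[1]

def check_smtp_gateway(host, port, timeout=3.0):
    # Three graded answers: port open, real SMTP greeting, STARTTLS offered.
    result = {"tcp_open": False, "smtp_banner": False, "starttls": False}
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            result["tcp_open"] = True                 # all a port test proves
            rfile = s.makefile("rb")
            if not rfile.readline().startswith(b"220"):
                return result                         # open port, no mail server
            result["smtp_banner"] = True
            s.sendall(b"EHLO alerter.example.test\r\n")
            while True:                               # multi-line EHLO reply
                line = rfile.readline()
                if line[4:].strip().upper() == b"STARTTLS":
                    result["starttls"] = True
                if not line or line[3:4] == b" ":     # EOF or final "250 " line
                    break
            s.sendall(b"QUIT\r\n")
    except OSError:                                   # refused, unreachable, timeout
        pass
    return result
```

Run `check_smtp_gateway` against the real gateway host and port from steps 2 and 3; a result with `tcp_open` true but `smtp_banner` false is exactly the case a port-only test cannot distinguish from a working server.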

Configure the alerter to use SNMP

From the SNMP tab, you can configure SNMP traps for either SNMP v2c or v3.

To use SNMP for alert emails, select Send alert emails using SNMP and then select the SNMP version.

  • For SNMP v2c, provide the following information:
    1. Under Primary host, enter the IP address or hostname to which to send the SNMP trap.
    2. Optionally, click Test Connection to verify the SNMP address and port (162). This only tests that the specified host and port are reachable. The test does not verify that a working SNMP server is listening there. A dialog box informs you whether the operation succeeded or failed.
    3. Under Trap community name and Re-enter trap community name, enter the community name for the trap.
    4. Optionally, select Secondary host to add a secondary host:
      1. Under Secondary host, enter the IP address or hostname to which to send the SNMP trap.
      2. Optionally, click Test Connection to verify the SNMP address and port.
      3. Under Trap community name and Re-enter trap community name, enter the community name for the trap.
  • For SNMP v3, provide the following information:
    1. Under Primary host, enter the IP address or hostname to which to send the SNMP trap.
    2. Optionally, click Test Connection to verify the SNMP address and port (162). This only tests that the specified host and port are reachable. The test does not verify that a working SNMP server is listening there. A dialog box informs you whether the operation succeeded or failed.
    3. Under User name, provide the name of the SNMP user.
    4. Under Authentication protocol, select either the MD5 or SHA protocol. The default is MD5.
    5. Enter (and then re-enter) an authentication password.
    6. Under Encryption protocol, select either AES or DES encryption. Guardium suggests that you select AES.
    7. Enter (and then reenter) an encryption password.
  • Click Save to save the configuration.
    Note: The Alerter does not use the new configuration until it is restarted.
  • Click Restart to restart the Alerter with the new configuration.

Set up the external ticketing system

From the Alerter page, you can go to the External Ticketing System page to set up external tickets for alerts. For more information, see Configuring an external ticketing system.