Flood configuration rules file
Use the flood.config.rules file to set the configuration variables that are used to detect an event flood or an anomalous event rate. This file must be used in conjunction with the flood rules file flood.rules.
The entries in the flood.config.rules file, and the actions that you can take to amend the values, are described in the following table. The entries are shown in the order in which they are defined in the file, starting from the top.
| Entry | Description | Action |
|---|---|---|
| DefaultOS = registertarget(%Server, %ServerBackup, "alerts.status") | This statement registers the default ObjectServer (and backup ObjectServer, if one is configured) as a target for alerts. In the flood rules file, this is the target ObjectServer to which an informational alert is sent when the current event rate from probe sources is unusually high or low, or when an event flood starts and ends. The default table to which the alert is sent is alerts.status. | Change the alerts table name to a preferred valid name. |
| #FloodEventOS = registertarget("NCOMS_BK", "", "alerts.status") | This commented-out line registers an NCOMS_BK backup ObjectServer. In the flood rules file, this is an alternative target ObjectServer to which alerts with particular severity levels can be diverted during an event flood. | Uncomment this line if you want to divert alerts to this ObjectServer when an event flood is detected. Change the ObjectServer name and the alerts table name to preferred valid names. |
| array event_rate_array | This array is defined to hold all the event rate calculation variables. These variables are used throughout the flood rules file. | N/A |
| $average_event_rate_time_window | These elements store values that are used to calculate what is considered to be the average (or normal) rate of receipt of events: In the flood rules file, these elements are used to capture the event count in the last n seconds before the current time, and to calculate the average event rate during this period. | Change the default values as appropriate for your requirements. |
| $flood_detection_time_window | These elements store values that are used to calculate the event flood detection rate, in order to determine whether an event flood is imminent: In the flood rules file, these elements are used to capture the event count in the last n seconds before the current time, and to calculate the flood detection rate during this period. | Change the default values as appropriate for your requirements. |
| $flood_detection_startup_time | This element defines the number of seconds over which the probe runs before event flood detection can begin. | Set a value. |
| $anomaly_detection_time_window | These elements store values that are used to calculate the rate of receipt of events for detecting an anomalous flow: In the flood rules file, these elements are used to capture the event count in the last n seconds before the current time, and to calculate the event rate during this period. | Change the default values as appropriate for your requirements. |
| $flood_detection_event_rate_ | These elements store values that are used to specify event rate thresholds for detecting an event flood or a normal event rate. If the number of events received per second exceeds the value specified for the If the number of events received per second is less than the value specified for the | Change the default values as appropriate for your requirements. Ensure that the value of |
| $lower_event_rate_threshold_multiplier | The $lower_event_rate_threshold_multiplier element sets the multiplier value that is used to calculate the lower event rate threshold for detecting an anomalous event rate. The In the flood rules file, the average event rate is multiplied by these values to set the thresholds for determining unusually low or unusually high event rates. | Change the default values as appropriate for your requirements. |
| $discard_event_during_flood | This element defines whether an alert is discarded during an event flood. A value of 1 equates to TRUE and a value of 0 equates to FALSE. In the flood rules file, if the | Change the default value as appropriate for your requirements. |
| $divert_event_during_flood | This element defines whether an alert is diverted to an alternative ObjectServer during an event flood. A value of 1 equates to TRUE and a value of 0 equates to FALSE. In the flood rules file, if the value of | To divert an alert of a particular severity, ensure that the $divert_event_during_flood value is set to 1 in the flood.config.rules file. Also ensure that the |
| $forward_event_minimum_severity | This element is set to a value of 4 to indicate that events with a severity of major or critical should be forwarded to the primary ObjectServer during an event flood. In the flood rules file, this element is used in the IF condition that defines whether an alert is discarded or diverted during an event flood. | Accept or change the default value as appropriate for your requirements. |
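The following Python simulation is an added example of how the variables in the table above fit together; it is not the probe's flood.rules logic and not part of this documentation. It reuses the variable names that appear in flood.config.rules, but `flood_event_rate_threshold`, `normal_event_rate_threshold` and `upper_event_rate_threshold_multiplier` are assumed names (the table truncates those entries), every default value is constructed for the demo, and the rule that discard takes precedence over divert when both flags are 1 is an assumption. The sample event stream is constructed: one minor (severity 3) event per second, a burst of twelve events in second 10, then a single event after a quiet gap.

```python
"""Added illustration of the event-rate bookkeeping that flood.config.rules
parameterises. Not the probe's flood.rules logic; names marked "assumed"
and all default values are constructed for this demo."""
from collections import deque
from dataclasses import dataclass


@dataclass
class FloodConfig:
    average_event_rate_time_window: int = 10   # seconds; window for the normal rate
    flood_detection_time_window: int = 2       # seconds; window for the flood rate
    flood_detection_startup_time: int = 5      # seconds before detection may begin
    anomaly_detection_time_window: int = 2     # seconds; window for the anomaly check
    lower_event_rate_threshold_multiplier: float = 0.5
    discard_event_during_flood: int = 0        # 1 = TRUE, 0 = FALSE
    divert_event_during_flood: int = 1         # 1 = TRUE, 0 = FALSE
    forward_event_minimum_severity: int = 4    # 4 = major; major and critical always forwarded
    # Assumed names (the page truncates these entries):
    flood_event_rate_threshold: float = 5.0    # events/s above which a flood starts
    normal_event_rate_threshold: float = 2.0   # events/s below which a flood ends
    upper_event_rate_threshold_multiplier: float = 2.0


class FloodDetector:
    """Tracks recent event timestamps and decides each event's disposition."""

    def __init__(self, cfg, start_time):
        self.cfg = cfg
        self.start_time = start_time
        self.timestamps = deque()   # arrival times still inside the longest window
        self.in_flood = False
        self.rate_state = "normal"  # "normal", "high" or "low"; alert only on change

    def _rate(self, now, window):
        """Events per second over the last `window` seconds, including `now`."""
        return sum(1 for t in self.timestamps if now - window < t <= now) / window

    def process(self, now, severity):
        """Record one event; return (disposition, list of alert texts)."""
        cfg = self.cfg
        self.timestamps.append(now)
        longest = max(cfg.average_event_rate_time_window,
                      cfg.flood_detection_time_window,
                      cfg.anomaly_detection_time_window)
        while now - self.timestamps[0] >= longest:
            self.timestamps.popleft()

        alerts = []
        # No detection until the probe has run for the startup period.
        if now - self.start_time < cfg.flood_detection_startup_time:
            return "forward", alerts

        average = self._rate(now, cfg.average_event_rate_time_window)
        flood_rate = self._rate(now, cfg.flood_detection_time_window)
        anomaly_rate = self._rate(now, cfg.anomaly_detection_time_window)

        # A flood starts above the flood threshold and ends below the normal threshold.
        if not self.in_flood and flood_rate > cfg.flood_event_rate_threshold:
            self.in_flood = True
            alerts.append("flood started")
        elif self.in_flood and flood_rate < cfg.normal_event_rate_threshold:
            self.in_flood = False
            alerts.append("flood ended")

        # Anomaly thresholds are the average rate scaled by the two multipliers.
        if anomaly_rate > average * cfg.upper_event_rate_threshold_multiplier:
            state = "high"
        elif anomaly_rate < average * cfg.lower_event_rate_threshold_multiplier:
            state = "low"
        else:
            state = "normal"
        if state != self.rate_state:
            self.rate_state = state
            if state != "normal":
                alerts.append(f"event rate unusually {state}")

        # During a flood, events below the minimum severity are discarded or
        # diverted; discard is given precedence here (an assumption).
        disposition = "forward"
        if self.in_flood and severity < cfg.forward_event_minimum_severity:
            if cfg.discard_event_during_flood == 1:
                disposition = "discard"
            elif cfg.divert_event_during_flood == 1:
                disposition = "divert"
        return disposition, alerts


def simulate(cfg, events, start_time=0):
    """Run a (time, severity) stream through a detector; one result per event."""
    det = FloodDetector(cfg, start_time)
    return [(now, sev) + det.process(now, sev) for now, sev in events]


# Constructed sample stream: one minor event per second, a burst of twelve
# events in second 10 (one major, one warning among them), then a quiet event.
SAMPLE_EVENTS = [(t, 3) for t in range(10)] \
    + [(10, 3)] * 9 + [(10, 3), (10, 5), (10, 2)] + [(13, 3)]

if __name__ == "__main__":
    for now, sev, disposition, alerts in simulate(FloodConfig(), SAMPLE_EVENTS):
        if alerts or disposition != "forward":
            print(f"t={now} sev={sev} {disposition} {alerts}")
```

Running it shows the order in which the table's variables take effect: nothing is evaluated during the startup period, the anomaly alert fires once when the short-window rate crosses the multiplied average, the flood alert fires when the flood-window rate crosses the flood threshold, and from that event on only severity 4 and 5 events are forwarded while the rest are diverted (or discarded when $discard_event_during_flood is 1). The "alert only on state change" behaviour is a design choice of this demo to avoid an informational alert per event.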