Flood configuration rules file

Use the flood.config.rules file to set the configuration variables that are used to detect an event flood or an anomalous event rate. This file must be used in conjunction with the flood rules file flood.rules.

The entries in the flood.config.rules file, and the actions that you can take to amend the values, are described in the following table. The entries are shown in the order in which they are defined in the file, starting from the top.

Table 1. flood.config.rules file entries

Entry: DefaultOS = registertarget(%Server, %ServerBackup, "alerts.status")
Description: This statement registers the default ObjectServer (and the backup ObjectServer, if one is configured) as a target for alerts. In the flood rules file, this is the target ObjectServer to which an informational alert is sent when the current event rate from probe sources is unusually high or low, or when an event flood starts and ends. The default table to which the alert is sent is alerts.status.
Action: Change the alerts table name to a preferred valid name.

Entry: #FloodEventOS = registertarget("NCOMS_BK", "", "alerts.status")
Description: This commented-out line registers a backup ObjectServer named NCOMS_BK. In the flood rules file, this is an alternative target ObjectServer to which alerts with particular severity levels can be diverted during an event flood.
Action: Uncomment this line if you want to divert alerts to this ObjectServer when an event flood is detected. Change the ObjectServer name and the alerts table name to preferred valid names.

Entry: array event_rate_array
Description: This array is defined to hold all the event rate calculation variables. These variables are used throughout the flood rules file.
Action: N/A

Entry: $average_event_rate_time_window, $average_event_rate_max_sample_size
Description: These elements store values that are used to calculate what is considered to be the average (or normal) rate of receipt of events:
  • The $average_event_rate_time_window element defines the maximum time window (in seconds) for which events are kept. This value defines a rolling time window, which is updated by calling the updateload function. The $average_event_rate_time_window element also sets the training period, which is the length of time the probe runs to determine the average or normal event rate.
  • The $average_event_rate_max_sample_size element defines the maximum number of events to keep during the average event rate time window.
In the flood rules file, these elements are used to capture the event count in the last n seconds before the current time, and to calculate the average event rate during this period.
Action: Change the default values as appropriate for your requirements.

Entry: $flood_detection_time_window, $flood_detection_max_sample_size
Description: These elements store values that are used to calculate the event flood detection rate, in order to determine whether an event flood is imminent:
  • The $flood_detection_time_window element defines the maximum time window (in seconds) for which events are kept. This value defines a rolling time window, which is updated by calling the updateload function.
  • The $flood_detection_max_sample_size element defines the maximum number of events to keep during this period.
In the flood rules file, these elements are used to capture the event count in the last n seconds before the current time, and to calculate the flood detection rate during this period.
Action: Change the default values as appropriate for your requirements.

Entry: $flood_detection_startup_time
Description: This element defines the number of seconds for which the probe runs before event flood detection can begin.
Action: Set a value appropriate for your requirements.

Entry: $anomaly_detection_time_window, $anomaly_detection_max_sample_size
Description: These elements store values that are used to calculate the rate of receipt of events for detecting an anomalous flow:
  • The $anomaly_detection_time_window element defines the maximum time window (in seconds) for which events are kept. This value defines a rolling time window, which is updated by calling the updateload function.
  • The $anomaly_detection_max_sample_size element defines the maximum number of events to keep during this period.
In the flood rules file, these elements are used to capture the event count in the last n seconds before the current time, and to calculate the event rate during this period.
Action: Change the default values as appropriate for your requirements.

Entry: $flood_detection_event_rate_flood_threshold, $flood_detection_event_rate_normal_threshold
Description: These elements store the event rate thresholds that are used to detect an event flood or a return to a normal event rate. If the number of events received per second exceeds the value specified for the $flood_detection_event_rate_flood_threshold element, event flood detection is triggered. If the number of events received per second is less than the value specified for the $flood_detection_event_rate_normal_threshold element, a normal event rate is assumed.
Action: Change the default values as appropriate for your requirements. Ensure that the value of $flood_detection_event_rate_normal_threshold is lower than the value of $flood_detection_event_rate_flood_threshold.

Entry: $lower_event_rate_threshold_multiplier, $upper_event_rate_threshold_multiplier
Description: The $lower_event_rate_threshold_multiplier element sets the multiplier value that is used to calculate the lower event rate threshold for detecting an anomalous event rate. The $upper_event_rate_threshold_multiplier element sets the multiplier value that is used to calculate the upper event rate threshold for detecting an anomalous event rate. In the flood rules file, the average event rate is multiplied by these values to set the thresholds for determining unusually low or unusually high event rates.
Action: Change the default values as appropriate for your requirements.

Entry: $discard_event_during_flood
Description: This element defines whether an alert is discarded during an event flood. A value of 1 equates to TRUE and a value of 0 equates to FALSE. In the flood rules file, if the value of $discard_event_during_flood is 1 and the alert is of a lower severity than the value specified for $forward_event_minimum_severity, the alert is discarded.
Action: Change the default value as appropriate for your requirements.

Entry: $divert_event_during_flood
Description: This element defines whether an alert is diverted to an alternative ObjectServer during an event flood. A value of 1 equates to TRUE and a value of 0 equates to FALSE. In the flood rules file, if the value of $divert_event_during_flood is 1 and the alert is of a lower severity than the value specified for $forward_event_minimum_severity, the alert is diverted.
Action: To divert an alert of a particular severity, ensure that the $divert_event_during_flood value is set to 1 in the flood.config.rules file. Also ensure that the registertarget statement with the target of FloodEventOS (defined at the top of the file) is uncommented and configured with the appropriate ObjectServer name and table.

Entry: $forward_event_minimum_severity
Description: This element is set to a value of 4 to indicate that events with a severity of major or critical should be forwarded to the primary ObjectServer during an event flood. In the flood rules file, this element is used in the IF condition that determines whether an alert is discarded or diverted during an event flood.
Action: Accept or change the default value as appropriate for your requirements.
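How these variables interact (the rolling windows bounded by time and sample size, the startup period, the flood/normal threshold pair, the anomaly multipliers, and the discard-or-divert decision by severity) is shown below as a constructed Python simulation added to this page; it is not the probe's own flood.rules code. The numeric values in CONFIG are placeholders (the page gives no defaults), and the rate formula (retained event count divided by the window length) is an assumption.

```python
from collections import deque
# Constructed values: the page gives no defaults, so these numbers are placeholders.
CONFIG = {"average_event_rate_time_window": 60, "average_event_rate_max_sample_size": 1000,
          "flood_detection_time_window": 10, "flood_detection_max_sample_size": 500,
          "anomaly_detection_time_window": 10, "anomaly_detection_max_sample_size": 500,
          "flood_detection_startup_time": 5, "flood_detection_event_rate_flood_threshold": 5.0,
          "flood_detection_event_rate_normal_threshold": 2.0, "lower_event_rate_threshold_multiplier": 0.5,
          "upper_event_rate_threshold_multiplier": 2.0, "discard_event_during_flood": 1,
          "divert_event_during_flood": 0, "forward_event_minimum_severity": 4}

class RateWindow:  # rolling window of event timestamps bounded by a time window (s) and a sample size
    def __init__(self, time_window, max_sample_size):
        self.time_window, self.max_sample_size, self.events = time_window, max_sample_size, deque()

    def updateload(self, now):  # record one event, then age out anything outside the window
        self.events.append(now)
        return self.rate(now)

    def rate(self, now):  # assumption: events retained in the window divided by window length
        ev = self.events
        while ev and (now - ev[0] > self.time_window or len(ev) > self.max_sample_size):
            ev.popleft()
        return len(ev) / self.time_window

class FloodDetector:
    def __init__(self, cfg):
        self.cfg, self.in_flood, self.start_time = cfg, False, None
        self.win = {k: RateWindow(cfg[k + "_time_window"], cfg[k + "_max_sample_size"])
                    for k in ("average_event_rate", "flood_detection", "anomaly_detection")}

    def handle_event(self, now, severity):  # returns 'forward', 'discard' or 'divert' for one event
        cfg = self.cfg
        self.start_time = now if self.start_time is None else self.start_time
        for w in self.win.values():
            w.updateload(now)
        if now - self.start_time >= cfg["flood_detection_startup_time"]:  # startup period over
            rate = self.win["flood_detection"].rate(now)
            if not self.in_flood and rate > cfg["flood_detection_event_rate_flood_threshold"]:
                self.in_flood = True   # flood starts
            elif self.in_flood and rate < cfg["flood_detection_event_rate_normal_threshold"]:
                self.in_flood = False  # flood ends; the gap between the thresholds is the hysteresis
        if self.in_flood and severity < cfg["forward_event_minimum_severity"]:
            return ("discard" if cfg["discard_event_during_flood"] else
                    "divert" if cfg["divert_event_during_flood"] else "forward")
        return "forward"

    def anomaly(self, now):  # 'high', 'low' or 'normal': current rate vs the scaled average rate
        avg, cur = (self.win[k].rate(now) for k in ("average_event_rate", "anomaly_detection"))
        return ("high" if cur > avg * self.cfg["upper_event_rate_threshold_multiplier"] else
                "low" if cur < avg * self.cfg["lower_event_rate_threshold_multiplier"] else "normal")
```

Feeding a constructed burst of ten events per second through handle_event shows everything forwarded during the startup period, then minor-severity events discarded once the flood threshold is crossed, and the flood ending only after the rate drops below the lower normal threshold.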