Creating an email notification for a failed backup

To receive a notification by email about a backup failure on the IBM QRadar Console or a QRadar Event Processor, create a rule that is based on the system notification message.

Before you begin

You must configure an email server to distribute system notifications in QRadar. For more information, see Configuring your local firewall.

About this task

If a backup fails, you see one of the following backup failure system notifications:

  • Backup: requires more disk space
  • Backup: last Backup exceeded execution threshold
  • Backup: unable to execute request

Procedure

  1. Click the Offenses tab.
  2. In the Offenses pane, click Rules.
  3. Click Actions > New Event Rule.
  4. In the Rule Wizard, check the Skip this page when running this rules wizard box and click Next.
  5. In the filter box, type the following search query:

    when the event QID is one of the following QIDs

    Learn more about tests:
    Figure 1. Rule Wizard event test
    The Rule Wizard with the when the event QID is one of the following QIDs test in the Rule pane.
  6. Click the green add (+) icon.
  7. In the Rule pane, click the QIDs link.
  8. In the QID/Name field, type Backup:
  9. Select the following QIDs and click Add +:
    • Backup requires more disk space
    • Backup: last backup exceeded execution threshold
    • Backup unable to execute request
    Learn more about QIDs:
    Figure 2. Rule Wizard QIDs
    QIDs 38750033, 38750053, and 38750059 are selected and added in the Rule Wizard.
  10. Click Submit.
  11. In the Rule pane, type the following name for your rule test and click Next:

    Backup Failure

  12. In the Rule Response section, check the Email box and type the email addresses you want to notify.