Timeout filter


Overview

This filter triggers only when the preceding filters in the rule have not been matched X times in Y minutes.

 

The Flags/Counters filters need to be placed after all the other filter types in the rule, so that the other filters are processed first.

 

 

Details

The Timeout filter is useful for monitoring syslog devices and notifying you when things go quiet. For example, the firewall might normally generate at least 200 messages per hour. If the number of messages suddenly dropped to only 10 in an hour, or the device stopped sending messages altogether, you could be alerted to the inconsistency via e-mail.

 

This filter is different from the other flags/counters filters in that it is not fired by an incoming message. It is fired by a countdown timer when too few messages arrive. Therefore, when this filter fires, no current message is associated with the event. Instead, an informational message is created and passed to any actions below the filter. The message has the following format:

 

Priority: Local7.Debug (191)

HostIP: 127.0.0.1 (localhost)

MsgText: The rule 'Rule name here' has only been matched X times in Y minutes. The threshold was set for Z times.

 

Rule: Firewall Monitor

 Filters

   Filter: Field=Hostname, Type=Simple.

           Include: "firewall.company.com" [S]

   Filter: Field=Flags/Counters, Type=Timeout

           Filter is true if event doesn't occur 1 times in 5 minutes.

   Filter: Field=Time of Day, Type=Time of Day

          Monday to Friday 8:00 a.m. to 6:00 p.m.

 

 Actions

   Action: Send E-mail message

           E-mail body: Firewall is not alive

          Alert - %MsgText

 

%MsgText will read:

The rule 'Firewall Monitor' has only been matched 0 times in 5 minutes. The threshold was set for 1 times.

 

When no messages arrive from the host "firewall.company.com" in 5 minutes, the countdown timer fires. The filters that follow the Timeout filter are then tested, and if they pass (the time is between 8:00 a.m. and 6:00 p.m. on a weekday), the actions are performed. Remember that, unlike the other filters, this filter is not triggered by a particular message; it is triggered when the countdown timer elapses. An informational message is created and used as the current message, and actions can then use this informational message in alerts and other outputs.
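The "Firewall Monitor" rule above, modelled in Python as an added example (not code from the product or this page). The countdown timer is approximated by counting matches of the Hostname filter in the Y-minute window ending at the evaluation time; the sample events, the 6:00 p.m. end-exclusive boundary and the function names are assumptions made for the example.

```python
import datetime as dt

# Constructed sample syslog events (timestamp, source hostname, text); not from the page.
SAMPLE_EVENTS = [
    (dt.datetime(2024, 1, 8, 8, 58, 0), "firewall.company.com", "accept tcp 10.0.0.5 -> 10.0.1.2:443"),
    (dt.datetime(2024, 1, 8, 9, 0, 0), "firewall.company.com", "drop udp 10.0.0.9 -> 10.0.1.2:53"),
    (dt.datetime(2024, 1, 8, 9, 4, 0), "www.company.com", "GET /index.html 200"),  # other host, ignored
]

def timeout_filter(events, rule_name, host, threshold, minutes, now):
    """Model of the Timeout filter: count how often the preceding Hostname
    filter matched in the last `minutes` minutes; if fewer than `threshold`,
    return the informational message in the documented format, else None."""
    window_start = now - dt.timedelta(minutes=minutes)
    count = sum(1 for ts, h, _ in events if h == host and window_start < ts <= now)
    if count >= threshold:
        return None  # enough traffic: the countdown timer was reset in time
    return {
        "Priority": "Local7.Debug (191)",
        "HostIP": "127.0.0.1 (localhost)",
        "MsgText": (f"The rule '{rule_name}' has only been matched {count} times in "
                    f"{minutes} minutes. The threshold was set for {threshold} times."),
    }

def time_of_day_filter(now):
    """Monday to Friday, 8:00 a.m. to 6:00 p.m. (end time assumed exclusive)."""
    return now.weekday() < 5 and dt.time(8, 0) <= now.time() < dt.time(18, 0)

def evaluate_rule(events, now):
    """Run the 'Firewall Monitor' rule from the page: Hostname -> Timeout ->
    Time of Day, then the e-mail action. Returns the e-mail body or None."""
    info = timeout_filter(events, "Firewall Monitor", "firewall.company.com",
                          threshold=1, minutes=5, now=now)
    if info is None or not time_of_day_filter(now):
        return None
    # %MsgText is substituted from the informational message, not from a real syslog event.
    return f"Firewall is not alive\nAlert - {info['MsgText']}"

if __name__ == "__main__":
    # Monday 09:03 (firewall seen at 09:00), Monday 09:10 (quiet), Saturday 09:10 (quiet, outside hours)
    for when in (dt.datetime(2024, 1, 8, 9, 3), dt.datetime(2024, 1, 8, 9, 10),
                 dt.datetime(2024, 1, 13, 9, 10)):
        print(when, "->", evaluate_rule(SAMPLE_EVENTS, when))
```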