Overview
This filter triggers only when the preceding filters have not been matched X times in Y minutes.
The Flags/Counters filters need to be placed after all the other filter types in the rule, so that those filters are evaluated first and only the messages that pass them are counted.
Details
The Timeout filter is useful for monitoring syslog devices and notifying you when things go quiet. For example, the firewall might normally generate at least 200 messages per hour. If the number of messages suddenly dropped to only 10 in the hour, or the device stopped sending messages altogether, you could be alerted to the drop by e-mail.
This filter differs from the other flags/counters filters in that it is not fired by an incoming message. It is fired by a countdown timer that elapses because too few messages have arrived. Therefore, when this filter fires, no current message is associated with the event. Instead, an informational message is created and passed to any actions below the filter. The message has the following format:
Priority: Local7.Debug (191)
HostIP: 127.0.0.1 (localhost)
MsgText: The rule 'Rule name here' has only been matched X times in Y minutes. The threshold was set for Z times.
Rule: Firewall Monitor
Filters
Filter: Field=Hostname, Type=Simple
Include: "firewall.company.com" [S]
Filter: Field=Flags/Counters, Type=Timeout
Filter is true if event doesn't occur 1 times in 5 minutes.
Filter: Field=Time of Day, Type=Time of Day
Monday to Friday 8:00 a.m. to 6:00 p.m.
Actions
Action: Send E-mail message
E-mail body: Firewall is not alive
Alert - %MsgText
%MsgText will read:
The rule 'Firewall Monitor' has only been matched 0 times in 5 minutes. The threshold was set for 1 times.
When no messages arrive from the host "firewall.company.com" in 5 minutes, the countdown timer fires. The filters that follow the Timeout filter are then tested, and if they pass (the time is between 8:00 a.m. and 6:00 p.m. on a weekday), the actions are performed. Remember that this filter is not triggered by a particular message like the other filters; it is triggered when the countdown timer elapses. An informational message is created and used as the current message, so actions can include it in alerts and other output.
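The following is an added example, not the product's own code, that models the Firewall Monitor rule above: messages are counted only after passing the preceding Hostname filter, a clock tick (not a message) evaluates the countdown, and the synthesized informational message is passed through the trailing Time of Day filter into the e-mail action. The hostnames, timestamps, and message texts are constructed, and the timer is modelled as back-to-back fixed windows of Y minutes, which is an assumption because the page does not state the product's exact timer semantics.

```python
"""Model of a syslog rule using a Flags/Counters Timeout filter (added example).
Assumption: the countdown is modelled as consecutive fixed windows of Y minutes."""
from dataclasses import dataclass, field
from datetime import datetime, time, timedelta
from typing import Dict, List, Optional


@dataclass
class SyslogMessage:
    timestamp: datetime
    hostname: str
    text: str


# Constructed sample traffic (hosts, times and texts invented for this example).
# The firewall falls silent after 09:01:30 while another device keeps logging.
SAMPLE_MESSAGES = [
    ("2024-03-04 09:00:10", "firewall.company.com", "deny tcp 10.0.0.5 -> 203.0.113.7/23"),
    ("2024-03-04 09:01:30", "firewall.company.com", "permit tcp 10.0.0.8 -> 198.51.100.2/443"),
    ("2024-03-04 09:02:05", "switch01.company.com", "Gi1/0/3 link up"),
    ("2024-03-04 09:06:00", "switch01.company.com", "Gi1/0/3 link down"),
    ("2024-03-04 09:12:40", "switch01.company.com", "Gi1/0/3 link up"),
]
# Constructed timer ticks at which the countdown is re-evaluated (a Monday).
CLOCK_TICKS = [datetime(2024, 3, 4, 9, m, 0) for m in (5, 10, 15)]


def parse(ts: str, host: str, text: str) -> SyslogMessage:
    return SyslogMessage(datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), host, text)


@dataclass
class TimeoutFilter:
    """Field=Flags/Counters, Type=Timeout: true when the event occurred fewer
    than `threshold` (Z) times in `window` (Y minutes)."""
    rule_name: str
    threshold: int
    window: timedelta
    window_start: datetime
    match_times: List[datetime] = field(default_factory=list)

    def record_match(self, when: datetime) -> None:
        """Called for each message that passed the filters placed before this one."""
        self.match_times.append(when)

    def check(self, now: datetime) -> Optional[Dict[str, str]]:
        """Called on a clock tick, never on a message. Returns the informational
        message if the window elapsed with too few matches, otherwise None."""
        window_end = self.window_start + self.window
        if now < window_end:
            return None
        count = sum(1 for t in self.match_times if self.window_start <= t < window_end)
        # Begin the next countdown window whether or not this one fired.
        self.window_start = window_end
        self.match_times = [t for t in self.match_times if t >= window_end]
        if count >= self.threshold:
            return None
        minutes = int(self.window.total_seconds() // 60)
        return {
            "Priority": "Local7.Debug (191)",
            "HostIP": "127.0.0.1 (localhost)",
            "MsgText": (f"The rule '{self.rule_name}' has only been matched {count} times "
                        f"in {minutes} minutes. The threshold was set for {self.threshold} times."),
        }


def hostname_filter(msg: SyslogMessage, include: str) -> bool:
    """Field=Hostname, Type=Simple, Include: case-insensitive exact host match."""
    return msg.hostname.lower() == include.lower()


def time_of_day_filter(now: datetime, start: time, end: time) -> bool:
    """Field=Time of Day: Monday to Friday between `start` and `end`."""
    return now.weekday() < 5 and start <= now.time() <= end


def email_action(info: Dict[str, str], body_template: str) -> str:
    """Send E-mail action: %MsgText is replaced with the informational message text."""
    return body_template.replace("%MsgText", info["MsgText"])


def run_rule(messages: List[SyslogMessage], ticks: List[datetime]) -> List[str]:
    """Replay messages and timer ticks in time order; return the e-mail bodies sent."""
    tf = TimeoutFilter("Firewall Monitor", threshold=1, window=timedelta(minutes=5),
                       window_start=datetime(2024, 3, 4, 9, 0, 0))
    events = sorted([(m.timestamp, "msg", m) for m in messages] +
                    [(t, "tick", None) for t in ticks], key=lambda e: e[0])
    sent = []
    for when, kind, msg in events:
        if kind == "msg":
            # Only messages passing the preceding Hostname filter count as matches.
            if hostname_filter(msg, "firewall.company.com"):
                tf.record_match(when)
        else:
            info = tf.check(when)
            # Filters placed after the Timeout filter are tested at the tick time.
            if info and time_of_day_filter(when, time(8, 0), time(18, 0)):
                sent.append(email_action(info, "Firewall is not alive\nAlert - %MsgText"))
    return sent


def demo() -> List[str]:
    return run_rule([parse(*m) for m in SAMPLE_MESSAGES], CLOCK_TICKS)
```

Running `demo()` yields two e-mail bodies, one for each 5-minute window (09:05 to 09:10 and 09:10 to 09:15) in which no firewall messages arrived; the first body ends with exactly the %MsgText shown above. The switch messages never reset the countdown because they fail the Hostname filter, which is why the filter ordering matters: whatever precedes the Timeout filter defines what "the event" is. Note also that a window suppressed by the trailing Time of Day filter is still consumed, so an outage that begins after hours only produces an alert once a full window elapses inside business hours.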