Configure the Target for Syslog Messages

Configure Syslog alerting to identify a target Syslog server that will receive messages when sensors report a threshold violation. If Syslog alerting is not configured, the alerts that sensors generate may appear on the Anomaly Detector report page, but no messages are sent to report the alerts.

Prerequisites for Syslog Alerting:

• Set up a Syslog server.
• Configure a service on the Syslog server to read syslog messages from CA Anomaly Detector.

Follow these steps:

1. Log in to the CA NetQoS Performance Center Console as a user with administrator privileges.
2. Select Admin, Data Sources.

   The Data Source List page opens.

3. Click the name of the CA Anomaly Detector instance that you want to configure.

   The Monitored Products page opens.

4. Click View Alert Targets.

   The Alert Targets page opens.

5. Double-click the syslogging row.

   The Edit Alert Target page opens.

6. Specify the Target: Enter the IP address or DNS hostname of the system that will receive the Syslog information.
7. Select one or both of the following options to enable the alert:
   • Basic State: Send alerts whenever any single sensor detects an anomaly that crosses a threshold.
   • Cluster State: Send alerts only when the requirements for a correlated anomaly are met.

     This is the recommended setting for first-time use of CA Anomaly Detector. If you have already disabled alerts for the sensors that are irrelevant to you, the recommended setting is Basic State. For more information about these recommendations, see the Best Practice note that follows.

     For information about what constitutes a correlated anomaly, see Correlated Anomalies on page 7.

8. Click Save.

   You return to the Alert Targets page, which reflects any changes you saved.

Best Practices:

Alerts are enabled for most sensors by default so that when you start using CA Anomaly Detector, you can review a wide range of anomalous behaviors with a minimum of configuration. If you use Syslog alerting and you select the Basic State option at this stage, you may see so many anomalies that you cannot determine which ones are significant.

If you begin by selecting the Cluster State option for alert targets, the anomalies you see are much more likely to be significant. You can quickly determine which sensors are useful to you. At this point you can disable alerts for the other sensors, then start using the Basic State option. This produces in an expanded set of results for the anomaly types that interest you. The anomalies from the other sensors are eliminated.

To explore all of the potential anomaly cluster types, you may want to enable any disabled sensors. In this case, use the Cluster State option.