A Syslog Anomaly Cluster message reports an alert for a group of anomalies. The following example shows the message fields for an Anomaly Cluster message:
02-12-2009 17:51:42 Local0.Alert 10.0.23.138 Feb 12 17:51:42 sk23-138 CEF:0|NetQoS|AnomalyDetector|9.2.0.1|2161393963:1234482300|AnomalyCluster|10|src=xxx.212.65.43 start=2/12/2009 5:45:00 PM msg=AnomalyCluster: anomalies included Frags, FragsAndLoss anomalyScore 10 max anomaly probability 90%. Routers/interfaces close to the issue (for further analysis or ACL) are 10.00.00.100 : 12, 10.00.30.100 : 0, 172.10.00.9 : 2, 10.20.00.10 : 169418917
The sixth CEF field identifies the sensor type that detected the violation. Because an Anomaly Cluster message covers multiple sensor types, the sixth CEF field always has the value AnomalyCluster, and the individual sensor types are listed in the message body instead. The msg field format is as follows:
msg=AnomalyCluster: anomalies included LISTOFANOMALIESVALUE anomalyScore CLUSTERSCOREVALUE max anomaly probability PROBVALUE%. OptionalROUTERINFOVALUE
where:
LISTOFANOMALIESVALUE: List of the anomalies in the cluster, comma-delimited in the following manner: fanOut, SYNOnly, and topNullRoutes.
CLUSTERSCOREVALUE: Weighted severity value. The cluster score is the weighted count of anomalies. Secondary role anomalies, such as flows, volume in, and volume out, count as 0.5. All other anomalies count as 1.
PROBVALUE: Maximum anomaly probability of the anomalies in the cluster. The PROBVALUE field is similar to the field in the basic anomaly message, except that it identifies the maximum probability across all the anomalies in the cluster.
ROUTERINFOVALUE (optional): Provided only for anomalies that are based on NetFlow. The close router and interface information is derived from the router that sent the flow data. The format for ROUTERINFOVALUE is as follows:
Routers/interfaces close to the issue (for further analysis or ACL) are ROUTERandINTERFACElistVALUE
where:
ROUTERandINTERFACElistVALUE: List of the router IP addresses and the associated incoming interface index (ifIndex), for example: 199.30.15.30 : 1, 199.30.15.30 : 1, 199.30.15.30 : 1. The router : interface pairs follow the same order as the anomaly types that are reported in the LISTOFANOMALIESVALUE field.
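The following parser is an added example, not code from CA Technologies or from the Anomaly Detector product. It splits the CEF header and extension of an Anomaly Cluster message as laid out above, then breaks the msg body into the anomaly list, cluster score, maximum probability and the optional router : interface pairs, and separately implements the weighted count that defines CLUSTERSCOREVALUE. The sample line is the one shown above, embedded as constructed test input; the anomaly type tokens used for the secondary-role anomalies ("flows", "volumein", "volumeout") are assumptions, since the page names them only in prose.

```python
import re
from dataclasses import dataclass

# Constructed sample input: the Anomaly Cluster message shown on the page.
SAMPLE = (
    "02-12-2009 17:51:42 Local0.Alert 10.0.23.138 Feb 12 17:51:42 sk23-138 "
    "CEF:0|NetQoS|AnomalyDetector|9.2.0.1|2161393963:1234482300|AnomalyCluster|10|"
    "src=xxx.212.65.43 start=2/12/2009 5:45:00 PM msg=AnomalyCluster: anomalies included "
    "Frags, FragsAndLoss anomalyScore 10 max anomaly probability 90%. "
    "Routers/interfaces close to the issue (for further analysis or ACL) are "
    "10.00.00.100 : 12, 10.00.30.100 : 0, 172.10.00.9 : 2, 10.20.00.10 : 169418917"
)

# CEF header layout: CEF:Version|Device Vendor|Device Product|Device Version|Signature ID|Name|Severity|Extension
HEADER_KEYS = ("version", "vendor", "product", "device_version", "signature_id", "name", "severity")

# msg body layout from the page; the router/interface tail is optional (NetFlow-based anomalies only).
MSG_RE = re.compile(
    r"^AnomalyCluster: anomalies included (?P<anomalies>.+?) anomalyScore (?P<score>\d+(?:\.\d+)?) "
    r"max anomaly probability (?P<prob>\d+)%\."
    r"(?: Routers/interfaces close to the issue \(for further analysis or ACL\) are (?P<routers>.+))?\s*$"
)

# Assumption: normalised names of the secondary-role anomalies the page lists in prose
# (flows, volume in, volume out). The exact tokens the product emits are not on the page.
SECONDARY_ROLE = {"flows", "volumein", "volumeout"}


@dataclass
class AnomalyCluster:
    header: dict
    src: str
    start: str
    anomalies: list
    score: float
    max_probability: int
    routers: list  # [(router_ip, ifindex), ...] in message order


def parse_extension(ext: str) -> dict:
    """Split a CEF extension into key=value pairs.

    Values such as start=... and msg=... contain spaces, so split only where a
    space is followed by another key= token rather than on every space."""
    fields = {}
    for chunk in re.split(r" (?=\w+=)", ext):
        key, _, value = chunk.partition("=")
        fields[key] = value
    return fields


def parse_anomaly_cluster(line: str) -> AnomalyCluster:
    # Everything before "CEF:" is the syslog transport prefix (timestamp, facility, relay host).
    cef_at = line.find("CEF:")
    if cef_at < 0:
        raise ValueError("no CEF record in line")
    parts = line[cef_at:].split("|", 7)  # 7 header fields + 1 extension
    if len(parts) != 8:
        raise ValueError("malformed CEF header")
    header = dict(zip(HEADER_KEYS, parts[:7]))
    header["version"] = header["version"][len("CEF:"):]
    header["severity"] = int(header["severity"])
    if header["name"] != "AnomalyCluster":
        raise ValueError(f"not an AnomalyCluster message: {header['name']}")

    ext = parse_extension(parts[7])
    m = MSG_RE.match(ext.get("msg", ""))
    if not m:
        raise ValueError("msg field does not match the AnomalyCluster layout")

    # Comma-delimited list; tolerate an "and" before the last item as in the page's example.
    anomalies = [a.strip().removeprefix("and ").strip() for a in m["anomalies"].split(",")]
    routers = []
    if m["routers"]:
        for pair in m["routers"].split(","):
            ip, _, ifindex = pair.partition(":")
            routers.append((ip.strip(), int(ifindex)))

    return AnomalyCluster(
        header=header,
        src=ext.get("src", ""),
        start=ext.get("start", ""),
        anomalies=anomalies,
        score=float(m["score"]),
        max_probability=int(m["prob"]),
        routers=routers,
    )


def cluster_score(anomalies) -> float:
    """Weighted anomaly count as the page defines CLUSTERSCOREVALUE:
    secondary-role anomalies count 0.5, every other anomaly counts 1."""
    total = 0.0
    for name in anomalies:
        key = name.replace(" ", "").lower()
        total += 0.5 if key in SECONDARY_ROLE else 1.0
    return total


if __name__ == "__main__":
    c = parse_anomaly_cluster(SAMPLE)
    print(c.header["signature_id"], c.anomalies, c.score, c.max_probability, c.routers)
```

The router : interface pairs are returned in message order and left unpaired with the anomaly list; a consumer that wants to attribute each pair to an anomaly type should check that both lists have the same length first, since a mismatch (as in the sample line, which carries two anomalies and four pairs) means the positional mapping cannot be trusted.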
Copyright © 2015 CA Technologies.
All rights reserved.