

Customize Queries to Retrieve Only Severe Events

Predefined queries that are not tagged as action alerts are designed for reports. It is appropriate for reports to contain data reflecting events of all levels of severity. You can customize selected queries to retrieve only severe events. To do this, you identify a query that retrieves severe events along with less severe events, copy it, add filters that restrict retrieval to only the severe event, and save the copy for selection in an alert.

Before you begin, have at hand your spreadsheet that lists the definitions of severe events. This example is based on the following CEG information:

Category              Class            Action           Result   Security Level
Operational Security  System Activity  System Shutdown  Success  7
Operational Security  System Activity  System Shutdown  Failure  7

The query to customize retrieves events for both system shutdown and system startup.

To customize a query to retrieve only severe events

  1. Click the Queries and Reports tab.
  2. Select a query tag filter that matches the Category of a severe event.

    For example, select Operational Security.

  3. Review the query list for queries with names containing keywords found in the Class or Action for the identified event type.

    For example, the keywords System Shutdown appear in queries beginning with the phrase System Startup or Shutdown by Host.

    Select Configuration Management and view queries on the list that begin with System Startup or Shutdown.

  4. Copy the query System Startup or Shutdown by Host Detail. Highlight the query and select Copy from the Options drop-down list.
  5. Click Query Filters and compare the default with the table entries for the severe event type.

    For this query, only Operational Security is selected.

  6. Refer to the table for values to enter for Class and Action.

    For example, select System Activity for the Class and System Shutdown for the action.

    Add Event Class is System Activity and Event Action is System Shutdown.

  7. Select the Advanced Filters tab to determine whether modification is needed.

    Click Delete for each line, since the filter "event_action is equal to system startup or shutdown" is not pertinent to this custom query.

  8. Replace that with a filter for the result.

    For example, create a filter where event_result is equal to either success or failure.

    Click Add, select event_result for Column and Equal To for Operator, and select S for Value. Select Or for Logic, then repeat the same filter line except enter F for Value.

  9. Click Details and name the query in a way that indicates you want to use it for an alert.

    For example, enter Alert: System Shutdown by Host Detail as the name. Change the description accordingly.

  10. Click Result Conditions. For severe conditions, consider querying frequently.

    For example, select the predefined range for the last 5 minutes to run the query every 5 minutes for the occurrence of this severe event.

    Select Last 5 minutes from the Predefined Ranges drop-down list.

  11. Click Save.

    You can create an alert with this query to notify a person, product, or process of a successful system shutdown or a failed shutdown attempt. (Product notification is done through SNMP traps; process notification is done through IT PAM event/alert output.)
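The difference between the predefined report query and the customized alert query, as an added example that is not part of the product or of this documentation. It applies both filters to a handful of constructed CEG-style events; the column names event_category and event_class are assumed to follow the event_action and event_result naming used in the procedure, and the S/F result values encode Success/Failure as the procedure states.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample events; field names follow the event_* columns in the procedure.
NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
EVENTS = [
    {"host": "srv01", "event_category": "Operational Security", "event_class": "System Activity",
     "event_action": "System Shutdown", "event_result": "S", "time": NOW - timedelta(minutes=2)},
    {"host": "srv02", "event_category": "Operational Security", "event_class": "System Activity",
     "event_action": "System Shutdown", "event_result": "F", "time": NOW - timedelta(minutes=1)},
    {"host": "srv01", "event_category": "Operational Security", "event_class": "System Activity",
     "event_action": "System Startup", "event_result": "S", "time": NOW - timedelta(minutes=3)},
    {"host": "srv03", "event_category": "Operational Security", "event_class": "System Activity",
     "event_action": "System Shutdown", "event_result": "S", "time": NOW - timedelta(minutes=30)},
    {"host": "srv04", "event_category": "Configuration Management", "event_class": "Policy",
     "event_action": "Policy Change", "event_result": "S", "time": NOW - timedelta(minutes=1)},
]


def matches_report_query(ev):
    """Filter of the predefined 'System Startup or Shutdown by Host Detail' report query:
    category Operational Security, action startup OR shutdown, no time window."""
    return (ev["event_category"] == "Operational Security"
            and ev["event_action"] in ("System Startup", "System Shutdown"))


def matches_alert_query(ev, now=NOW, window=timedelta(minutes=5)):
    """Filter of the customized 'Alert: System Shutdown by Host Detail' query:
    Class and Action pinned to the severe event, result S or F, last 5 minutes."""
    return (ev["event_category"] == "Operational Security"
            and ev["event_class"] == "System Activity"
            and ev["event_action"] == "System Shutdown"
            and ev["event_result"] in ("S", "F")
            and now - window <= ev["time"] <= now)


def run(query, events=EVENTS):
    """Return (host, action, result) for each event the query filter retrieves."""
    return [(e["host"], e["event_action"], e["event_result"]) for e in events if query(e)]


if __name__ == "__main__":
    print("report query :", run(matches_report_query))
    print("alert query  :", run(matches_alert_query))
```

The report filter returns the startup event and the 30-minute-old shutdown as well; the alert filter returns only the two recent shutdown events (one success, one failed attempt), which is what the alert should fire on.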