Look for a solution to limit number of positives for an alert to 24 hours. Right now I have an alert for site to site VPNs down but it is alerting me about disconnects from greater than 5 minutes. As you can imagine that would return all vpn disconnects for as long as the machine has been up. So I want to limit it to the last 24 hours.
Is that possible? Below is the alert rule:
syslog.timestamp >= "macros.past_5m" AND syslog.msg REGEXP "ASA-4-113019" AND syslog.msg REGEXP "LAN-to-LAN" AND syslog.msg NOT REGEXP "User Requested" AND syslog.msg NOT REGEXP "Idle Timeout"
Could I limit the results in the alert template?
If you want past_24h you could create a custom macro, e.g. "past_24h": "DATE_SUB(NOW(),INTERVAL 1 DAY)"
or, perhaps easier, specify it in the alert directly like this: Realtime syslog alerting
You might need to fix the timestamp bug (Alert rule: syslog.timestamp check bug?), and I think you can just use contains instead of regex.
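To see what the 24h window changes, here is an added Python emulation of the thread's rule (not LibreNMS code; the "now" value, the rows and the ASA message text are constructed) run over a few syslog rows with both a 5 minute and a 1 day window, using plain substring checks in place of the REGEXP clauses:

```python
"""Emulates the LAN-to-LAN VPN-down alert rule from this thread over constructed
syslog rows, comparing the past_5m macro with a past_24h macro."""
from datetime import datetime, timedelta

# Fixed "now" so the example is deterministic (assumption, not a real clock).
NOW = datetime(2024, 1, 10, 12, 0, 0)

# Macros as the rule sees them: each maps "now" to the lower bound of the window.
# past_24h mirrors the reply's DATE_SUB(NOW(), INTERVAL 1 DAY) macro.
MACROS = {
    "past_5m": lambda now: now - timedelta(minutes=5),
    "past_24h": lambda now: now - timedelta(days=1),
}

# Constructed sample rows with the columns the rule references (timestamp, msg).
# The message bodies follow the shape of a Cisco ASA 113019 session-disconnect
# line but are made up for this example.
SAMPLE_SYSLOG = [
    {"id": 1, "timestamp": NOW - timedelta(minutes=2),
     "msg": "%ASA-4-113019: Group = tun1, Session disconnected. Session Type: LAN-to-LAN, Reason: Lost Service"},
    {"id": 2, "timestamp": NOW - timedelta(hours=3),
     "msg": "%ASA-4-113019: Group = tun2, Session disconnected. Session Type: LAN-to-LAN, Reason: Peer Reboot"},
    {"id": 3, "timestamp": NOW - timedelta(days=3),
     "msg": "%ASA-4-113019: Group = tun1, Session disconnected. Session Type: LAN-to-LAN, Reason: Lost Service"},
    {"id": 4, "timestamp": NOW - timedelta(hours=1),
     "msg": "%ASA-4-113019: Group = tun3, Session disconnected. Session Type: LAN-to-LAN, Reason: User Requested"},
    {"id": 5, "timestamp": NOW - timedelta(hours=1),
     "msg": "%ASA-4-113019: Group = ra, Session disconnected. Session Type: Remote Access, Reason: Idle Timeout"},
    {"id": 6, "timestamp": NOW - timedelta(minutes=30),
     "msg": "%ASA-6-302013: Built outbound TCP connection for outside:10.0.0.1/443"},
]


def vpn_down_rule(rows, now, window="past_24h"):
    """Return the rows the alert rule would match inside the given macro window.

    Mirrors: timestamp >= macro AND msg has "ASA-4-113019" AND "LAN-to-LAN"
    AND NOT "User Requested" AND NOT "Idle Timeout" (substring checks, not regex).
    """
    since = MACROS[window](now)
    hits = []
    for row in rows:
        msg = row["msg"]
        if row["timestamp"] < since:            # outside the time window
            continue
        if "ASA-4-113019" not in msg or "LAN-to-LAN" not in msg:
            continue                            # not a LAN-to-LAN disconnect
        if "User Requested" in msg or "Idle Timeout" in msg:
            continue                            # expected / benign disconnects
        hits.append(row)
    return hits


def matched_ids(window):
    return [row["id"] for row in vpn_down_rule(SAMPLE_SYSLOG, NOW, window)]
```

With these rows the 5 minute window returns only row 1, while the 1 day window also returns row 2 and still drops the 3 day old row 3.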
I will review the possible solutions and let you know what worked.
Thank you so much.
Will this work for a macro? I want the current date.
// Macro value is a string that is substituted into the rule's SQL, so CURDATE() is quoted
$config['alert']['macros']['rule']['date'] = 'CURDATE()';