Legal Disclaimer: The resource assets in this website may include abbreviated and/or legacy terminology for HPE Aruba Networking products. See www.arubanetworks.com for current and complete HPE Aruba Networking product lines and names.

Creating Alerts

Introduction

Alerts provide network managers with near-real-time messages about anomalous network activity. Such activity could consist of:

Irregular authentication activity

Irregular network device access activity

Users attempting privileged commands on network devices

Irregular activity on the Policy Manager servers

Reports and alerts include templates for easy configuration. These templates allow you to quickly configure and monitor network activity. In addition to email notifications, you can also send alerts to mobile devices via SMS Short Message Service. SMS refers to short text messages (up to 140 characters) sent and received through mobile phones., providing the capability to receive mission-critical information on the go.

Any Error-level System Event/Event Viewer entries in Policy Manager servers are notified with a System Alert Notification.

Creating New Alerts

To create a new alert:

1. Navigate to the Alerts page.

2. Click Configuration.

The Alerts Configuration page opens.

Figure 1 Alerts Configuration Page

Enable button: From the switch, you can enable or disable the selected alert.

Mute button: Allows you to mute alert output while you work to address the alert.

3. Click Create New Alert.

Figure 2 Creating a New Alert

4. Enter the information for each Create New Alert parameter as described in Table 1, then click Save.

Table 1: Create New Alert Parameters
Alert Field	Action/Description
Alert Name	Enter the name of the alert.
Description	Optionally, enter a summary description of the alert.
Category	Select the alert Category, then specify the desired alert type in the selected category: Authentication Failed Authentication RADIUS Remote Authentication Dial-In User Service. An Industry-standard network access protocol for remote authentication. It allows authentication, authorization, and accounting of remote users who want to access network resources. Failed Authentication Total Authentication WEBAUTH Authentication System TACACS+ Terminal Access Controller Access Control System+. TACACS+ provides separate authentication, authorization, and accounting services. It is derived from, but not backward compatible with, TACACS. TACACS+ Terminal Access Controller Access Control System+. TACACS+ provides separate authentication, authorization, and accounting services. It is derived from, but not backward compatible with, TACACS. Commands TACACS+ Terminal Access Controller Access Control System+. TACACS+ provides separate authentication, authorization, and accounting services. It is derived from, but not backward compatible with, TACACS. Failures
Notifications	Specify report notifications: Notify by Email. When you select this option, enter the list of email addresses to be notified. The alert notification is sent whenever the trigger threshold is met. NOTE: Enabling Notify by Email is mandatory. Notify by SMS. When you select this option, enter the phone numbers of each recipient. The alert notification is sent whenever the trigger threshold is met. NOTE: If you have not configured the SMTP Simple Mail Transfer Protocol. SMTP is an Internet standard protocol for electronic mail transmission. mail server for email notifications, you will be unable to configure Alert Notifications. For the procedure, see Messaging Setup.
Filter	To configure an Alert filter: 1. From the Filter drop-down, select the type of filter; for example, Access Point or ClearPass Server. 2. Specify the operator: Equals Not_Equals Starts_With Contains Not_Contains 3. Enter the value. To create another filter, click the Add Another link. To remove a filter, click the trashcan logo.
Trigger Severity	From the Trigger Severity drop-down, select one of the following: Critical Warning
Trigger Threshold	Specify Threshold and Interval values as criteria for determining whether an alert is necessary. For example, if you specify the threshold as 25 and the interval as 15 minutes, once the threshold of 25 is met within 15 minutes, an alert is triggered.
Trigger Interval	Specify the Interval, then select Minutes or Hours.
Alert Summary	When you have configured the alert settings, the Alert Summary displays the settings for your review.

Modifying the User Watchlist

A Watchlist is a list of VIPs, executives, and devices known to be problematic that are monitored for authentication failures. Policy Manager collects all user authentication status. When Policy Manager finds a user defined in the Watchlist that both fails to authenticate and also matches the Watchlist triggers (severity, threshold, and interval), an alert notification is sent to the notification list via email or to mobile devices via SMS Short Message Service. SMS refers to short text messages (up to 140 characters) sent and received through mobile phones.. This allows the authentication failure to be resolved proactively before the problem is reported by the user. sThe Watchlist generates an alert only when an unsuccessful authentication for a specific device occurs.

Default Watchlist Trigger Settings

The default Watchlist trigger settings are as follows:

Severity = Critical

Threshold = 1

Interval = 30 seconds

You cannot edit the The Watchlist trigger settings.

To modify the User Watchlist:

1. From the Insight navigation panel, choose Alerts, then select Configuration.

The Alerts Configuration is displayed, which shows the default User Watchlist (see Figure 3).

Figure 3 User Watchlist

The users who are currently on the Watchlist are displayed. By default, the Watchlist includes the Authentication Trend report widget.

2. Click Watchlist, then click Modify Watchlist.

The Edit Alert page for the User Watchlist opens.

Figure 4 Modifying the User Watchlist

3. Enter the desired settings for each User Watchlist parameter as described in Table 2, then click Save.

Table 2: Modify User Watchlist Parameters
Alert Field	Action/Description
Alert Name	Optionally, you can modify the name of the User Watchlist.
Description	Optionally (and recommended), enter a summary description of the User Watchlist.
Category	The Category is set to Alert > User Watchlist. This is not an editable field.
Notifications	Specify Watchlist notifications. Notify by Email. When you select this option, enter the list of email addresses to be notified. The alert notification is sent whenever the threshold is met. Notify by SMS. When you select this option, enter the phone numbers of each recipient. An SMS Short Message Service. SMS refers to short text messages (up to 140 characters) sent and received through mobile phones. message is sent with an alert notification whenever threshold is met. NOTE: A warning message appears if you have not configured the SMTP Simple Mail Transfer Protocol. SMTP is an Internet standard protocol for electronic mail transmission. mail server for email notifications (for details, see Messaging Setup).
Filter: Username	The User Watchlist has only one filter: Username. From the Username drop-down, select one or more users to add to the Watchlist.
Alert Summary	When you have configured the Watchlist settings, the Alert Summary displays the settings for your review.

Adding or Removing Users from the Watchlist

You can use the Insight Search function to add users to or remove users from the Watchlist.

Adding a User to the Watchlist

To add a user to the Watchlist:

1. In the Insight Search window, enter the name of the user.

The Insight User Information page for the selected user is displayed.

Figure 5 Insight User Information Page

2. To add a user to the Watchlist, click the star icon next to the username as shown in Figure 5.

The User Information page now displays the following information:

Figure 6 User Successfully Added to Watchlist

The star icon color is now set to orange, indicating the user has been added to the Watchlist.

The following message is displayed:

<User> added to User Watchlist successfully. Please configure SMS and email notifications.

Removing a User from the Watchlist

To remove a user from the Watchlist:

1. In the Insight Search window, enter the name of the user.

The Insight User Information page for the selected user opens.

Figure 7 Removing a User from the Watchlist

2. Click the orange star icon next to the username.

The user is removed from the Watchlist. The star icon is now white. You receive the following message:

<User> removed from User Watchlist successfully.