<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: Alert for port up or port down,... in Alerting</title>
    <link>https://community.splunk.com/t5/Alerting/Alert-for-port-up-or-port-down/m-p/27133#M230</link>
    <description>&lt;P&gt;As Bob and MHibbin have commented, this is a little vague.  Remember, Splunk is first and foremost a data indexing and search engine.  By default, it has few ways to &lt;STRONG&gt;generate&lt;/STRONG&gt; data.  You have to give it some data to process.  Once there is data to process, then alerting on it is easy.  In my opinion, you have skipped to the "how do I alert on this?" question before you've properly analyzed "how do I get this data into Splunk?".&lt;/P&gt;

&lt;P&gt;There are two common approaches for "Port up" and "Port down" data -- one is syslog, the other is an SNMP trap.  Most devices that can run an SNMP agent are able to produce &lt;CODE&gt;linkUp&lt;/CODE&gt; and &lt;CODE&gt;linkDown&lt;/CODE&gt; traps.  With a running &lt;CODE&gt;snmptrapd&lt;/CODE&gt;, you can feed those traps as events into Splunk.  From there, you can alert on them fairly easily.  This is documented at &lt;A href="http://docs.splunk.com/Documentation/Splunk/4.3.1/Data/SendSNMPeventstoSplunk"&gt;http://docs.splunk.com/Documentation/Splunk/4.3.1/Data/SendSNMPeventstoSplunk&lt;/A&gt;&lt;/P&gt;

&lt;P&gt;Also, this may be of use -- &lt;A href="http://www.cisco.com/en/US/tech/tk648/tk362/technologies_tech_note09186a0080094aa5.shtml"&gt;http://www.cisco.com/en/US/tech/tk648/tk362/technologies_tech_note09186a0080094aa5.shtml&lt;/A&gt;&lt;/P&gt;

&lt;P&gt;The syslog approach is pretty simple too, but you have to have devices that you can count on giving you a syslog event from an interface up/down.  &lt;/P&gt;

&lt;P&gt;Remember that Splunk's architecture is quite different from your average "network monitoring" solution - its focus is on indexing and searching the data, and less on collection / acquisition.&lt;/P&gt;</description>
    <pubDate>Sun, 15 Apr 2012 18:18:34 GMT</pubDate>
    <dc:creator>dwaddle</dc:creator>
    <dc:date>2012-04-15T18:18:34Z</dc:date>
    <item>
      <title>Alert for port up or port down,...</title>
      <link>https://community.splunk.com/t5/Alerting/Alert-for-port-up-or-port-down/m-p/27129#M226</link>
      <description>&lt;P&gt;Is there some way that we can configure &lt;STRONG&gt;port up&lt;/STRONG&gt; and &lt;STRONG&gt;down alerts&lt;/STRONG&gt;? Since there seems to be none there by default, and neither one comes up while setting up an alert, does one need to write it down in &lt;STRONG&gt;$SPLUNK_HOME/etc/system/README/savedsearches.conf&lt;/STRONG&gt;?&lt;/P&gt;

&lt;P&gt;If so, can anybody guide me in that respect?&lt;/P&gt;</description>
      <pubDate>Sat, 14 Apr 2012 13:00:46 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Alerting/Alert-for-port-up-or-port-down/m-p/27129#M226</guid>
      <dc:creator>sahil_singh</dc:creator>
      <dc:date>2012-04-14T13:00:46Z</dc:date>
    </item>
    <item>
      <title>Re: Alert for port up or port down,...</title>
      <link>https://community.splunk.com/t5/Alerting/Alert-for-port-up-or-port-down/m-p/27130#M227</link>
      <description>&lt;P&gt;Hi Sahil.&lt;/P&gt;

&lt;P&gt;This question is a bit vague. What port are you interested in monitoring (Router, Switch, Firewall, Windows or Unix Server)? Is it being logged, and is Splunk picking up the events?&lt;/P&gt;

&lt;P&gt;Once you have identified the events, you can write a search and save it as an alert. This can be done through the GUI (web) or in a config file. If you are new to Splunk, I would do it in the web interface (Search app). You should never edit the files in a /README/ or /default/ folder. If you decide to do it in the config file, I would recommend you edit (or add) it in &lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt;$SPLUNK_HOME/etc/apps/search/local/savedsearches.conf
&lt;/CODE&gt;&lt;/PRE&gt;

&lt;P&gt;Bob&lt;/P&gt;</description>
      <pubDate>Sat, 14 Apr 2012 13:36:06 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Alerting/Alert-for-port-up-or-port-down/m-p/27130#M227</guid>
      <dc:creator>BobM</dc:creator>
      <dc:date>2012-04-14T13:36:06Z</dc:date>
    </item>
    <item>
      <title>Re: Alert for port up or port down,...</title>
      <link>https://community.splunk.com/t5/Alerting/Alert-for-port-up-or-port-down/m-p/27131#M228</link>
      <description>&lt;P&gt;The question here is more in terms of monitoring the physical ports, such as Ethernet 1 and Ethernet 2.&lt;/P&gt;

&lt;P&gt;One needs alerts to be generated immediately, once these ports are down.&lt;/P&gt;</description>
      <pubDate>Sun, 15 Apr 2012 07:47:07 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Alerting/Alert-for-port-up-or-port-down/m-p/27131#M228</guid>
      <dc:creator>sahil_singh</dc:creator>
      <dc:date>2012-04-15T07:47:07Z</dc:date>
    </item>
    <item>
      <title>Re: Alert for port up or port down,...</title>
      <link>https://community.splunk.com/t5/Alerting/Alert-for-port-up-or-port-down/m-p/27132#M229</link>
      <description>&lt;P&gt;I think BobM was asking about the device because there are different methods for collecting the required information.&lt;/P&gt;

&lt;P&gt;For example, you could set up a scripted input that pings the interface (why not use the most basic of network troubleshooting tools), and just have an alert when there are no echo replies.&lt;/P&gt;

&lt;P&gt;If the device has syslog (e.g. a Cisco router) that generates this information, you could forward the Syslog to Splunk and alert on that.&lt;/P&gt;

&lt;P&gt;You should work on getting the data into Splunk first... read these docs here:&lt;/P&gt;

&lt;P&gt;&lt;A href="http://docs.splunk.com/Documentation/Splunk/latest/Data/WhatSplunkcanmonitor"&gt;http://docs.splunk.com/Documentation/Splunk/latest/Data/WhatSplunkcanmonitor&lt;/A&gt;&lt;/P&gt;

&lt;P&gt;Once you have decided on how you get the data in, you should then set to work setting the alerts up for yourself. Docs here:&lt;/P&gt;

&lt;P&gt;&lt;A href="http://docs.splunk.com/Documentation/Splunk/latest/Admin/howdoesalertingworkinSplunk"&gt;http://docs.splunk.com/Documentation/Splunk/latest/Admin/howdoesalertingworkinSplunk&lt;/A&gt;&lt;/P&gt;

&lt;P&gt;There is rarely one single answer to a question in Splunk; the best thing, in my opinion, would be to work on a method which you know/understand well enough to develop further.&lt;/P&gt;

&lt;P&gt;Regards,&lt;/P&gt;

&lt;P&gt;MHibbin&lt;/P&gt;</description>
      <pubDate>Sun, 15 Apr 2012 09:42:55 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Alerting/Alert-for-port-up-or-port-down/m-p/27132#M229</guid>
      <dc:creator>MHibbin</dc:creator>
      <dc:date>2012-04-15T09:42:55Z</dc:date>
    </item>
    <item>
      <title>Re: Alert for port up or port down,...</title>
      <link>https://community.splunk.com/t5/Alerting/Alert-for-port-up-or-port-down/m-p/27133#M230</link>
      <description>&lt;P&gt;As Bob and MHibbin have commented, this is a little vague.  Remember, Splunk is first and foremost a data indexing and search engine.  By default, it has few ways to &lt;STRONG&gt;generate&lt;/STRONG&gt; data.  You have to give it some data to process.  Once there is data to process, then alerting on it is easy.  In my opinion, you have skipped to the "how do I alert on this?" question before you've properly analyzed "how do I get this data into Splunk?".&lt;/P&gt;

&lt;P&gt;There are two common approaches for "Port up" and "Port down" data -- one is syslog, the other is an SNMP trap.  Most devices that can run an SNMP agent are able to produce &lt;CODE&gt;linkUp&lt;/CODE&gt; and &lt;CODE&gt;linkDown&lt;/CODE&gt; traps.  With a running &lt;CODE&gt;snmptrapd&lt;/CODE&gt;, you can feed those traps as events into Splunk.  From there, you can alert on them fairly easily.  This is documented at &lt;A href="http://docs.splunk.com/Documentation/Splunk/4.3.1/Data/SendSNMPeventstoSplunk"&gt;http://docs.splunk.com/Documentation/Splunk/4.3.1/Data/SendSNMPeventstoSplunk&lt;/A&gt;&lt;/P&gt;

&lt;P&gt;Also, this may be of use -- &lt;A href="http://www.cisco.com/en/US/tech/tk648/tk362/technologies_tech_note09186a0080094aa5.shtml"&gt;http://www.cisco.com/en/US/tech/tk648/tk362/technologies_tech_note09186a0080094aa5.shtml&lt;/A&gt;&lt;/P&gt;

&lt;P&gt;The syslog approach is pretty simple too, but you have to have devices that you can count on giving you a syslog event from an interface up/down.  &lt;/P&gt;

&lt;P&gt;Remember that Splunk's architecture is quite different from your average "network monitoring" solution - its focus is on indexing and searching the data, and less on collection / acquisition.&lt;/P&gt;</description>
      <pubDate>Sun, 15 Apr 2012 18:18:34 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Alerting/Alert-for-port-up-or-port-down/m-p/27133#M230</guid>
      <dc:creator>dwaddle</dc:creator>
      <dc:date>2012-04-15T18:18:34Z</dc:date>
    </item>
  </channel>
</rss>

