9.1. Manage Alert Groups

An “Alert Group” represents a type of alert. Trisul ships with six built-in alert groups:

  1. Threshold Crossing Alerts : Raised when a meter value stays above a fixed Hi watermark or below a fixed Lo watermark for a certain time
  2. Flow Tracking Alerts : Anomalous flow behaviour that you define
  3. IDS Alerts : Raised when interfacing with external IDS systems such as Suricata
  4. Blacklist : Raised when a blacklisted indicator is seen
  5. Threshold Band Alerts : Raised when a meter value drifts outside a “trained” band of normal values
  6. System Alerts : From Trisul self monitoring, such as packet drops and memory pressure

You can create your own alert types using the alertgroup LUA API. Alert groups you create with the LUA API also show up in Trisul and are managed alongside the built-in alert groups.

9.1.1 Viewing alert groups

To view all alert groups currently in the system:

Login as Admin → Select Context and profile → Under Alerts → View Alert Groups

Enable and disable alerts

You can enable or disable entire alert groups by pressing the “Enable” or “Disable” button shown on each row.

When an alert group is disabled, any alerts in that group generated by Trisul or by plugins are discarded by the streaming analytics engine. They are not stored, displayed, or made available to your LUA plugins; because they are never stored, alerts generated while a group is disabled cannot be recovered later by re-enabling it.

Forward alerts to syslog

Forwarding alerts to syslog serves two purposes:

  1. The Trisul Email dispatching service reads the syslog feed to send alerts to you via email
  2. Other systems can consume the alerts from syslog

For each alert group you choose the syslog policy from the Alert Groups table:

From the Alert Groups table → Select a Syslog Level for the group → Select DISABLED to prevent that group's alerts from being sent to syslog

9.1.2 Viewing and forwarding alerts

Generated alerts appear immediately on the user interface. You can also set up the following:

  1. Sending alerts to SYSLOG
  2. Sending alerts via email
  3. Sending alerts via an SMS service

The Email and SMS services work by reading the SYSLOG alerts, so ensure SYSLOG forwarding is enabled (not set to DISABLED) for each alert group you want delivered by email or SMS.
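As an added, stand-alone example (not Trisul's own code), the following Python models the per-group Syslog Level policy chosen from the Alert Groups table and a downstream consumer that, like the email and SMS services, only sees what actually reaches syslog. The group names, the local0 facility, the hostname and app-name, and the sample alerts are all assumptions constructed for illustration.

```python
"""Added example (not Trisul's own code): a per-group syslog forwarding policy.

Models the "Syslog Level" setting: each alert group maps to a syslog
severity or to DISABLED. Disabled groups never produce a syslog line, so a
consumer of the syslog feed (the email or SMS dispatcher) never sees them,
whatever its own threshold. Group names, hostname and app-name are assumed.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

# RFC 5424 severity codes (standard values).
SEVERITY = {"EMERG": 0, "ALERT": 1, "CRIT": 2, "ERR": 3,
            "WARNING": 4, "NOTICE": 5, "INFO": 6, "DEBUG": 7}
FACILITY_LOCAL0 = 16  # facility chosen for forwarded alerts (assumption)

# Per-group policy table (constructed sample, not Trisul defaults).
POLICY = {
    "Threshold Crossing": "WARNING",
    "Flow Tracking": "NOTICE",
    "IDS": "ALERT",
    "Blacklist": "CRIT",
    "Threshold Band": "INFO",
    "System": "DISABLED",   # System alerts deliberately not forwarded
}


@dataclass
class Alert:
    group: str      # alert group name
    source: str     # meter, host or indicator the alert is about
    message: str
    ts: datetime    # timezone-aware timestamp


def to_syslog(alert: Alert, policy: dict = POLICY) -> Optional[str]:
    """Render one alert as an RFC 5424 line, or None when its group is DISABLED."""
    level = policy.get(alert.group, "DISABLED")   # unknown groups are treated as disabled
    if level == "DISABLED":
        return None
    pri = FACILITY_LOCAL0 * 8 + SEVERITY[level]   # PRI = facility * 8 + severity
    ts = alert.ts.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    # VERSION=1, HOSTNAME=sensor01, APP-NAME=trisul (assumed); PROCID/MSGID/SD are '-'
    return f"<{pri}>1 {ts} sensor01 trisul - - - [{alert.group}] {alert.source}: {alert.message}"


def parse_pri(line: str) -> tuple:
    """Recover (facility, severity) from the leading <PRI> of a syslog line."""
    if not line.startswith("<") or ">" not in line:
        raise ValueError("missing PRI field")
    pri = int(line[1:line.index(">")])
    return pri // 8, pri % 8


def forward(alerts: list, policy: dict = POLICY) -> list:
    """Apply the policy to a batch of alerts; return the syslog lines actually emitted."""
    lines = []
    for a in alerts:
        line = to_syslog(a, policy)
        if line is not None:
            lines.append(line)
    return lines


def email_dispatch(lines: list, min_level: str = "WARNING") -> list:
    """Stand-in for a syslog consumer: keep lines at or above min_level
    (a lower numeric severity is more urgent)."""
    threshold = SEVERITY[min_level]
    return [ln for ln in lines if parse_pri(ln)[1] <= threshold]


# Constructed sample alerts, one per group of interest.
T0 = datetime(2024, 1, 15, 9, 30, 0, tzinfo=timezone.utc)
SAMPLE_ALERTS = [
    Alert("Threshold Crossing", "meter:Bytes/sec", "above Hi watermark for 300s", T0),
    Alert("IDS", "10.0.0.5", "Suricata signature match", T0),
    Alert("Threshold Band", "meter:DNS queries/sec", "outside trained band", T0),
    Alert("System", "eth0", "packet drops detected", T0),
]

if __name__ == "__main__":
    emitted = forward(SAMPLE_ALERTS)
    print(f"{len(emitted)} of {len(SAMPLE_ALERTS)} alerts forwarded to syslog")
    for line in email_dispatch(emitted):
        print("EMAIL:", line)
```

Running it shows the System alert never reaching the email output however low the dispatcher's threshold is set, because the group-level DISABLED policy is applied before anything is written to syslog. That is the check to make when an expected email or SMS never arrives: look at the group's Syslog Level first, then at the consumer's own filtering.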