Customizing Events

Affects product: 
Airlock WAF
Affects version(s): 
5.x and newer

Types of notifications

Log messages are generated by system components. These messages can be viewed in the Log Viewer or forwarded to a second syslog located in the management network.

Events are created by rules based on log messages. Events can be alerted, i.e. sent by email, as web-request or to a specific syslog server. The alerting methods can be configured in "Log Settings" - "Event Notification Channels".

The Log Viewer shows both events and messages mixed in one view. It is possible to show events only: Open the search "Troubleshooting - Events" (Airlock WAF 7.x) or select "Type: data event" (Airlock WAF 5.x/6.x).

                  viewable in Log Viewer   can be alerted   can be forwarded to external syslog
  Log Messages    yes                      -                yes
  Events          yes                      yes              yes

Types of events

There are two types of events:

  • Internal events are defined by Airlock. These events cannot be changed by the administrator; they may be changed by product updates in the future.
  • Customizable events cover events that depend strongly on the Airlock usage scenario, especially the number of requests per second.

Customizable events are configured in an event rule file named "logsurfer.conf.user.custom". Events which are not configured in this file are internal events and should not be modified.
Event configuration affects only future events. Events that are already generated will not be changed.

Customization

Airlock WAF 7.x

Before changing the file, create a copy of it for backup reasons:

cd /opt/airlock/custom-settings/logsurfer
cp logsurfer.conf.user.custom logsurfer.conf.user.custom.orig
vi logsurfer.conf.user.custom

Adjust the alert to your needs (the commented lines describe the default values):

# uncomment to enable/disable the event
WR_SG_SUMMARY_404_enable=true
# number of lines needed to trigger the event
WR_SG_SUMMARY_404_num=50
# lines are counted during range seconds
WR_SG_SUMMARY_404_range=60

After changing the configuration the airlock-logsurfer service has to be restarted:

systemctl restart airlock-logsurfer.service

If all the criteria match (50 lines or more within 60 seconds in the example above), the event is triggered and a notification is sent to the configured channels.

Ergon supports only changes of frequency and numbers in the customizable events. Changing the definition or adding new events is not supported.

Airlock WAF 5.x and 6.x

Before changing the file, create a copy of it for backup reasons:

cd /opt/airlock/custom-settings/taclog
cp logsurfer.conf.user.custom logsurfer.conf.user.custom.orig
vi logsurfer.conf.user.custom

Adjust the alert to your needs (the commented lines describe the default values):

# uncomment to enable/disable the event
WR_SG_SUMMARY_404_enable=true
# number of lines needed to trigger the event
WR_SG_SUMMARY_404_num=50
# lines are counted during range seconds
WR_SG_SUMMARY_404_range=60

All three lines have to be activated to enable the changes, even if some of the lines still contain the original value.

After changing the configuration the geneventd and the logsurfer service have to be restarted:

service geneventd restart
service logsurfer restart

If all the criteria match (50 lines or more within 60 seconds in the example above), the event is triggered and a notification is sent to the configured channels.

Ergon supports only changes of frequency and numbers in the customizable events. Changing the definition or adding new events is not supported.
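The following worked example illustrates the "num lines within range seconds" semantics described for both the 7.x and the 5.x/6.x procedure above, and the 5.x/6.x rule that all three settings have to be active. It is an added example and is not Airlock's or Ergon's own code; it assumes that the custom rule file is a flat KEY=VALUE file in which commented-out lines start with "#", and it uses a constructed log line format (ISO timestamp first, then "status=NNN") that is not the Airlock log format. The sample configuration lowers the threshold to 3 lines so that the constructed log stays short; the product default in the article is 50.

```python
"""Added example: how a customizable WR_SG_SUMMARY_404-style event fires.

Not Airlock's own code. Assumptions (not from the Airlock article):
  - logsurfer.conf.user.custom is a flat KEY=VALUE file, '#' comments a line out
  - the log lines carry an ISO-8601 timestamp as their first field and a
    "status=NNN" token; this line format is constructed for the example
  - after a trigger the counting window is cleared, so one burst of lines
    yields one event
"""
import re
from collections import deque
from datetime import datetime

# Constructed content of logsurfer.conf.user.custom with all three settings
# of the event active (uncommented). num is 3 here instead of the default 50
# only to keep the sample log short.
SAMPLE_CONF = """\
# uncomment to enable/disable the event
WR_SG_SUMMARY_404_enable=true
# number of lines needed to trigger the event
WR_SG_SUMMARY_404_num=3
# lines are counted during range seconds
WR_SG_SUMMARY_404_range=60
"""

# Constructed log lines (not real Airlock log output).
SAMPLE_LOG = [
    "2024-05-01T10:00:00 client=198.51.100.7 status=404 path=/a",
    "2024-05-01T10:00:10 client=198.51.100.7 status=200 path=/",
    "2024-05-01T10:00:20 client=198.51.100.7 status=404 path=/b",
    "2024-05-01T10:00:40 client=198.51.100.7 status=404 path=/c",  # 3rd 404 in 40 s
    "2024-05-01T10:05:00 client=198.51.100.7 status=404 path=/d",
    "2024-05-01T10:06:30 client=198.51.100.7 status=404 path=/e",  # 90 s later
    "2024-05-01T10:06:40 client=198.51.100.7 status=404 path=/f",
]


def parse_event_settings(conf_text, event):
    """Return {'enable', 'num', 'range'} for `event` from active lines only.

    Raises ValueError if any of the three settings is missing or still
    commented out, mirroring the 5.x/6.x requirement that all three lines
    be activated together.
    """
    settings = {}
    prefix = event + "_"
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank or commented-out line: not active
        key, sep, value = line.partition("=")
        if sep and key.startswith(prefix):
            settings[key[len(prefix):]] = value.strip()
    missing = [k for k in ("enable", "num", "range") if k not in settings]
    if missing:
        raise ValueError(f"{event}: settings not active: {missing}")
    return {
        "enable": settings["enable"].lower() == "true",
        "num": int(settings["num"]),
        "range": int(settings["range"]),
    }


def count_triggers(log_lines, settings, match=re.compile(r"\bstatus=404\b")):
    """Sliding-window evaluation of the rule over `log_lines`.

    Returns the timestamps at which an event would be raised: each time
    `num` matching lines fall within `range` seconds.
    """
    if not settings["enable"]:
        return []
    window = deque()   # timestamps of matching lines inside the range
    triggers = []
    for line in log_lines:
        if not match.search(line):
            continue
        ts = datetime.fromisoformat(line.split(" ", 1)[0])
        window.append(ts)
        # drop lines older than `range` seconds relative to the newest one
        while (ts - window[0]).total_seconds() > settings["range"]:
            window.popleft()
        if len(window) >= settings["num"]:
            triggers.append(ts)
            window.clear()  # assumption: one burst produces one event
    return triggers


def run_example():
    """Evaluate the constructed log against the constructed configuration."""
    settings = parse_event_settings(SAMPLE_CONF, "WR_SG_SUMMARY_404")
    return count_triggers(SAMPLE_LOG, settings)


if __name__ == "__main__":
    for ts in run_example():
        print(f"WR_SG_SUMMARY_404 triggered at {ts.isoformat()}")
```

Running the script reports a single trigger at 10:00:40, because the three 404 lines between 10:00:00 and 10:00:40 fall inside one 60-second range, while the later lines are spread more than 60 seconds apart and never reach the count. Commenting out one of the three settings makes parse_event_settings raise, which is the situation the 5.x/6.x note about activating all three lines warns about.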
