Event Sources
Event sources are the occasions and conditions under which you are alerted via the configured Event Destinations. You can configure any number of event sources.
Recurring alerts are only triggered when the status changes. For example, when you define the Requests Per Minute Event Source to trigger an alert if the average number of requests per minute exceeds a given limit, you get an alert when the limit is exceeded for the first time. However, you don’t get additional alerts while this state continues. You would only get a second alert if the number went below the limit again and then exceeded it again.
For general information on setting up alerts, see Configuring Alerts. For information on how to add, configure and remove an event source, see Editing an event source in Editing Event Sources.
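The status-change behaviour described above, modelled for an event source with an upper and a lower limit such as the Denied Requests Per Minute Event Source. This is an added example, not product code: the class, function names, limits and sample counts are constructed, and it assumes that a value between the two limits leaves the status unchanged.

```python
from dataclasses import dataclass


@dataclass
class ThresholdEventSource:
    """Hypothetical model of a per-minute event source with two limits."""
    upper_limit: int
    lower_limit: int
    exceeded: bool = False  # current status; alerts fire only when it flips

    def observe(self, count):
        """Return the new status if this sample changes it, else None."""
        if not self.exceeded and count > self.upper_limit:
            self.exceeded = True
            return "exceeded"
        if self.exceeded and count < self.lower_limit:
            self.exceeded = False
            return "normal"
        # Assumption: a value between the two limits leaves the status as is.
        return None


def alerts_for(counts, upper_limit, lower_limit):
    """Replay per-minute counts and list (minute, status, count) alerts."""
    source = ThresholdEventSource(upper_limit, lower_limit)
    alerts = []
    for minute, count in enumerate(counts):
        status = source.observe(count)
        if status is not None:
            alerts.append((minute, status, count))
    return alerts


# Constructed sample: denied requests per minute on one cluster node.
SAMPLE_COUNTS = [80, 120, 150, 130, 95, 105, 60, 110, 40]

if __name__ == "__main__":
    for minute, status, count in alerts_for(SAMPLE_COUNTS, 100, 70):
        print(f"minute {minute}: status -> {status} ({count} denied requests)")
```

Five of the nine samples are above the upper limit of 100, yet only two "exceeded" alerts are produced, because minutes 2, 3 and 5 fall inside a state that has already been reported.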
Overview
There are different types of event sources, depending on whether alerts are configured globally or for a specific application.
The following event sources are available for global alerts only:
- Triggers an alert both when a cluster node goes offline and when it comes back online.
- Default Error Log Entries Per Minute Event Source
  Triggers an alert when the number of new entries per minute to the Default Error Log exceeds a given limit.
- Denied Requests Per Minute Event Source
  Triggers an alert both when the number of denied requests per minute on a cluster node exceeds a given upper limit, and when it later goes below a given lower limit.
- Global Blacklist IP Event Source
  Triggers the addition of an IP address to the global IP blacklist via the Global Blacklist IP Event Destination (for details on the process, see Global IP Blacklisting).
- Global Blacklist IP Added Event Source
  Triggers an alert each time a new IP address is written to the global IP blacklist.
- Requests Per Minute Event Source
  Triggers an alert both when the total number of requests per minute on a cluster node exceeds a given upper limit, and when it later goes below a given lower limit.
- Triggers an alert when either a new enforcer has been added to the configuration or when an enforcer is inactive.
The following event sources are available for application-specific alerts only:
- Denied Requests Per Minute Per Application Event Source
  Triggers an alert both when the number of denied requests per minute relating to a specific application exceeds a given upper limit, and when it later goes below a given lower limit.
- Denied Requests Per IP Per Severity Per Timeframe Per App. Ev. Source
  Triggers an alert when more requests have been denied within a given period of time than a given limit allows. You can also specify a severity level and the range of IP addresses to be taken into account.
- New Sessions Per Minute Per Application Event Source
  Triggers an alert both when the number of new sessions created for a specific application exceeds a given upper limit, and when it later goes below a given lower limit.
- Requests Per Minute Per Application Event Source
  Triggers an alert both when the total number of requests per minute relating to a specific application exceeds a given upper limit, and when it later goes below a given lower limit.
- Requests Per IP Per Path Per Timeframe Per Application Event Source
  This is a special event source that is triggered by the Event Per IP Per Path Prefilter Handler.
The following event sources can be selected both globally and at application level:
These event sources are essentially global. They can also be added to an application so that Application Administrators can use them as well.
- New Baselines Available Event Source
  Triggers an event when new baseline rules are available for activation.