
How to trigger an Alert when a NetFlow Top Talker user exceeds a Threshold?

Hello

Using NTA 3.8. In the context of being alerted when a user downloads / uploads a considerable amount of data within a time frame (say during the last 15 min), we need to know about that to immediately preserve the shared bandwidth for Company business traffic.

The "Top Talker Advanced Alerts" built-in Alert is meant for an interface that exceeds a Threshold BUT we need more granularity, in the sense of creating a similar Alert that tells which end point (Top Receivers / Transmitters) user exceeded a Threshold (the Threshold could be a quota of data within the last 15 min or just a percentage of the bandwidth).

Ingress/ Egress traffic per end user

Most probably, it requires an Advanced Alert with a SQL query. Which Table(s)? Any help?

Thank you

  • Hello,

    Those kinds of alerts we are not supporting yet.

    I can give one example which you can try, but it can negatively affect the performance of your Orion.

    The attached solution is using a workaround of alerts, as "Custom SQL Alert" does not support dynamic queries, which are needed to get data
    from the NetFlowDetail tables.

    The workaround is using a process where one alert task is only used for the call of a procedure which overcomes the problem with the dynamic query
    and stores new alert data into a temporary table.

    This temporary table is then checked with the alert tasks "Top Talker Ingress" and "Top Talker Egress", which generate alerts.
    The trigger actions print out the list of endpoints which exceed the threshold criteria.


    The setup instructions are the following:

    - Execute the procedure on your Orion installation (not on the master DB but on the Orion DB)
      (it will install a new procedure used for gathering alert data from all NetFlow tables.
      New alert data will be stored into a temporary table which is scanned by the alert tasks)

    - Import the attached alert files into the alert manager by using the Import button in the alert manager

    - Customize the threshold and other settings in the alert task "Top Talker -Updater" - an example is presented there

    - Modify the two alerts "Top Talker Ingress" and "Top Talker Egress" to suit your needs


    Please let me know any questions and comments so we can consider it as a feature request.

    Thanks

    Regards radekn
    TopTalkersAlerts.zip
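The per-endpoint check the question asks for and the reply above implements with a stored procedure, as an added example that is not part of any post here nor of the attached TopTalkersAlerts.zip: a SQL aggregation over a constructed flow table (the `flows` schema and sample rows are assumptions, not NTA's NetFlowDetail schema) that flags Top Receivers (ingress) and Top Transmitters (egress) whose bytes in the last 15 minutes exceed either a data quota or a percentage of the link bandwidth.

```python
import sqlite3
from datetime import datetime, timedelta

# Constructed sample flow records (not NTA data): endpoint, direction
# relative to that endpoint, bytes transferred, and minutes before "now".
SAMPLE_FLOWS = [
    ("10.1.2.30", "ingress", 900_000_000, 3),   # large download
    ("10.1.2.30", "ingress", 400_000_000, 9),
    ("10.1.2.31", "ingress", 50_000_000, 5),
    ("10.1.2.31", "egress", 700_000_000, 2),    # large upload
    ("10.1.2.32", "ingress", 800_000_000, 40),  # outside the 15 min window
    ("10.1.2.33", "egress", 10_000_000, 1),
]


def load_flows(now):
    """Build an in-memory flow table (assumed schema) from the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE flows (endpoint TEXT, direction TEXT, bytes INTEGER, ts TEXT)")
    conn.executemany(
        "INSERT INTO flows VALUES (?, ?, ?, ?)",
        [(ep, d, b, (now - timedelta(minutes=m)).isoformat()) for ep, d, b, m in SAMPLE_FLOWS],
    )
    return conn


def top_talkers(conn, now, direction, window_min=15, quota_bytes=None, link_bps=None, pct=None):
    """Return [(endpoint, total_bytes)] whose traffic in the last window_min minutes
    exceeds the threshold. The threshold is either an absolute quota (quota_bytes)
    or pct percent of what the link (link_bps) can carry in the window, which are
    the two threshold styles discussed in the thread."""
    if quota_bytes is None:
        if link_bps is None or pct is None:
            raise ValueError("need quota_bytes or both link_bps and pct")
        quota_bytes = link_bps * window_min * 60 / 8 * pct / 100
    since = (now - timedelta(minutes=window_min)).isoformat()
    # ISO-8601 timestamps compare correctly as strings, so the window is a plain range filter.
    return conn.execute(
        """SELECT endpoint, SUM(bytes) AS total FROM flows
           WHERE direction = ? AND ts >= ?
           GROUP BY endpoint HAVING total > ?
           ORDER BY total DESC""",
        (direction, since, quota_bytes),
    ).fetchall()


if __name__ == "__main__":
    now = datetime(2011, 11, 7, 14, 17, 24)
    conn = load_flows(now)
    print("Top Receivers over 1 GB:", top_talkers(conn, now, "ingress", quota_bytes=1_000_000_000))
    print("Top Transmitters over 50% of 10 Mbit/s:", top_talkers(conn, now, "egress", link_bps=10_000_000, pct=50))
```

In a real deployment the query would run against the NetFlow tables instead of `flows`, and the returned rows are what the alert's trigger action would list.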

  • We have a similar use case there. I have ‘solved’ this, although you could also call it a workaround.

    Using a copy of the Top Talkers Alert I used a custom property to zero in on the interfaces I wanted to alarm bandwidth on. (Internet WAN links in this case)

    You need to set up a web page that shows the data you want to look at. In our case we put in Top5 charts.

    Once you have the webpage set you just use the ‘Email a webpage’ action on the trigger to send the page, and you’ll get something like the example below.

    *Note: We did need to contact support and have them assist in setting the alert to give Both rather than Ingress/Egress since we were seeing the data on different sides for our managed routers. That was a SQL mod in the database, so if you have the same need I’d suggest putting in a ticket with support.

    Description: Interface 'Multilink2 ·' on 'Router {Location}- Sprint MPLS' received at 86% of its utilization, which triggered this alert.

    Link: NetFlow Interface Details - Multilink2 · - Router Cortez - Sprint MPLS

    NetFlow Interface Details for Alerts
    Monday, November 07, 2011 2:17:24 PM

    Charts on the emailed page (each covering Ingress, 11/7/2011 2:11 PM to 11/7/2011 2:16 PM): Top 5 Protocols, Top 5 Applications, Top 5 Conversations, Top 5 Endpoints, Top 5 Domains, Top 5 Types of Service
  • I really need this Netflow endpoint alerting as well.  I struggle with seeing the flow of traffic thru an interface but drilling down into the traffic much past that is cumbersome in reporting.  An alert to tell me when I have a bandwidth hog would be a godsend!

    Any progress on this yet?

  • While a SW integration would likely be a smoother setup, the process I describe right above you works wonders. The alert pulls the time into a ~5 minute section, so it’s pretty easy to tell who’s yanking the bandwidth.

    The most important metrics that I’ve used from the above setup tend to be Protocols and Endpoints. Those two make it fairly easy to see (for instance) that you have a large chunk of port 80 traffic and that tends to correspond to one of the top 5 endpoints. That also makes it easy to distinguish between users pulling work-related government maps (since the endpoint is usgs.gov) vs. ‘Other’ activity (endpoints in youtube.com or whatever).

    Of course one of the critical points is to have a way to set your internet WAN links for the alerts. We use a custom field Yes/No to designate Internet WAN endpoints for our reporting. Once those are zeroed in you have eliminated a ton of data in reporting and bandwidth abusers tend to stick out like sore thumbs. (I’ve got a few users that don’t like it though ;))

    Alternately, if you are looking for specific site traffic à la YouTube, you can create a report targeting the domain itself and have it emailed to you on some periodicity. (And/Or display it in Orion for on-demand checkups.) Whatever time slice makes sense to you works well, but if you use M-F or weekly on the reports you can actually gauge if the users are accessing said site at lunch, throughout the day, etc. That form of reporting with flows makes it VERY easy to establish user traffic patterns.
  • Thanks for the input.  I am looking at this.