Community
- Command Central
- MVP Program
- Monthly Mission
- Blogs
- Groups
- Events
- Media Vault
Products
- Observability
- Network Management
- Application Management
- IT Security
- IT Service Management
- System Management
- Database Management
Content Exchange
- SolarWinds Platform
- Server & Application Monitor
- Database Performance Analyzer
- Server Configuration Monitor
- Network Performance Monitor
- Network Configuration Manager
- SQL Sentry
- Web Help Desk
Free Tools & Trials

FEATURE REQUEST - Limiting Same Message Notifications

Case 483354

We have port security set on our cisco switches in ‘restrict’ mode which doesn’t shutdown the port, it just blocks the new ‘mac’ from connecting. This causes continuous logging of port security alerts, so I want to limit the amount of notifications sent of this event via e-mail.

The ‘Time Interval’ one would be ideal but doesn’t have the option of ‘Maintain individual threshold counts for each host address’ which I would require as I have numerous switches

The ‘Threshold Filter’ one is not ideal as the events occur at random time intervals, dependant on host connecting, and can continue indefinitely (till host is disconnected), or perhaps someone might connect an ‘unauthorized’ device and disconnect immediately, with perhaps only one trigger of the event appearing on switch (which I still need to capture and want to be notified about). Therefore I cannot really set an adequate value in the ‘X’ field ('X' as per KiwiSyslog 'Help') that will cover both scenarios of multiple alerts or a single alert.

In addition ‘Maintain individual threshold counts for each host address’ doesn’t cover for multiple devices on the same switch, triggering separate events for different ports, so even if it was available as an option on the ‘Threshold filter’ I would still not be covered.

Find more posts tagged with

kiwi_syslog

Status: None

Comments

Aforsythe

This script will satisfy your 1st requirement and could be potentially modified to also support your second requirement.

hhth

Thanks Acy. Is 'TIMEINTERVAL' in milliseconds?

Aforsythe

It's in seconds.

hhth

works great. I'll inform solarwinds my issue has been resolved if that's OK with you. Their product manager support said below with regards issue after I followed him up on it, but maybe they can work on something similar based on your solution. I have set an interval of 90 seconds so if someone does move the 'unauthorized' device within the same switch I should still likely capture the 'incident' but still reduce the overall sending of notifications :

Hi Herman,

We have been tracking your feature request.

I definitely agree it’s useful but we must prioritize our engineering effort acc. to our customer needs and your request currently does’t belong to the most popular group.

If we decide to implement it, I will let you know.

Aforsythe

You can keep the feature request open. I’m all for adding more non-scripted functionality to KSS. I’m also currently working on a script to set time intervals per message per device to throttle port up/down messages from the same device individually. IE, I don’t want a million port1 up/down messages so I squelch them, but I still want to know if port2 goes up/down, and I don’t want the thresholds to be across the board for the same device.

Currently, I’d have to use my current script and a rule for each message I wanted to handle separately.