Help SW
I would like to alert on a sharp change in my WAN utilization.
Something like:
Interface utilization is 30% in one poll and 90% in the next poll (+60% in 15 min)
Or from 3% to 60% (+57% change in 15 min)
Why?
1. DDoS
2. DDoS
3. more DDoS
@sja,
Have you looked at the canned alerts, "High RX Percent Utilization with Top Talkers" and "High TX Percent Utilization with Top Talkers"? These work great for my needs. One small drawback, since Netflow is exported every 5 minutes, I set the alert trigger to wait until 10 minutes of collection has passed, this way I get current conversations in the alerts.
Dwyane
We implemented dynamic thresholds in 10.7, which calculate standard deviations on a 7-day sliding window. The dynamic value shows up as a macro, so you could potentially also use it elsewhere. Just go to edit an interface and you'll see the threshold override capability show up.
Sure will try that Rob.
Is there any material on that new feature?
I enabled that on my RC but the link to the material is dead.
/SJA
Unfortunately documentation is being finalized. It should be available to coincide with GA. Please let me know if there are any questions in the interim.
rob.hock, this sounds very helpful, as we have been in this same boat for a while now. Currently we use "NFSEN" to monitor and alert us on network spikes (DDoS), which seem to be happening on a more regular basis lately. NFSEN is a very lightweight and extremely useful tool for easily monitoring for these attacks. We also have NTA, but find it more cumbersome to navigate and alert from.
Are you saying this new feature will know, for example, if our uplinks are usually at/around 2gb at 5am, 6gb at 12pm, and 12gb at 8pm (with all the averages for all the times in between), that it will alert if there is 6gb of traffic at 5am (network spike) BUT would NOT alert if it were 6gb at 12pm (normal)...? As we have it now, I basically have to break it down between peaks and no-traffic events.
Also, not to hijack this thread, but what about linking/correlating endpoint IP address to bandwidth spike? Currently, when we see a large spike in bandwidth, our NFSEN server sends us an email with the time, IP address, flow count, traffic size, duration, etc... Then starts our efforts to track down that user/endpoint, mitigate attack, and take various other actions... It would surely be nice to use our, paid for, NPM & NTA modules to do this, instead of a simple and lightweight free tool...
Sounds like I need to schedule some maintenance time to upgrade NPM to 10.7 (currently at 10.6.1, NTA at 4.0.0) to use this new dynamic feature, as long as I am understanding what you are saying, that is...
Thank you,
-Will
The other way is to create an alert that compares the utilization over the last (for example) hour vs. the average utilization over the last 1 or 2 weeks. From there, calculate your delta, and alert if the delta is above a certain percentage.
Hi rstoney00, that type of alert will surely help. Do you have an alert example I can use? /sja
The new dynamic baseline does not take into account time-of-day/day-of-week/etc, but rather is a 7-day moving average with calculated standard deviations. The ToD/DoW/DoM functionality would be ideal, but is not present in 10.7
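Since sja asked for an alert example, here is an added illustration in Python (not SolarWinds code and not supplied by any poster in this thread) of the four approaches discussed: the consecutive-poll jump from the opening post, the 7-day mean/standard-deviation baseline Rob describes, rstoney00's last-hour-versus-two-weeks delta, and the time-of-day baseline Will asked about, which Rob says 10.7 does not do. It assumes 15-minute polls, utilization in percent, and example thresholds (30 points, 3 sigma, 50%); the traffic series it runs over is constructed, not real data.

```python
"""Spike detectors for 15-minute interface-utilization polls.

Added illustration for this thread; not SolarWinds code.  Assumptions: polls
every 15 minutes, utilization in percent, example thresholds throughout.
"""
import math
from statistics import mean, pstdev

POLL_MIN = 15                        # assumed poll interval (minutes)
POLLS_PER_HOUR = 60 // POLL_MIN      # 4
POLLS_PER_DAY = 24 * POLLS_PER_HOUR  # 96


def jump_alert(series, min_delta=30.0):
    """Opening post: alert when utilization rises by at least min_delta
    percentage points between one poll and the next (e.g. 30% -> 90%)."""
    if len(series) < 2:
        return None
    delta = series[-1] - series[-2]
    return delta if delta >= min_delta else None


def zscore_alert(series, window_days=7, sigmas=3.0):
    """Rob's 10.7 baseline as described: mean and standard deviation over a
    sliding window of the previous window_days of polls, no notion of time of
    day.  Returns (value, threshold) when the latest poll exceeds mean + k*sd."""
    history = series[-window_days * POLLS_PER_DAY - 1:-1]   # before latest poll
    if len(history) < POLLS_PER_DAY:     # assumption: want a day of history
        return None
    threshold = mean(history) + sigmas * pstdev(history)
    return (series[-1], threshold) if series[-1] > threshold else None


def trailing_delta_alert(series, baseline_days=14, max_pct=50.0):
    """rstoney00's approach: average of the last hour versus the average of the
    preceding baseline_days; returns the percent increase when above max_pct."""
    hour = series[-POLLS_PER_HOUR:]
    base = series[-baseline_days * POLLS_PER_DAY - POLLS_PER_HOUR:-POLLS_PER_HOUR]
    if len(hour) < POLLS_PER_HOUR or not base or mean(base) <= 0:
        return None
    pct = (mean(hour) - mean(base)) / mean(base) * 100
    return pct if pct > max_pct else None


def tod_alert(series, sigmas=3.0, min_days=3):
    """Time-of-day baseline Will asked about: compare the latest poll only with
    the same 15-minute slot on previous days (step slicing picks those out)."""
    idx = len(series) - 1
    same_slot = series[idx % POLLS_PER_DAY:idx:POLLS_PER_DAY]
    if len(same_slot) < min_days:
        return None
    threshold = mean(same_slot) + sigmas * pstdev(same_slot)
    return (series[-1], threshold) if series[-1] > threshold else None


def run_checks(series):
    return {"jump": jump_alert(series),
            "global_7d": zscore_alert(series),
            "hour_vs_2w": trailing_delta_alert(series),
            "time_of_day": tod_alert(series)}


# Constructed sample traffic (not real data): ~5% overnight, ~70% at midday,
# plus a small deterministic jitter so the baselines have non-zero variance.
def expected_util(slot, day):
    hour = slot / POLLS_PER_HOUR
    shape = math.sin(math.pi * (hour - 4) / 16) if 4 <= hour <= 20 else 0.0
    jitter = (slot * 7 + day * 13) % 5 - 2     # -2 .. +2 points
    return 5 + 65 * shape + jitter


def build_series(full_days=14, extra_slots=21):
    """full_days of history plus a partial day ending at 05:00 (slot 20)."""
    s = [expected_util(slot, day)
         for day in range(full_days) for slot in range(POLLS_PER_DAY)]
    return s + [expected_util(slot, full_days) for slot in range(extra_slots)]


def single_poll_spike():
    """Only the 05:00 poll jumps to 60% (normal for that slot is ~18%)."""
    s = build_series()
    s[-1] = 60.0
    return s


def sustained_spike():
    """04:15 through 05:00 all sit at 60%."""
    s = build_series()
    s[-POLLS_PER_HOUR:] = [60.0] * POLLS_PER_HOUR
    return s


if __name__ == "__main__":
    print("single poll:", run_checks(single_poll_spike()))
    print("sustained hour:", run_checks(sustained_spike()))
```

Run over the two constructed scenarios, a single 60% poll at 05:00 trips the jump check and the time-of-day check but not the global 7-day check: the diurnal swing from 5% to 70% inflates the standard deviation so mean + 3 sigma lands above 100%, which is exactly the blind spot Will describes. An hour at 60% trips the hour-versus-baseline check and the time-of-day check but not the jump check, since the jump happened four polls earlier. Each approach pays for its simplicity somewhere: the global baseline ignores time of day, the hourly average smooths a single-poll blip away, and the per-slot baseline needs several days of history for every slot before it can fire.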
Is there any other software that can yield this functionality?
noman4ever, we use NFSEN for this purpose. It is free, lightweight, and fairly easy to use. It is a very simple solution, and will alert us very quickly. Unfortunately, we have not seen this basic functionality implemented within NTA/NPM.
Here are the subject lines from the emails we get on a few of our NFSEN alerts:
It would be a welcome addition for SolarWinds to incorporate the same functionality that NFSEN uses, as well as MRTG/Cacti for graphing. (Which have been asked for by many users over the years...)
If NTA would work as efficiently and effectively as NFSEN, I would shut down our NFSEN server and go 100% NPM/NTA. However, as is, I would have to recommend NFSEN to best do the job you are requesting.
Thank you for your detailed reply.
Please note that our edge routers cannot be configured for NETFLOW as it will increase CPU load on them.
Please do let me know if NFSEN can work without enabling NETFLOW on our edge routers.
NTA is still not there...
Still get more value for money from third party....