ovt (Bronze)

Alarm summarization rules

Hi!

Could anybody point me to a good document explaining alarm summarization rules and all the relevant parameters like AlarmThrottle? Cisco 4.x documentation is very poor here.

Thank you.

4 REPLIES
Cisco Employee

Re: Alarm summarization rules

Have you read through the following section?

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/csids/csids10/idmiev/swappa.htm#787013

This is about as detailed as it gets.

If you have a specific question after reading through this section then I can try to answer it for you.

ovt (Bronze)

Re: Alarm summarization rules

Thanks for the reply.

Of course, I have read this section and still have a lot of questions.

So far as I understood there are at least (!) 5 summarization models:

1. The 1st one: AlarmThrottle (when the value is *not* FireOnce) + ThrottleInterval + SummaryKey + ChokeThreshold. This model is described pretty well.

The sequence of alarms should be either "FireAll -> Summarize -> GlobalSummarize" or "FireAll -> GlobalSummarize" or "Summarize -> GlobalSummarize".

Correct?

2. The 2nd one: AlarmThrottle (when the value *is* FireOnce) + ThrottleInterval + SummaryKey + ChokeThreshold. There are some questions here:

- What does it mean: "You cannot use AlarmThrottle FireOnce with ChokeThreshold X (where X is not ANY.)"? Does it mean that ChokeThreshold is ignored?

- What does it mean: "You cannot use AlarmThrottle FireOnce with signatures that use StorageKey xxxx."? I see that Atomic.* signatures *do* *have* StorageKey xxxx *and* AlarmThrottle = FireOnce!

- What is the role of the SummaryKey here?

3. The 3rd one: MinHits *without* the AlarmInterval.

So far as I understood this means "Send 1 alarm when a signature fires MinHits times". Correct?

4. The 4th one: MinHits *with* the AlarmInterval.

This is documented as "Send 1 alarm when a signature fires MinHits times for the ThrottleInterval". Is this a misprint? If not, what is the role of the AlarmInterval here?

5. The 5th one is used by Sweep.* engines: "Unique + ResetAfterIdle + AlarmDelayTimer (sometimes?)". This is not documented at all.

There are lots of other questions, for example: are the models (1,2) and (3,4) mutually exclusive?

Hope you will help me,

Oleg Tipisov,

REDCENTER,

Moscow

New Member

Re: Alarm summarization rules

#1 is correct.

#2 has a typo. StorageKey should read as SummaryKey. You can use ChokeThreshold here, and it will take you from FireOnce -> GlobalSummary when you have exceeded "ChokeThreshold" number of alerts for that sig in the ThrottleInterval. Looks like the DOC writers were mixed up with some of the old 3.x techniques here.

#3. Yes. The MinHits is counted on the SummaryKey.

#4. Another typo. Should be: "Send 1 alarm when the signature fires MinHits times within a sliding window timespan of AlarmInterval." ThrottleInterval is not used here.

#5. Not really a summary here.

For the exclusive models, you cannot use AlarmInterval (the timed MinHits) with a summary mode other than FireAll.
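The behaviour the reply above confirms (model 1: FireAll -> Summarize -> GlobalSummarize driven by ChokeThreshold within a ThrottleInterval; model 2: FireOnce escalating to GlobalSummarize; models 3 and 4: MinHits counted per SummaryKey with and without a sliding AlarmInterval) is easiest to understand by running a small model of it. The Python below is an added example written for this thread, not Cisco's code and not posted by anyone in the discussion. It simplifies where the thread is silent, and each such choice is marked as an assumption in the comments: ThrottleIntervals are fixed windows starting at the first hit, the mode returns to the configured one at each new interval, the mode steps up one level each time the hit count passes another multiple of ChokeThreshold, FireOnce alerts once per SummaryKey per interval, and the MinHits counter restarts after it fires. The event stream is constructed.

```python
"""Toy model of the alert-summarization modes discussed in this thread.

Constructed example, not Cisco's code.  Details the thread leaves open are
marked as assumptions in the comments.
"""
from collections import Counter, defaultdict, deque

# Constructed sample stream for one signature: (seconds, SummaryKey value).
# The SummaryKey is taken to be the attacker address.
EVENTS = [(0, "10.0.0.1"), (1, "10.0.0.1"), (2, "10.0.0.2"), (3, "10.0.0.1"),
          (4, "10.0.0.1"), (5, "10.0.0.3"), (20, "10.0.0.1"), (21, "10.0.0.2"),
          (40, "10.0.0.1")]

# Escalation order as stated in the thread (FireOnce goes straight to global).
NEXT_MODE = {"FireAll": "Summarize", "Summarize": "GlobalSummarize",
             "FireOnce": "GlobalSummarize"}


def _flush(out, t, mode, pending):
    """Emit the summary alerts owed at the end of a ThrottleInterval."""
    if not pending:
        return
    if mode == "GlobalSummarize":          # one alert for the whole signature
        out.append((t, "global-summary", "*", sum(pending.values())))
    elif mode == "Summarize":              # one alert per SummaryKey
        for key, n in sorted(pending.items()):
            out.append((t, "summary", key, n))


def throttle(events, throttle_interval, choke_threshold, start_mode="FireAll"):
    """Models 1 and 2: AlarmThrottle + ThrottleInterval + SummaryKey + ChokeThreshold.

    Returns a list of (time, kind, SummaryKey, count).
    Assumptions: fixed windows starting at the first hit; the mode returns to
    start_mode at each new interval; the mode steps up one level each time the
    raw hit count passes another multiple of choke_threshold.
    """
    out, mode, window_start = [], start_mode, None
    raw_hits, steps = 0, 0
    pending, fired_once = Counter(), set()
    for t, key in sorted(events):
        if window_start is None or t >= window_start + throttle_interval:
            if window_start is not None:
                _flush(out, window_start + throttle_interval, mode, pending)
            window_start, mode, raw_hits, steps = t, start_mode, 0, 0
            pending, fired_once = Counter(), set()
        raw_hits += 1
        if (choke_threshold is not None and mode in NEXT_MODE
                and raw_hits > choke_threshold * (steps + 1)):
            mode, steps = NEXT_MODE[mode], steps + 1
        if mode == "FireAll":
            out.append((t, "alert", key, 1))
        elif mode == "FireOnce":
            if key not in fired_once:      # assumption: once per key per interval
                fired_once.add(key)
                out.append((t, "alert", key, 1))
        else:                              # Summarize / GlobalSummarize: count now, report at flush
            pending[key] += 1
    if window_start is not None:
        _flush(out, window_start + throttle_interval, mode, pending)
    return out


def minhits(events, min_hits, alarm_interval=None):
    """Models 3 and 4: MinHits counted per SummaryKey, optionally inside a
    sliding AlarmInterval window.  Returns a list of (time, SummaryKey).
    Assumption: the per-key count restarts after an alert fires."""
    out, hits = [], defaultdict(deque)
    for t, key in sorted(events):
        q = hits[key]
        q.append(t)
        if alarm_interval is not None:
            while t - q[0] > alarm_interval:   # drop hits that slid out of the window
                q.popleft()
        if len(q) >= min_hits:
            out.append((t, key))
            q.clear()
    return out


if __name__ == "__main__":
    for row in throttle(EVENTS, throttle_interval=10, choke_threshold=2):
        print("FireAll/choke=2:", row)
    for row in throttle(EVENTS, 10, 2, start_mode="FireOnce"):
        print("FireOnce/choke=2:", row)
    print("MinHits=3, no AlarmInterval:", minhits(EVENTS, 3))
    print("MinHits=3, AlarmInterval=10:", minhits(EVENTS, 3, alarm_interval=10))
```

With ChokeThreshold 2 the FireAll run emits two individual alerts, escalates to Summarize on the third hit and to GlobalSummarize on the fifth, then reports the remaining four hits as one global summary when the 10-second interval closes. The MinHits runs show the point of #4 in the reply: without an AlarmInterval 10.0.0.1 trips MinHits=3 twice, but with a 10-second sliding window the hits at 20 and 40 seconds never accumulate, so only the first burst alerts.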

New Member

Re: Alarm summarization rules

Can I still use ChokeThreshold for the SWEEP engine signatures (e.g. 3030) on top of 'ResetAfterIdle (+Unique)'?
