topic Re: How to configure alert for identity collector in Firewall and Security Management

How to configure alert for identity collector

soni_kumari1 — Thu, 17 Jan 2019 16:42:20 GMT

How to configure alert for identity collector for below condition.

If identity collector got disconnected.
if gateway got disconnected .
If gateway didn't received last hour events.

customer is having both R80.10 and R77.30 version gateway.

Re: How to configure alert for identity collector

G_W_Albrecht — Fri, 18 Jan 2019 09:29:21 GMT

I could not imagine how to do that. But what i know is that Identity Collector is using the Windows Event Log API for fetching DC´s security logs. And if you know that these conditions show up in logs, you can use SmartEvent for alerting.

Re: How to configure alert for identity collector

Kaspars_Zibarts — Fri, 18 Jan 2019 13:48:46 GMT

We have scripted it and are checking update timestamp against current time. Then issue alert if nothing arrives in X minutes depending on the time of the day

It really depends what sort of alert you want to generate. Custom SNMP traps are described here

SNMP Custom Traps for Monitoring Processes

Re: How to configure alert for identity collector

Juraj_Skalny — Fri, 25 Jan 2019 15:24:51 GMT

Hello Kasparas,

would you be so kind and share scripts please?

or navigate us further where to focus please?

thanks,

Juraj

Re: How to configure alert for identity collector

Kaspars_Zibarts — Wed, 30 Jan 2019 05:57:21 GMT

I'm afraid I can't give you full script as it is fully integrated into our own in-house monitoring system so it wouldn't make much sense

but to give you an idea assuming you have multiple IDCs (else you can take away while loop)

currTime=`date +%s`

pdp conn idc | grep ^[1-9] > idc.tmp

while read line; do

if [ `echo $line | grep -c "No events received in the last hour" ` -eq 0 ]; then
lastEvent=`echo $line | awk '{print $5" "$6}'`

lastEvent=`date --date="$lastEvent" +%s`

let diff=$currTime-$lastEvent

if [ $diff -gt 120 ]; then

do something here if no events seen in last 2 minutes
fi

done < idc.tmp

Re: How to configure alert for identity collector

Juraj_Skalny — Wed, 30 Jan 2019 12:57:00 GMT

Thank you Kasparas very much...really helpful...

Re: How to configure alert for identity collector

soni_kumari1 — Sat, 02 Feb 2019 14:29:08 GMT

Thanks Kasparas ,Its really helpful .

Re: How to configure alert for identity collector

phlrnnr — Tue, 15 Oct 2019 14:05:08 GMT

CP has released better monitoring capability for identity collector in R80.20. If you look at sk108235 at the 'Monitoring Capability' section, you can get more details.

Basically, you have to enable it on the identity collector server in the registry by adding a key called 'MonitoringEnabled'. Once enabled, it will send stats from IDC to the attached gateways / PDPs. You can view that info from the CLI using:

cpstat identityServer -f idc (R80.20)
pdp idc status (R80.30)

You can also monitor these items via SNMP on the gateway:

The SNMP Object Identifiers (OIDs) that points to this information are found in $FWDIR/conf/identity_server.cps

Hope that helps.