Alert escalation and how it works

Alerts notify you if something unexpected or suspicious happens. It is important for administrators to respond to alerts to maintain the health of the SMC.

Alert entries inform the administrators when an event in the system requires their attention. For example, alerts are sent when there is a problem with the system, when a test or task fails, or when a rule that is configured to trigger an alert matches. Alerts can also be sent when a threshold for a user alert check is exceeded.

Active alerts are stored on the Management Server until the alerts are acknowledged. In an environment with multiple Management Servers, each active alert is stored on each Management Server. Alert entries are displayed in the Active Alerts view and in the Logs view with other types of log entries.

If you have configured the Management Client to show users in the Dashboard view, you can see a summary of user alerts. Select a user to see the user alerts that the user has generated.

The Management Server can send out different types of notifications to administrators. Alert escalation stops when one of the administrators acknowledges the alert or when all configured alert notifications have been sent. When an alert entry is acknowledged, it is removed from the Active Alerts view and from the Management Server, and an audit entry is created.

Figure: Alert escalation (the numbered steps below correspond to the figure)

  1. An event on a system component triggers an alert entry.
  2. The alert entry is sent to the Log Server, which stores it.
  3. The Log Server forwards the alert entry to the Management Server, where it is handled as an active alert.
  4. The Management Server matches the alert entry to the Alert Policy to select the correct Alert Chain.
  5. The Alert Chain triggers a series of notifications that are sent to administrators.

For example, an Alert Chain can first notify one of the administrators by email and wait for acknowledgment for 10 minutes. If the alert is not acknowledged in time, the Management Server can send another notification as an SMS text message.

Limitations

  • The SMC does not support authentication or TLS encryption for SMTP.
  • Only one email recipient can be configured for each notification. To send an email to several people at the same time, you must configure an email group on the mail server or configure several notifications consecutively without delays.
  • Only SMC servers can send Test Alerts. Test Alerts always have default Severity and Situation information.
  • By default, the maximum number of active alerts is 3000 per Domain. You can change the default number of active alerts per Domain by adjusting the MAX_ACTIVE_ALERTS and CRITICAL_ACTIVE_ALERTS_EXTRA_SPACE parameters in the SGConfiguration.txt file that is stored on the Management Server. The maximum number of alerts of any Severity is 2000. After 2000 alerts of any Severity have been sent, only Critical alerts are still sent until the total number of active alerts is 3000.
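The following Python model is an added illustration of the two rules described on this page (the email-then-SMS escalation example above, and the per-Domain active-alert limits in the last bullet). It is not Forcepoint or SMC code: the class and field names, the simulated clock, and the sample recipients and Situation name are all assumptions constructed for the example. It shows how an Alert Chain stops as soon as an administrator acknowledges the alert, how an unacknowledged alert stays active after every notification has been sent, and how non-Critical alerts are refused once 2000 alerts are active while Critical alerts are still admitted up to 3000.

```python
"""Model of SMC-style alert handling (added example, not product code).

Two behaviours from the documentation are simulated:
  * Alert Chain escalation: notify, wait for acknowledgment, escalate.
  * Active-alert capacity: any Severity up to 2000 per Domain, then only
    Critical alerts until the MAX_ACTIVE_ALERTS default of 3000.
Time is a simulated clock in minutes; nothing is actually sent.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

CRITICAL = "Critical"


@dataclass
class Alert:
    alert_id: int
    severity: str      # e.g. "Critical", "High", "Low"
    situation: str     # Situation name of the triggering event (constructed)


@dataclass
class Notification:
    channel: str       # "email" or "sms"
    recipient: str
    wait_minutes: int  # how long to wait for acknowledgment before the next step


@dataclass
class ManagementServer:
    max_active: int = 3000          # MAX_ACTIVE_ALERTS default from the page
    any_severity_limit: int = 2000  # beyond this only Critical alerts are admitted
    active: Dict[int, Alert] = field(default_factory=dict)
    audit: List[str] = field(default_factory=list)
    sent: List[Tuple[int, str, str, int]] = field(default_factory=list)

    def admit(self, alert: Alert) -> bool:
        """Apply the active-alert limits from the Limitations section."""
        count = len(self.active)
        if count >= self.max_active:
            return False                      # Domain is full, even for Critical
        if count >= self.any_severity_limit and alert.severity != CRITICAL:
            return False                      # only Critical alerts still fit
        self.active[alert.alert_id] = alert
        return True

    def acknowledge(self, alert_id: int, admin: str) -> None:
        """Acknowledging removes the active alert and writes an audit entry."""
        self.active.pop(alert_id)
        self.audit.append(f"alert {alert_id} acknowledged by {admin}")

    def escalate(self, alert: Alert, chain: List[Notification],
                 ack_at: Optional[Tuple[int, str]] = None
                 ) -> List[Tuple[int, str, str, int]]:
        """Run an Alert Chain on a simulated clock.

        ack_at=(minute, admin) simulates an administrator acknowledging the
        alert at that minute; None means nobody ever acknowledges it.
        Returns the (minute, channel, recipient, alert_id) entries sent.
        """
        sent_here: List[Tuple[int, str, str, int]] = []
        clock = 0
        for step in chain:
            if alert.alert_id not in self.active:
                break                         # acknowledged: escalation stops
            entry = (clock, step.channel, step.recipient, alert.alert_id)
            self.sent.append(entry)
            sent_here.append(entry)
            clock += step.wait_minutes        # wait for acknowledgment
            if ack_at is not None and ack_at[0] <= clock:
                self.acknowledge(alert.alert_id, ack_at[1])
        return sent_here                      # chain exhausted: escalation stops


# The chain from the page: email first, wait 10 minutes, then an SMS.
# Recipients are constructed placeholders.
EXAMPLE_CHAIN = [
    Notification("email", "admin1@example.com", 10),
    Notification("sms", "+15555550100", 15),
]


def run_example(ack_minute: Optional[int]) -> Tuple[List, bool, List[str]]:
    """Escalate one constructed alert; return (sent, still_active, audit)."""
    server = ManagementServer()
    alert = Alert(1, "High", "System-Test-Failed")   # constructed Situation
    server.admit(alert)
    ack = (ack_minute, "admin1") if ack_minute is not None else None
    sent = server.escalate(alert, EXAMPLE_CHAIN, ack)
    return sent, alert.alert_id in server.active, server.audit


if __name__ == "__main__":
    for minute in (5, 25, None):
        print(minute, run_example(minute))
```

Running the module shows the three cases: acknowledgment at minute 5 sends only the email; acknowledgment at minute 25 sends the email and the SMS and then clears the alert; no acknowledgment sends both and leaves the alert active with no audit entry, which is why the page says administrators must acknowledge alerts to keep the Active Alerts view healthy.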