Edit Alert Chain elements

Alert Chain elements are composed of rows ordered from top to bottom. Each row specifies a notification method and a recipient.

You can only enter one recipient and one notification method per row. You must add more rows in the following cases:

You want to use the same notification method for more than one recipient.
You want to use more than one notification method for the same recipient.

The Final Action row determines what happens when all Alert Channels in the Alert Chain have been tried, but none of the Administrators have acknowledged the alert.

Tip: It is not mandatory to add any rows to an Alert Chain. For example, you can use only the Final Action to automatically acknowledge or stop the escalation of alert entries that the Alert Policy directs to the chain.

For more details about the product and how to configure features, click Help or press F1.

Steps

Select Configuration, then browse to Administration.
Browse to Alert Configurations > Alert Chains.
Right-click an Alert Chain, then select Edit <name>.
Add a rule:
- In an empty Alert Chain, right-click the Final Action row, then select Rule > Add Rule.
- In an Alert Chain with existing rules, right-click a rule, then select Rule > Add Rule Before or Rule > Add Rule After.
Select the Alert Channel.
Specify the Destination of the alert notification.
The destination information varies according to the selected alert channel.
(Recommended) Double-click the Threshold to Block cell, then set a limit for how many alerts the designated recipient is sent.
(Mandatory for the Delay channel, optional for other channels) In the Delay cell, enter the number of minutes before the next row of the alert chain is processed.
- The purpose of the delay is to give to the recipient of the notification enough time to acknowledge the alert before the next notification is sent.
- If sending the notification through the selected channel fails, the delay entered here is ignored. If you want to add delays that are always valid, add a row with Delay as the alert channel, then set the delay on that row.
Select the Final Action that the SMC takes if the last row of the Alert Chain is reached.
Click Save.

Alert Chain Editing view

Use this view to define Alert Chains that are used in Alert Policies. Alert Chains define which notification channels are used to send alert notifications to administrators.

Option	Definition
Resources	Use this pane to create and add elements to an Alert Chain.
Search	Opens a search filed for the selected element list.
Up (Backspace)	Returns to the previous folder.
New	Opens the associated dialog box to create an element.
Tools	New — Creates an element of the specified type. Show Deleted Elements — Shows elements that have been moved to the Trash. Expand All — Expands all levels of the interface tree. Collapse All — Collapses all levels of the interface tree. Refresh View — Updates the interface tree. Enforce Password Settings — Opens the Global System Properties dialog box where you can enforce and define global password settings. Administrator Messaging Enabled — Enables administrator messaging. Send Message — Opens the Conversation Properties dialog box that allows you to send messages to other administrators.

Option	Definition
Policy Toolbar
Save	Saves the changes.
Undo operation	Undoes the last change made.
Redo operation	Redoes the last change that was undone.
Tools
Validate	Validates the rules in alert chain. Opens the Validate Policy dialog box in which you can select which issues are checked in the rules.
Expand Rule Sections	If you have added Rule Sections, they are all expanded.
Collapse Rule Sections	If you have added Rule Sections, and they are expanded, they are all collapsed.
Target selector	Selects the target Domain for the Validate action.
ID	(Not editable) Automatically assigned ID number that indicates the order of the rules in the policy. The rules are matched against traffic in the order of the ID numbers. For example, the rule 14.3 is the third rule added in this policy to the insert point that is the fourteenth rule in the upper-level template. Right-clicking this type of cell opens these menu items: Properties — Opens the Rule Properties dialog box. Cut Rule — Copies the rule to the clipboard and deletes the rule from the policy. Copy Rule — Copies the rule from the policy. Paste — Pastes the rule into the policy. Delete Rule — Deletes the rule from the policy. Disable Rule — Temporarily disables the rule without deleting it. Add Rule Before — Adds the new rule before the selected rule or section. Add Rule After — Adds the new rule after the selected rule or section. Add Rule Section Before — Creates a collapsible section before the selected rule or section. Add Rule Section After — Creates a collapsible section after the selected rule or section. Move Rule Up — Moves the rule position up the list. Move Rule Down — Moves the rule position down the list.
Channel	Specifies the Alert Channel. Custom Script — Alerts are sent for processing to a script you create. Delay — Processing is paused for the specified time before the next rule is applied. SMS — An SMS text message is sent. If you use a third-party tool to forward SMS messages to administrators, you must install the tool, software, and drivers for the tool on the same host. If the tool is not installed on the Management Server host, you must configure the script for sending the alert notifications to access the tool remotely. Note: If you have installed a third-party tool, make sure that your Engine or Layer 2 Engine Policy allows the traffic from the Management Server to the host. SMTP — An email is sent. SNMP — An SNMP trap is sent. User Notification — A blinking icon appears at the bottom right corner of the selected administrator Management Client. The icon works as a shortcut to the Active Alerts view.
Destination	Specifies the destination of the alert notification. The destination information varies according to the selected Alert Channel. Custom Script — Enter the name or full path of the script file. Note: The root path (the default directory where the script is executed) is defined in the Management Server properties. SMS — Enter the recipient's mobile phone number. SMTP — Enter the recipient's email address. Only one address is allowed. Use a mail group address or create additional rows without delays to send the email to multiple recipients at the same time. SNMP — Not editable. The SNMP server is defined in the Log Server properties (the actual SNMP trap that is sent depends on the alert event).
Threshold to Block	Double-click the cell to specify the limit for how many alerts the designated recipient is sent. The Threshold to Block dialog box opens. Note: Leaving the Threshold to Block cell empty is the same as setting the cell to No Moderation. There is no maximum number of alerts sent to the recipient.
Delay	Specifies a pause (in minutes) before the next row of the alert change is processed. The purpose of the delay is to give the recipient of the notification enough time to acknowledge the alert before the next notification is sent. If sending the notification through the selected channel fails, the delay entered here is ignored. If you want to add delays that are always valid, add a row with Delay as the alert channel and set the delay on that row.
Comment	An optional comment for your own reference.
Rule Name	Contains a rule tag and optionally a rule name. Name (Optional) — Name or description for the rule. Displayed alongside the rule tag. Tag (Not editable) — Automatically assigned unique identification for the rule. Works as a link between the log entries and the rule that has generated the log entries. The rule tag consists of two parts (for example, @20.1). The first part of the tag is permanent and belongs to only that rule. The second part changes when the rule is changed. The first part and the second part are separated by a period. Right-clicking this type of cell opens these menu items: Edit Rule Name — Opens a text area that allows you to edit the rule name. Clear Cell — Removes the cell content. Remaining list items are the same as for the ID cell.
Final Action	Specifies the Final Action that the SMC takes if the last row of the Alert Chain is reached. None — The alert escalation ends. No further notifications are sent, but the alert stays in the list of active alerts. Acknowledge — The alert escalation ends and the SMC automatically acknowledges the alert (removes it from the list of active alerts). Redirect — The alert escalation continues in the Alert Chain you select in the adjacent box. Return — Returns the processing to the Alert Policy. The Alert Policy matching continues from the next row. If there is another matching rule in the Alert Policy, the alert escalation continues. If no further matches are found, the escalation ends and the alert stays in the list of active alerts.
to	When Redirect is selected as the Final Action, specifies the Alert Chain in which the alert escalation continues.

Option	Definition
General tab
Name	The name of the rule.
Rule Tag	The rule's tag.
Comment	Comment in the rule.
Rule Info tab	The rule cells and their values. Right-clicking the ID cell opens the following menu items: Preview Alert Chain Rule — Opens the Alert Chain rule for preview. Lock — Prevents edits until the rule is explicitly unlocked. Opens the Lock Properties dialog box.

Option	Definition
History tab
Creator	Shows the administrator who created the rule.
Created	Shows the time when the rule was created.
Modifier	Shows the administrator who modified the rule.
Modified	Shows the time when the rule was modified.
Audit History	Opens the Logs view and displays the audit log data for traffic that matches the rule.

Threshold to Block dialog box

Use this dialog box to configure the maximum number of alerts the recipient receives.

Option	Definition
Pass on max	Enter the maximum number of alerts that the recipient receives. After this threshold is reached, any alert chain rules with this recipient are ignored.
During	Enter the time period in hours (h) and minutes (min) for counting the number of alerts to the recipient.
Notify First Blocking	Select this option to notify the alert recipient when alert blocking starts.
No Moderation	Select this option if you do not want to set a threshold for blocking. Setting a threshold is recommended to maintain a more manageable level of alerts received.