PingIntelligence

Email alerts and reports

ASE sends email notifications under two categories:

  • Alerts – alerts are event based.

  • Reports – sent at a configured frequency (email_report) from one to seven days.

In a cluster deployment, configure email on the first ASE node. If the first ASE node is not available, the ASE node with the next highest up-time takes over the task of sending email alerts and daily reports. For more information on ASE clusters, see Administering an ASE cluster.

; Defines report frequency in days [0=no reports, 1=every day, 2=once in two days and max is 7 days]
email_report=1
; Specify your email settings
smtp_host=smtp://<smtp-server>
smtp_port=587
; Set this value to true if the SMTP host supports SSL
smtp_ssl=true
; Set this value to true if SSL certificate verification is required
smtp_cert_verification=false
sender_email=
sender_password=
receiver_email=

; Defines threshold for an email alert. For example, if CPU usage is 70%, you will get an
; alert.
cpu_usage=70
memory_usage=70
filesystem_size=70
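
A small audit of the settings above, as an added example that is not part of the PingIntelligence documentation: it parses the key=value lines and flags SSL without certificate verification, a missing recipient, and out-of-range report frequency or thresholds. The sample values and the wording of the findings are constructed; treating a missing key as unset and the 1-100 threshold range are assumptions of this example.

```python
SAMPLE_CONF = """\
; constructed sample, using only keys shown on this page
enable_email=true
email_report=9
smtp_host=smtp://mail.example.com
smtp_port=587
smtp_ssl=true
smtp_cert_verification=false
sender_email=ase@example.com
sender_password=
receiver_email=
cpu_usage=70
memory_usage=170
filesystem_size=70
"""

def parse_conf(text):
    """Parse key=value lines; lines starting with ';' are comments."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith(";") and "=" in line:
            key, _, value = line.partition("=")
            conf[key.strip()] = value.strip()
    return conf

def in_range(conf, key, low, high):
    """True if conf[key] is an integer within [low, high]; missing keys fail."""
    value = conf.get(key, "")
    return value.isdigit() and low <= int(value) <= high

def audit_email_settings(conf):
    """Return (key, finding) pairs for weak or invalid email settings."""
    is_true = lambda key: conf.get(key, "").lower() == "true"
    findings = []
    if not is_true("enable_email"):
        findings.append(("enable_email", "email disabled; alerts only reach controller.log"))
    if not is_true("smtp_ssl"):
        findings.append(("smtp_ssl", "SMTP session and sender_password not protected by SSL"))
    elif not is_true("smtp_cert_verification"):
        findings.append(("smtp_cert_verification", "SSL without certificate verification"))
    if not conf.get("receiver_email"):
        findings.append(("receiver_email", "no recipient configured"))
    if not in_range(conf, "email_report", 0, 7):
        findings.append(("email_report", "must be 0 (no reports) to 7 days"))
    for key in ("cpu_usage", "memory_usage", "filesystem_size"):
        if not in_range(conf, key, 1, 100):  # assumed valid range for a percentage
            findings.append((key, "threshold is not a percentage in 1-100"))
    return findings
```

Calling `audit_email_settings(parse_conf(SAMPLE_CONF))` returns one finding each for smtp_cert_verification, receiver_email, email_report and memory_usage.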

Email alerts

Email alerts are sent based on the following event categories:

  • System resource – System resources are polled every 30 minutes to calculate usage. An email alert is sent if the value exceeds the defined threshold. The following system resources are monitored:

    • CPU: average CPU usage for a 30-minute interval

    • Memory: memory usage at the 30th minute

    • Filesystem: filesystem usage at the 30th minute

  • Configuration – When configuration changes occur, an email alert is sent for these events:

    • Adding or removing an API

    • Adding or deleting a server

    • Nodes of a cluster are UP or DOWN

  • Decoy API – When decoy APIs are accessed for the first time, an email alert is sent. The time between consecutive alerts is set using decoy_alert_interval in ase.conf. The default value is 180 minutes. For more information on decoy APIs, see In-Context decoy APIs.

  • ASE-ABS log transfer and communication – ASE sends an alert under the following two conditions:

    • Access log transfer failure – When ASE is not able to send access log files to ABS for more than an hour, ASE sends an alert with the names of the log files.

    • ASE-ABS communication failure – When interruptions occur in ASE-ABS communication, an alert is sent identifying the error type. The email also mentions the current and total counter for the alert. The current counter lists the number of times that failure happened in the last hour. The total counter lists the total number of times that error has occurred since ASE was started. The alert can report the following error types:

      • ABS seed node resolve

      • ABS authentication

      • ABS config post

      • ABS cluster INFO

      • ABS service unavailable

      • Log upload

      • Duplicate log upload

      • Log file read

      • ABS node queue full

      • ABS node capacity low

      • ABS attack type fetch

Following is a template for alerts:

Event:  <the type of event>
Value:  <the specific trigger for the event>
When:  <the date and time of the event>
Where:  <the IP address or hostname of the server where the event occurred>

For example,

Event : high memory usage
Value : 82.19%
When : 2019-May-16 18:30:00 PST
Where : vortex-132

Alerts logged in log file: The following alerts are logged in the controller.log file when email alerts are disabled (enable_email=false) in the ase.conf file.

  • High CPU use

  • High memory use

  • High filesystem use

  • Adding API to ASE

  • Removing API from ASE

  • Updating an API

  • Adding a backend server

  • Removing a backend server

  • ASE cluster node available

  • ASE cluster node unavailable

  • Backend server state changed to UP

  • Backend server state changed to DOWN

  • Log upload service failure

  • Error while uploading file

  • Invalid ASE license file

  • Expired ASE license file

Email reports


ASE sends reports at the frequency, in days, configured in the ase.conf file. The report is sent at midnight (00:00:00) based on the local system time. The report contains the following:

  • Cluster name and location

  • Status information on each cluster node

    • Operating system, IP address, management port, and cluster port

    • Ports and the number of processes (PIDs)

    • Average CPU, memory utilization – average during 30-minute polling intervals

    • Disk usage and log size

  • Information on each API: Name, Protocol, and Server Pool

Following is a template of a weekly or daily email report:

Date: Sat, 29 Jun 2019 04:01:47 -0800 (PST)
To: receiver@example.com
From: sender@example.com
Subject:  API Security Enforcer Daily Reports

Dear DevOps,
Please find the daily report generated by ase2 at 2019-Jun-29 00:01:01 UTC.
============== Cluster Details =================
Cluster Name: pi_cluster
Active Nodes: 2
Inactive nodes: 0
No of APIs: 7
LSM State: disabled
Manual IOC: 0
Automated IOC: 0

================== Node 1 ===================
Host Name: apx1
Management Port: 8010
Cluster Port: 8020
Status: Active
Up Since: 2019-Jan-26 09:27:26
Operating System: Ubuntu 14.04.4 LTS
CPU Usage: 55.80%
Memory Usage: 38.17%
Filesystem Usage: 17.20%
Log Size: 20 GB

================== Node 2 ===================
Host Name: apx2
Management Port: 8010
Cluster Port: 8020
Status: Active
Up Since: 2019-Jan-26 09:26:35
Operating System: Ubuntu 14.04.4 LTS
CPU Usage: 55.79%
Memory Usage: 38.17%
Filesystem Usage: 17.20%
Log Size: 20 GB
=============================================

================= API Details ==================
API ID: https-app
Status: loaded
Protocol: https
decoy: in-context
Active Servers: 172.17.0.8:2800 172.17.0.7:2700
Inactive Servers:
=============================================
API ID: http-app
Status: loaded
Protocol: http
decoy: in-context
Active Servers: 172.17.0.7:2100 172.17.0.8:2300 172.17.0.7:2700
Inactive Servers:
=============================================

Best,
API Security Enforcer

Decoy API access reports: ASE sends a decoy API access report at a 3-hour interval by default. You can configure this interval, in minutes, with the decoy_alert_interval variable in the ase.conf file. ASE sends the report only if the decoy API is accessed during the configured time interval. The report provides the following details:

  • The start time when the decoy API was first accessed and the end time when it was last accessed

  • The ASE cluster name

  • The total number of requests for decoy API in the ASE cluster

  • The host name of the ASE where the decoy API was accessed

Following is a sample email template for decoy API:

Date: Sat, 29 Jun 2019 04:01:47 -0800 (PST)
To: receiver@example.com
From: sender@example.com
Subject:  API Security Enforcer Decoy Access Reports

Dear DevOps,
Please find the decoy report generated by ase2 at 2019-Jun-29 12:01:45 UTC. The default location for the decoy log files is in the directory: /opt/pingidentity/ase/logs/
============== Decoy Summary =================
Cluster Name: pi_cluster
Start Time: 2019-Jun-29 09:00:00
End Time: 2019-Jun-29 12:00:00
Total Requests: 875

================== Node 1 ===================
Host Name: ase2
Total Requests: 428

================== Node 2 ===================
Host Name: ase
Total Requests: 447

Best,
API Security Enforcer
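
For teams that forward these reports to a SIEM, the following added example (not part of the PingIntelligence documentation) parses a decoy report body into one structured record and cross-checks the per-node request counts against the cluster total. The input is constructed from the sample report above; the function names and output field names are this example's own.

```python
import re

# Constructed input modelled on the sample decoy report above (mail headers omitted).
SAMPLE_REPORT = """\
============== Decoy Summary =================
Cluster Name: pi_cluster
Start Time: 2019-Jun-29 09:00:00
End Time: 2019-Jun-29 12:00:00
Total Requests: 875

================== Node 1 ===================
Host Name: ase2
Total Requests: 428

================== Node 2 ===================
Host Name: ase
Total Requests: 447
"""

SECTION = re.compile(r"^=+\s*([^=]+?)\s*=+$")     # "==== Title ===="
FIELD = re.compile(r"^([A-Za-z ]+?)\s*:\s*(.*)$")  # "Key: value"

def parse_decoy_report(body):
    """Split the report into its summary fields and a list of per-node sections."""
    summary, nodes, current = {}, [], None
    for line in body.splitlines():
        section = SECTION.match(line.strip())
        field = FIELD.match(line.strip())
        if section:
            current = {} if section.group(1).startswith("Node") else summary
            if current is not summary:
                nodes.append(current)
        elif field and current is not None:
            current[field.group(1)] = field.group(2)
    return summary, nodes

def to_event(body):
    """Build one record; nodes are keyed by host name, not by node number."""
    summary, nodes = parse_decoy_report(body)
    per_host = {n["Host Name"]: int(n["Total Requests"]) for n in nodes}
    total = int(summary["Total Requests"])
    return {
        "cluster": summary["Cluster Name"],
        "window": (summary["Start Time"], summary["End Time"]),
        "total_requests": total,
        "per_host": per_host,
        "consistent": sum(per_host.values()) == total,
    }
```

A record with `consistent` set to False means a node section is missing or a count was altered, so the mail should be checked against the decoy log files rather than ingested as-is.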