---
title: Email alerts and reports
description: ASE sends email notifications under two categories:
component: pingintelligence
version: 5.1
page_id: pingintelligence:api_security_enforcer:pingintelligence_email_alerts_reports
canonical_url: https://docs.pingidentity.com/pingintelligence/5.1/api_security_enforcer/pingintelligence_email_alerts_reports.html
revdate: March 25, 2024
section_ids:
  email-reports: Email reports
---

# Email alerts and reports

ASE sends email notifications under two categories:

* **Alerts** – alerts are event based.

* **Reports** – sent at a configured frequency (`email_report`) from one to seven days.

In a cluster deployment, configure email on the first ASE node. If the first ASE node is not available, the ASE node with the next highest uptime takes over the task of sending email alerts and daily reports. For more information on ASE clusters, see [Administering an ASE cluster](pingintelligence_administering_ase_cluster.html).

```
; Defines report frequency in days [0=no reports, 1=every day, 2=once in two days and max is 7 days]
email_report=1
; Specify your email settings
smtp_host=smtp://<smtp-server>
smtp_port=587
; Set this value to true if smtp host supports SSL
smtp_ssl=true
; Set this value to true if SSL certificate verification is required
smtp_cert_verification=false
sender_email=
sender_password=
receiver_email=

; Defines threshold for an email alert. For example, if CPU usage is 70%, you will get an
; alert.
cpu_usage=70
memory_usage=70
filesystem_size=70
```
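The following added example (not Ping Identity code) lints the email block of `ase.conf` before deployment. With `smtp_cert_verification=false`, as in the snippet above, the SMTP server's certificate is not checked, so the session that carries `sender_password` and the alert contents is not protected against a host impersonating the mail server. The `key=value` parser, the function names and the 1..100 threshold range are assumptions.

```python
# Constructed sample that mirrors the snippet above (not a production file).
SAMPLE_CONF = """\
email_report=1
smtp_host=smtp://<smtp-server>
smtp_port=587
smtp_ssl=true
smtp_cert_verification=false
sender_email=
sender_password=
receiver_email=
cpu_usage=70
memory_usage=70
filesystem_size=70
"""

def parse_conf(text):
    """Parse key=value lines; lines starting with ';' are comments."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith(";") and "=" in line:
            key, _, value = line.partition("=")
            settings[key.strip()] = value.strip()
    return settings

def audit_email_settings(settings):
    """Return (key, finding) pairs for the email block of ase.conf."""
    findings = []
    if settings.get("smtp_ssl", "").lower() != "true":
        findings.append(("smtp_ssl", "SSL is off for the SMTP connection"))
    elif settings.get("smtp_cert_verification", "").lower() != "true":
        findings.append(("smtp_cert_verification",
                         "SMTP server certificate is not verified"))
    report = settings.get("email_report", "")
    if not report.isdigit() or int(report) > 7:
        findings.append(("email_report", "must be 0 (no reports) to 7 days"))
    # Assumption: thresholds are whole percentages in the range 1..100.
    for key in ("cpu_usage", "memory_usage", "filesystem_size"):
        value = settings.get(key, "")
        if not value.isdigit() or not 1 <= int(value) <= 100:
            findings.append((key, "threshold is not a percentage in 1..100"))
    for key in ("sender_email", "receiver_email"):
        if not settings.get(key):
            findings.append((key, "address is empty"))
    return findings
```

Running `audit_email_settings(parse_conf(SAMPLE_CONF))` flags the disabled certificate verification and the two empty addresses.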

**Email alerts**

Email alerts are sent based on the following event categories:

* **System resource** – System resources are polled every 30 minutes to calculate usage. An email alert is sent if the value exceeds the defined threshold. The following system resources are monitored:

  * CPU: average CPU usage for a 30-minute interval

  * Memory: memory usage at the 30th minute

  * Filesystem: filesystem usage at the 30th minute

* **Configuration** – When configuration changes occur, an email alert is sent for these events:

  * Adding or removing an API

  * Adding or deleting a server

  * Nodes of a cluster are UP or DOWN

* **Decoy API** – When decoy APIs are accessed for the first time, an email alert is sent. The time between consecutive alerts is set using `decoy_alert_interval` in `ase.conf`. The default value is 180 minutes. For more information on decoy APIs, see [In-Context decoy APIs](pingintelligence_in_context_decoy_api.html).

* **ASE-ABS log transfer and communication** – ASE sends an alert in the following two conditions:

  * **Access Log transfer failure** – When ASE is not able to send access log files to ABS for more than an hour, ASE sends an alert with the names of the log files.

  * **ASE-ABS communication failure** – When interruptions occur in ASE-ABS communication, an alert is sent identifying the error type. The email also mentions the current and total counter for the alert. The **current** counter lists the number of times that failure happened in the last hour. The **total** counter lists the total number of times that error has occurred since ASE was started.

    * ABS seed node resolve

    * ABS authentication

    * ABS config post

    * ABS cluster INFO

    * ABS service unavailable

    * Log upload

    * Duplicate log upload

    * Log file read

    * ABS node queue full

    * ABS node capacity low

    * ABS attack type fetch

Following is a template for alerts:

```
Event:  <the type of event>
Value:  <the specific trigger for the event>
When:  <the date and time of the event>
Where:  <the IP address or hostname of the server where the event occurred>
```

For example,

```
Event : high memory usage
Value : 82.19%
When : 2019-May-16 18:30:00 PST
Where : vortex-132
```

**Alerts logged in log file**: The following alerts are logged in the `controller.log` file when email alerts are disabled (`enable_email=false`) in the `ase.conf` file.

* High CPU use

* High memory use

* High filesystem use

* Adding API to ASE

* Removing API from ASE

* Updating an API

* Adding a backend server

* Removing a backend server

* ASE cluster node available

* ASE cluster node unavailable

* Backend server state changed to UP

* Backend server state changed to DOWN

* Log upload service failure

* Error while uploading file

* Invalid ASE license file

* Expired ASE license file

## Email reports

ASE sends reports at the frequency, in days, configured in the `ase.conf` file. The report is sent at midnight (00:00:00) based on the local system time. The report contains the following:

* Cluster name and location

* Status information on each cluster node

  * Operating system, IP address, management port, and cluster port

  * Ports and the number of processes (PIDs)

  * Average CPU, memory utilization – average during 30-minute polling intervals

  * Disk usage and log size

* Information on each API: Name, Protocol, and Server Pool

The following is a template of a weekly or daily email report:

```
Date: Sat, 29 Jun 2019 04:01:47 -0800 (PST)
To: receiver@example.com
From: sender@example.com
Subject:  API Security Enforcer Daily Reports

Dear DevOps,
Please find the daily report generated by ase2 at 2019-Jun-29 00:01:01 UTC.
============== Cluster Details =================
Cluster Name: pi_cluster
Active Nodes: 2
Inactive nodes: 0
No of APIs: 7
LSM State: disabled
Manual IOC: 0
Automated IOC: 0

================== Node 1 ===================
Host Name: apx1
Management Port: 8010
Cluster Port: 8020
Status: Active
Up Since: 2019-Jan-26 09:27:26
Operating System: Ubuntu 14.04.4 LTS
CPU Usage: 55.80%
Memory Usage: 38.17%
Filesystem Usage: 17.20%
Log Size: 20 GB

================== Node 2 ===================
Host Name : apx2
Management Port: 8010
Cluster Port: 8020
Status: Active
Up Since: 2019-Jan-26 09:26:35
Operating System: Ubuntu 14.04.4 LTS
CPU Usage: 55.79%
Memory Usage: 38.17%
Filesystem Usage: 17.20%
Log Size: 20 GB
=============================================

================= API Details ==================
API ID: https-app
Status: loaded
Protocol: https
decoy: in-context
Active Servers: 172.17.0.8:2800 172.17.0.7:2700
Inactive Servers:
=============================================
API ID: http-app
Status: loaded
Protocol: http
decoy: in-context
Active Servers: 172.17.0.7:2100 172.17.0.8:2300 172.17.0.7:2700
Inactive Servers:
=============================================

Best,
API Security Enforcer
```

**Decoy API access reports**: ASE sends a decoy API access report at a 3-hour interval by default. You can configure this interval, in minutes, by setting the `decoy_alert_interval` variable in the `ase.conf` file. ASE sends the report only if the decoy API is accessed during the configured time interval. The report provides the following details:

* The start time when the decoy API was first accessed and the end time when it was last accessed

* The ASE cluster name

* The total number of requests for decoy API in the ASE cluster

* The host name of the ASE where the decoy API was accessed

Following is a sample email template for decoy API:

```
Date: Sat, 29 Jun 2019 04:01:47 -0800 (PST)
To: receiver@example.com
From: sender@example.com
Subject:  API Security Enforcer Decoy Access Reports

Dear DevOps,
Please find the decoy report generated by ase2 at 2019-Jun-29 12:01:45 UTC. The default location for the decoy log files is in the directory: /opt/pingidentity/ase/logs/
============== Decoy Summary =================
Cluster Name: pi_cluster
Start Time: 2019-Jun-29 09:00:00
End Time: 2019-Jun-29 12:00:00
Total Requests: 875

================== Node 1 ===================
Host Name: ase2
Total Requests: 428

================== Node 1 ===================
Host Name: ase
Total Requests: 447

Best,
API Security Enforcer
```
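Because decoy access is a high-signal event, the report is worth ingesting rather than only reading. The following added example (not Ping Identity code) parses the report body shown above, checks that the per-node counts add up to the cluster total, and computes the reporting window so it can be compared with `decoy_alert_interval`. The function name and output keys are assumptions; nodes are keyed by `Host Name` because the node header number repeats in the sample.

```python
import re
from datetime import datetime

# Constructed sample: the summary and node sections of the report above.
SAMPLE_REPORT = """\
============== Decoy Summary =================
Cluster Name: pi_cluster
Start Time: 2019-Jun-29 09:00:00
End Time: 2019-Jun-29 12:00:00
Total Requests: 875

================== Node 1 ===================
Host Name: ase2
Total Requests: 428

================== Node 1 ===================
Host Name: ase
Total Requests: 447
"""

SECTION = re.compile(r"^=+\s*(.+?)\s*=+$")   # "===== Decoy Summary ====="
FIELD = re.compile(r"^([^:]+?)\s*:\s*(.*)$")  # "Key: value", split on first colon
TIME_FMT = "%Y-%b-%d %H:%M:%S"                # e.g. 2019-Jun-29 09:00:00

def check_decoy_report(body):
    """Parse a decoy report body and cross-check its request counters."""
    summary, nodes, section, host = {}, {}, None, None
    for line in body.splitlines():
        header = SECTION.match(line.strip())
        if header:
            section, host = header.group(1), None
            continue
        field = FIELD.match(line.strip())
        if not field or section is None:   # mail headers, greeting, blanks
            continue
        key, value = field.groups()
        if section == "Decoy Summary":
            summary[key] = value
        elif key == "Host Name":
            host = value
        elif key == "Total Requests" and host:
            nodes[host] = nodes.get(host, 0) + int(value)
    start = datetime.strptime(summary["Start Time"], TIME_FMT)
    end = datetime.strptime(summary["End Time"], TIME_FMT)
    total = int(summary["Total Requests"])
    return {"cluster": summary["Cluster Name"], "total": total,
            "window_minutes": int((end - start).total_seconds() // 60),
            "per_node": nodes, "totals_match": sum(nodes.values()) == total}
```

For the sample, the window is 180 minutes, which matches the default `decoy_alert_interval`, and the node counts (428 and 447) add up to the reported total of 875.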
