PingIntelligence

Email alerts

When you configure alerts, they use the following template:

Event:  <the type of event>
Value:  <the specific trigger for the event>
When:  <the date and time of the event>
Where:  <the IP address or hostname of the server where the event occurred>

The following is an example alert you might receive:

Event : high memory usage
Value : 82.19%
When : 2019-May-16 18:30:00 PST
Where : vortex-132

Email alerts are sent based on the following event categories:

System resource

System resources are polled every 30 minutes to calculate usage. An email alert is sent if the value exceeds the defined threshold.The following system resources are monitored:

CPU

Average CPU usage for a 30 minute interval.

Memory

Memory usage at the 30th minute.

Filesystem

Filesystem usage at the 30th minute.

Configuration

When configuration changes occur, an email alert is sent for these events:

  • Adding or removing an API

  • Adding or deleting a server

  • Nodes of a cluster are UP or DOWN

Decoy API

When decoy APIs are accessed for the first time, an email alert is sent. The time between consecutive alerts is set using decoy_alert_interval in the ase.conf file. The default value is 180 minutes.

For more information on decoy APIs, see In-Context decoy APIs.
ASE-ABS log transfer and communication

ASE sends an alert in the following two conditions:

Access Log transfer failure

When ASE is unable to send access log files to API Behavioral Security (ABS) for more than an hour, ASE sends an alert with the names of the log files.

ASE-ABS communication failure

When interruptions occur in ASE-ABS communication, an alert is sent identifying the error type. The email also mentions the current and total counter for the alert. The current counter lists the number of times that failure happened in the last hour. The total counter lists the total number of times that error has occurred since ASE was started.

  • ABS seed node resolve

  • ABS authentication

  • ABS config post

  • ABS cluster INFO

  • ABS service unavailable

  • Log upload

  • Duplicate log upload

  • Log file read

  • ABS node queue full

  • ABS node capacity low

  • ABS attack type fetch

The following alerts are logged in the controller.log file when email alerts are disabled (enable_email=false) in the ase.conf file:

  • High CPU use

  • High memory use

  • High filesystem use

  • Adding API to ASE

  • Removing API from ASE

  • Updating and API

  • Adding a backend server

  • Removing a backend server

  • ASE cluster node available

  • ASE cluster node unavailable

  • Backend server state changed to UP

  • Backend server state changed to DOWN

  • Log upload service failure

  • Error while uploading file

  • Invalid ASE license file

  • Expired ASE license file