System alerts

Review Vectra system health alerts for sensor connectivity, capture interfaces, disk health, bandwidth drops, and packet processing.

Vectra will send System Health Alerts for a variety of condition such as Sensor connectivity, capture interface health, or disk health.

Please Note:

The alerts you see on this page are not a comprehensive list and alerts can be added in the future.

For example, Traffic Validation alerts were added as a another category of system health alerts in v9.10.

It is a best practice to enable these alerts to monitor system health or monitor these alerts with the health API endpoint.
Further information on the general system health can be obtained from the command line using the command show system-health. Please see Monitoring the health of Vectra appliances for more details.

To enable system healt email alerts, go to Configuration → RESPONSE → Notifications and enable the setting to Send system alerts.

Please Note:

The source email for RUX system alerts is no-reply@vectra.ai.

System health alerts can send via webook to some apps. Please see External App Alerts (webhook) for details on webhook alerting.

Specific Alert Details

1. Disk Health : Disk read only check or RAID Failure

Contact Vectra Support immediately. If remote support is possible please turn this on. If not please be prepared for remote session with Vectra support to try to diagnose and resolve this issue as quickly as possible.

While the disk or raid is in bad state, traffic will not be captured on the device.

Remediation may required:

Disk replacement
Hardware replacement
Manual intervention by support

If hardware or disk replacement is required Vectra support will need the shipping details and address where to send the replacement disk or hardware.

Examples:

Disk volume(s) in read-only state on [Serial#]

When condition is no longer occurring:

"RAID volumes and disk OK on [Serial#]"

2. Interface Health : Capture interface flapping

Verify cable or SFP, re-seating or changing the cable or SFP may help.

Was there a scheduled change or event, has the connected switch rebooted?

This message indicates that the interfaces connected to the device were (and are no longer) flapping, this is usually due to wiring issues, switch issues or perhaps scheduled changes causing the switch to reboot. The beginning of the alert "No link flapping" indicates that the link flapping condition is no longer occurring.

If this is a frequent occurrence and verifying the physical connectivity did not resolve the issue please contact Vectra Support.

Examples:

Detected link flapping on capture interface(s) eth1, eth0 on [Serial#]

When condition is no longer occurring:

"No link flapping on capture interface(s) eth3, eth2, eth1, eth0 on [Serial#]"

3. Bandwidth Drop

This alert fires if there is extended period of no traffic for at least 48 hours.

Sensors that have very low bandwidth (<1 Mbps) typically receive these alerts more frequently due to the high variability in the observed bandwidth.

Please Note:

The specific alert logic can change at any time if Vectra decides to modify the threshold.

Logic at time of publication:

A drop is detected when traffic decreases from an average greater than 5 Mbps to less than 1 Mbps. The system generates a warning if the condition persists for less than 3 days, and escalates to critical on the third consecutive day.

Vectra has additional alerting called Traffic visibility drop alerting. Please see the linked article for details.

Examples:

Detected recent bandwidth drop on capture interface(s). This bandwidth drop has lasted over three days
When condition is no longer occurring:

"No recent bandwidth drop on capture interface(s)"

"CLIENT <serial>: CAPTURE INTERFACE RECEIVING TRAFFIC"

Before opening a support ticket:

Please verify that the alert conditions have been met. If confirmed, investigate the network environment to identify any anomalies. Note that traffic graphs in the Vectra console are intended for basic health checks and may not reflect long-term behavior captured by this alert. For long-term bandwidth monitoring or more detailed traffic analysis, consider using SNMP, NetFlow, or other monitoring tools available on upstream network devices (e.g., switch ports or TAP aggregation solutions).

4. Sensor connectivity

This alert occurs when a sensor lost connectivity for 7 days. The current threshold will avoid alerting during planned downtime, power outage or relocation of a sensor.

An initial physical and logical connectivity investigation should be performed and the required firewall rules should be validated. Please Vectra support as required.

Examples:

Lost connectivity to headend on {} sensor(s): [Serial#]

When condition is no longer occurring:

"All paired sensors connected to headend" or "Sensors/Stream have tunnel established on headend"

5. Packet processing drop check

This alert occurs when the packets dropped on the sensor reach above the threshold.

This may be an indication of an oversubscribed sensor or Brain. Please check with Vectra support if you receive such an alert.

Example:

Packet processing drops observed on " + serial

When condition is no longer occurring:

Packet processing is healthy on " + serial

Note: For Match System alerts, please refer to https://support.vectra.ai/s/article/KB-VS-1859

If your system is running on Respond UX, please refer to document at: https://support.vectra.ai/vectra/article/KB-VS-2665

PreviousSyslog and Kafka message size limits (QUX)NextSIEM

Last updated 1 day ago

Was this helpful?