Traffic visibility drop alerting

Details of the system health checks that monitor traffic visibility changes in your environment, and how to be alerted when a drop in visibility for IP counts, bandwidth, or packet counts becomes critical.

Overview

Starting in the v9.11 release, Brain appliances will monitor three metrics for abnormality:

  • The number of observed IP addresses (aggregate for the entire deployment)

  • The observed traffic bandwidth (per Sensor)

  • The observed packet counts (per Sensor)

For each of these metrics, the system will collect data, determine a baseline, and create a system health alert when it determines that the metric has crossed a critical threshold. The exact cause will not be known to the system, but it is likely that an external network event (e.g. a switch reconfiguration) has caused a reduction in network observability.

Please Note:

For the initial v9.11 release, this monitoring will be live but notifications will be disabled. Vectra will release this feature progressively over the course of the v9.11 release and invites customer feedback for efficacy and accuracy through your normal support channels.

Vectra expects a high correlation between losses in network observability and the system health alerts related to traffic visibility drops, and advises customers receiving these notifications that they investigate their network traffic monitoring to determine what event(s) may have caused a loss in visibility.

Alerts can be received by email, webhook, retrieved via API call, or received via Syslog (QUX deployments only).

Alerting Configuration

Traffic visibility drop alerts are a sub category of system health alerts and if you are receiving system health alerts by any supported method, you will receive these traffic visibility drop alerts. An alert is created when a metric becomes critical and when the metric returns to normal.

System health alerts notification methods:

Email notification: Please see System alerts for details.

Webhook notification: Please see External app alerts (webhook) for details.

Please Note:

For Webhook notifications, an alert will be sent when a metric becomes critical, but there will be no alert sent when the metric returns to normal. This is expected behavior and is not cause for alarm.
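The behaviour described in the Overview (collect samples, derive a baseline, alert on a critical crossing and again on return to normal) and the Webhook note above (only the critical transition is delivered) can be illustrated with a small added Python example. This is not Vectra's code and does not reflect how the Brain computes its baselines; the rolling-median baseline, the 50% critical and 80% recovery fractions, the 12-sample window, and the sample IP-count series are all constructed assumptions for illustration.

```python
from collections import deque
from statistics import median

# Hypothetical parameters: the page publishes no thresholds, and the real
# system derives what is "normal" per deployment automatically.
WINDOW = 12               # past samples used to form the baseline
CRITICAL_FRACTION = 0.5   # sample below this fraction of baseline -> critical
RECOVER_FRACTION = 0.8    # sample at or above this fraction -> back to normal

# Constructed sample: hourly observed-IP counts for one deployment. Steady
# around 1000, a sharp drop (e.g. a switch SPAN session removed), then recovery.
SAMPLE_IP_COUNTS = [
    1000, 1010, 990, 1005, 995, 1002, 998, 1003, 997, 1001, 999, 1004,
    980, 300, 290, 310, 950, 1000,
]


def detect_visibility_drops(samples, window=WINDOW,
                            critical=CRITICAL_FRACTION,
                            recover=RECOVER_FRACTION):
    """Return [(index, event), ...] with event in {"critical", "normal"}.

    One event is emitted when the metric first falls below the critical
    fraction of its baseline, and one more when it climbs back above the
    recovery fraction. No events are emitted while the state is unchanged.
    """
    history = deque(maxlen=window)
    events = []
    in_critical = False
    for i, value in enumerate(samples):
        if len(history) == window:
            baseline = median(history)
            if baseline > 0:
                ratio = value / baseline
                if not in_critical and ratio < critical:
                    in_critical = True
                    events.append((i, "critical"))
                elif in_critical and ratio >= recover:
                    in_critical = False
                    events.append((i, "normal"))
        # Feed the baseline only while visibility is normal, so a sustained
        # outage does not quietly become the new "normal".
        if not in_critical:
            history.append(value)
    return events


def deliver(events, channel):
    """Filter events per channel: webhook gets critical transitions only,
    email (and the other channels on this page) get both transitions."""
    if channel == "webhook":
        return [e for e in events if e[1] == "critical"]
    return list(events)


if __name__ == "__main__":
    found = detect_visibility_drops(SAMPLE_IP_COUNTS)
    print("all transitions:", found)
    print("webhook would send:", deliver(found, "webhook"))
```

With the constructed series, the drop at sample 13 (300 IPs against a baseline of about 1000) raises the critical event, the recovery at sample 16 raises the return-to-normal event, and the webhook filter keeps only the first. The two-fraction hysteresis (50% to enter, 80% to clear) is what keeps a metric hovering near the threshold from generating an alert storm; a noisy or very low-volume series, as the Metric Thresholds section warns, would need these values tuned.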

API:

Syslog (for QUX deployments only): Please see the Syslog Guide (QUX) for details.

Metric Thresholds

No specific thresholds are published, because the system automatically calculates what is normal for each deployment.

Deployments with extremely noisy traffic graphs (wide fluctuations rather than predictable patterns) or very low bandwidth may raise alerts when none are wanted, or fail to raise alerts when they are wanted. If this happens in your deployment, please open a support ticket. There are some underlying parameters that Vectra can adjust to optimize for your deployment that the system may not be able to calculate automatically.

Example Alert Messages

Below are some example email alert messages for a system crossing the critical threshold for observed IPs and another message for when the observed IP count returns to normal.

Alerts for other visibility drops (bandwidth, packet counts) would look similar. Alerts through other channels such as Webhook, API, or syslog (QUX only) would also contain similar language.
