System Alerting
If system alerting is enabled in the Administration ‣ Configuration ‣ System alerting dialog, the following system operations and services will be monitored. Syslog notifications are sent when any of the services or operations meets the condition(s) defined in the table.
SYSTEM OPERATION OR SERVICE | NOTIFICATION TRIGGER |
---|---|
RAM | usage is over 90% for 10 minutes |
CPU | usage is over 40% for 2 minutes |
CPU wait (waiting for IO) | over 20% for 2 minutes |
Disk usage | over 90% for 10 minutes |
UWSGI service | down for 2 minutes |
NGINX service | down for 2 minutes |
RABBIT-MQ service | down for 2 minutes |
POSTGRES service | down for 2 minutes |
MEMCACHED service | down for 2 minutes |
CROND service | down for 2 minutes |
SSHD service | down for 2 minutes |
SUPERVISORD service | down for 2 minutes |
SMTP | if enabled, but stopped for 4 minutes |
NTPD | if enabled, but stopped for 4 minutes |
Any of the SUPERVISORD services | if it has crashed |
SCALE socket | not detected/does not exist for 4 minutes |
SCALE INPUT queue | receiving over 500 messages for 10 minutes |
SCALE RETRY queue | receiving over 100 messages for 10 minutes |
COLLECTOR queue | receiving over 1000 messages for 10 minutes |
CLASSIFICATION queue | receiving over 5000 messages for 10 minutes |
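Read literally, every trigger in the table is a sustained condition rather than an instantaneous one: a single one-minute CPU spike does not notify, but two consecutive minutes above 40% do. The Python below is an added example of that window logic, not the appliance's own code. It assumes one sample per minute per metric, that "over X for N minutes" means every sample in the last N minutes exceeded X, and that one notification is raised per breach episode; the appliance's real sampling interval and notification cadence are not described on this page, and the rule names and functions are this example's own.

```python
"""Sustained-threshold alerting, modelled on the system-alerting table above.

Added example, not the appliance's own code. Assumptions: one sample per
minute per metric; "over X for N minutes" means every sample in the last
N minutes exceeded X; one notification per breach episode.
"""
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple


@dataclass
class SustainedRule:
    name: str
    breached: Callable[[object], bool]  # condition on a single sample
    window_minutes: int                 # how long it must hold before alerting
    breach_start: Optional[int] = None  # minute the current breach began

    def observe(self, minute: int, value: object) -> bool:
        """Feed one sample; return True while the rule's window is satisfied."""
        if not self.breached(value):
            self.breach_start = None     # one good sample resets the streak
            return False
        if self.breach_start is None:
            self.breach_start = minute
        return minute - self.breach_start + 1 >= self.window_minutes


def alert_minutes(rule: SustainedRule, series: List[Tuple[int, object]]) -> List[int]:
    """Minutes at which a *new* alert episode starts; no repeat notification
    is produced while the same breach continues."""
    fired, active = [], False
    for minute, value in series:
        hit = rule.observe(minute, value)
        if hit and not active:
            fired.append(minute)
        active = hit
    return fired


def over(limit: float) -> Callable[[object], bool]:
    """Condition 'value is over limit' as used by the utilisation rows."""
    return lambda v: v > limit


# Thresholds and windows transcribed from the table above; the rule names are ours.
RULES = {
    "RAM":      SustainedRule("RAM usage over 90%", over(90), 10),
    "CPU":      SustainedRule("CPU usage over 40%", over(40), 2),
    "CPU wait": SustainedRule("CPU iowait over 20%", over(20), 2),
    "Disk":     SustainedRule("Disk usage over 90%", over(90), 10),
    "NGINX":    SustainedRule("NGINX service down", lambda up: not up, 2),
}

# Constructed sample series (minute, value): a one-minute CPU spike to 95%
# that must NOT alert, then four consecutive minutes above 40% that must.
CPU_SERIES = [(0, 10), (1, 95), (2, 10), (3, 45), (4, 50), (5, 60), (6, 55), (7, 30)]
# Constructed NGINX liveness series (True = up): a one-minute blip, then a real outage.
NGINX_SERIES = [(0, True), (1, False), (2, True), (3, False), (4, False), (5, False), (6, True)]

if __name__ == "__main__":
    print(alert_minutes(RULES["CPU"], CPU_SERIES))      # [4]
    print(alert_minutes(RULES["NGINX"], NGINX_SERIES))  # [4]
```

Because the streak resets on any non-breaching sample, a noisy metric that hovers around the threshold never fires; whether the appliance applies the same strict reading or averages over the window is not stated on the page.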
Connector Alerts
When Connectors are configured and running, CEF messages for supported events are sent to syslog if system alerting is properly configured on the appliance.
Most alerts are shared between connectors, but there are some connector-specific messages. For the full list of all supported CEF event fields, refer to the table below.
Threat detection CEF messages are sent only when the Enable automatic file sorting option is selected in the connector configuration dialog.
CEF event formatting schema
CEF:0|{device.vendor}|{device.name}|{device.version}|{signature.id}|{name}|{severity}|
csxLabel={label.value} csx={field.value}
CEF event fields
Signature IDs | CEF event field | Description | Supported connectors |
---|---|---|---|
Threat detection | cs1Label | cs1 field label. Always equals classification | Network File Share, AbuseBox, S3 |
Threat detection | cs1 | File classification status (malicious, suspicious, goodware, unknown) | Network File Share, AbuseBox, S3 |
Threat detection | cs2Label | cs2 field label. Always equals detectionName | Network File Share, AbuseBox, S3 |
Threat detection | cs2 | The detected threat name, formatted according to the ReversingLabs Malware Naming Standard. | Network File Share, AbuseBox, S3 |
Threat detection | cs3Label | cs3 field label. Always equals detectionReason | Network File Share, AbuseBox, S3 |
Threat detection | cs3 | The appliance that analyzed and classified the file. Possible values are A1000, TitaniumScale | Network File Share, AbuseBox, S3 |
connector_health | cs4Label | cs4 field label. Always equals app_health | Network File Share, AbuseBox, S3 |
connector_health | cs4 | Sent if there are any errors or performance issues with the connector or the appliance. Always equals FAILED | Network File Share, AbuseBox, S3 |
connector_mount_success, connector_mount_failure | cs5Label | cs5 field label. Always equals mount | Network File Share |
connector_mount_success, connector_mount_failure | cs5 | Sent on network resource mount events. Possible values are SUCCESS for connector_mount_success and FAILED for connector_mount_failure. | Network File Share |
connector_read | cs6Label | cs6 field label. Always equals file_read | Network File Share, AbuseBox, S3 |
connector_read | cs6 | Sent when the connector fails to read the file from the connected storage/mail account. Always equals FAILED | Network File Share, AbuseBox, S3 |
connector_upload | cs7Label | cs7 field label. Always equals analysis | Network File Share, AbuseBox, S3 |
connector_upload | cs7 | Sent when files fail to upload to the appliance for analysis. Always equals FAILED | Network File Share, AbuseBox, S3 |
connector_move_files | cs8Label | cs8 field label. Always equals file_moving | Network File Share, S3 |
connector_move_files | cs8 | If advanced file sorting is enabled for the connector, this event is sent for each file move. Possible values are FAILED, SUCCESS | Network File Share, S3 |
connector_unmount_success, connector_unmount_failure | cs9Label | cs9 field label for connector unmount events. Always equals unmount | Network File Share |
connector_unmount_success, connector_unmount_failure | cs9 | Shows the network resource unmount status. Possible values are SUCCESS for connector_unmount_success and FAILED for connector_unmount_failure. | Network File Share |
Threat detection, connector_move_files, connector_upload, connector_read | cs9Label | cs9 field label for events related to file operations. Always equals fileName | Network File Share, S3 |
Threat detection, connector_move_files, connector_upload, connector_read | cs9 | Shows the name of the file related to the specific event | Network File Share, S3 |
connector_unmount_success, connector_unmount_failure | cs10Label | cs10 field label. Always equals mountAddress | Network File Share |
All event types except Threat detection | cs10 | The address of the network resource | Network File Share |
connector_email_fetch_failure, connector_email_fetch_success | cs11Label | cs11 field label. Always equals email_fetch | AbuseBox |
connector_email_fetch_failure, connector_email_fetch_success | cs11 | Sent when the connector fails/succeeds in downloading an email message from the connected email account to the appliance. Always equals FAILED for connector_email_fetch_failure and SUCCESS for connector_email_fetch_success | AbuseBox |
connector_email_fetch_failure, connector_email_fetch_success | cs12Label | cs12 field label. Always equals exchangeServer | AbuseBox |
connector_email_fetch_failure, connector_email_fetch_success | cs12 | The address of the Exchange server (without the protocol scheme) from which the connector is attempting to retrieve email. | AbuseBox |
connector_email_fetch_failure | cs13Label | cs13 field label. Always equals failure_reason | AbuseBox |
connector_email_fetch_failure | cs13 | The reason why the email failed to download. Possible values are: connection error, non_existing_smtp_address, authentication_error, non_existing_inbox_folder, disk_threshold_reached | AbuseBox |
connector_move_files | cs14Label | cs14 field label. Always equals destination | AbuseBox |
connector_move_files | cs14 | If advanced file sorting is enabled for the connector, this is the destination where the file was moved during processing. | Network File Share, S3 |
All CEF messages except those that already contain the mountAddress field | cs15Label | cs15 field label. Always equals sourceAddress | Network File Share, S3 |
All CEF messages except those that already contain the mountAddress field | cs15 | The address of the file source (for example a network file share, or an S3 bucket) | Network File Share, S3 |
Examples
- Success mounting a network drive (Network File Share)
  CEF:0|ReversingLabs|TitaniumCore|3.9.3.0|connector_mount_success|connector_mount_success|0|cs5Label=mount cs5=SUCCESS
- Failure reading files from a network drive (Network File Share)
  CEF:0|ReversingLabs|TitaniumCore|3.9.3.0|connector_read|connector_read|10|cs6Label=file_read cs6=FAILED cs9Label=fileName cs9=/mnt/incoming/installer.msi
- Threat detection for files uploaded from a network drive (Network File Share)
  CEF:0|ReversingLabs|TitaniumCore|3.9.3.0|detection|Threat detection|10|fileHash=93f5a83b850becd35f12fca8acs907ead cs2Label=classification cs2=malicious cs1Label=detectionName cs1=ByteCode-MSIL.Trojan.Genkryptik reason=cloud
- Success fetching email (AbuseBox)
  CEF:0|ReversingLabs|A1000|5.11.0|connector_email_fetch_success|connector_email_fetch_success|0|cs12Label=exchangeServer cs12=devops-exchange.exch.rl.lan cs11Label=email_fetch cs11=SUCCESS
- Failure fetching email (AbuseBox)
  CEF:0|ReversingLabs|A1000|5.11.0|connector_email_fetch_failure|connector_email_fetch_failure|10|cs13Label=failure_reason cs13=authentication_error cs12Label=exchangeServer cs12=devops-exchange.exch.rl.lan cs11Label=email_fetch cs11=FAILED
- Connector/appliance in an unhealthy state (Network File Share, AbuseBox, S3)
  CEF:0|ReversingLabs|A1000|5.11.0|connector_health|connector_health|10|cs4Label=app_health cs4=FAILED
- Failed file upload (Network File Share, AbuseBox, S3)
  CEF:0|ReversingLabs|A1000|5.11.0|connector_upload|connector_upload|10|cs9Label=fileName cs9=application_windows.exe cs7Label=analysis cs7=FAILED
- Successful file move (Network File Share, S3)
  CEF:0|ReversingLabs|A1000|5.10.8-1|connector_move_files|connector_move_files|0|cs9Label=fileName cs9=BavPro_Setup_GL.zip cs8Label=file_moving cs8=SUCCESS cs14Label=destination cs14=/Malicious/BavPro_Setup_GL.zip
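On the receiving side, the CEF schema and the csN/csNLabel convention from the field table have to be turned back into named fields before a SIEM rule can use them. The Python below is an added example that is not the appliance's or the vendor's code: it splits the header on unescaped pipes, parses the extension (values may contain spaces, so pairs are delimited by the next ` key=` rather than by whitespace), resolves each csNLabel into the name of its csN partner, and runs a simple defender-side triage filter over the page's own example messages reflowed onto single lines. The function names and the `needs_attention` policy are this example's assumptions, not the product's behaviour.

```python
"""Parse the CEF messages documented above and resolve csN/csNLabel pairs.

Added example, not the appliance's own code. Function names and the
needs_attention() policy are this example's assumptions; SAMPLE_MESSAGES
are the page's own examples, each reflowed onto one line.
"""
import re
from typing import Any, Dict, List, Tuple

# Extension values may contain spaces, so a pair ends only where the next
# " key=" begins (or at end of string), never at the first space.
_EXT_RE = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|\s*$)")


def _split_header(msg: str) -> List[str]:
    """Split on unescaped '|' (CEF writes a literal pipe as '\\|').
    Returns the 7 header fields followed by the raw extension string."""
    fields, cur, i = [], [], 0
    while i < len(msg):
        ch = msg[i]
        if ch == "\\" and i + 1 < len(msg):   # keep the escaped character literally
            cur.append(msg[i + 1])
            i += 2
            continue
        if ch == "|":
            fields.append("".join(cur))
            cur = []
            if len(fields) == 7:               # everything after the 7th pipe is the extension
                return fields + [msg[i + 1:]]
        else:
            cur.append(ch)
        i += 1
    fields.append("".join(cur))
    return fields


def resolve_labels(ext: Dict[str, str]) -> Dict[str, str]:
    """Turn 'cs5Label=mount cs5=SUCCESS' into {'mount': 'SUCCESS'}; other keys pass through."""
    out = {}
    for key, value in ext.items():
        if re.fullmatch(r"cs\d+Label", key):
            continue                           # consumed through its csN partner below
        out[ext.get(key + "Label", key)] = value
    return out


def parse_cef(msg: str) -> Dict[str, Any]:
    parts = _split_header(msg.strip())
    if len(parts) < 7 or not parts[0].startswith("CEF:"):
        raise ValueError("not a CEF message: %r" % msg[:40])
    raw_ext = parts[7] if len(parts) > 7 else ""
    # Undo the extension escapes: '\=' is a literal '=', '\\' a literal backslash.
    ext = {k: v.replace("\\=", "=").replace("\\\\", "\\")
           for k, v in _EXT_RE.findall(raw_ext)}
    return {
        "cef_version": parts[0].split(":", 1)[1],
        "vendor": parts[1], "product": parts[2], "version": parts[3],
        "signature_id": parts[4], "name": parts[5], "severity": int(parts[6]),
        "fields": resolve_labels(ext),
    }


def needs_attention(event: Dict[str, Any]) -> bool:
    """Assumed SOC filter: severity 10 events, any FAILED outcome,
    or a malicious/suspicious classification verdict."""
    fields = event["fields"]
    if event["severity"] >= 10 or "FAILED" in fields.values():
        return True
    return fields.get("classification") in {"malicious", "suspicious"}


def triage(messages: List[str]) -> List[Tuple[str, bool]]:
    """(signature_id, needs_attention) for each message, in input order."""
    return [(e["signature_id"], needs_attention(e)) for e in map(parse_cef, messages)]


# The page's own example messages, one per line.
SAMPLE_MESSAGES = [
    "CEF:0|ReversingLabs|TitaniumCore|3.9.3.0|connector_mount_success|connector_mount_success|0|cs5Label=mount cs5=SUCCESS",
    "CEF:0|ReversingLabs|TitaniumCore|3.9.3.0|connector_read|connector_read|10|cs6Label=file_read cs6=FAILED cs9Label=fileName cs9=/mnt/incoming/installer.msi",
    "CEF:0|ReversingLabs|TitaniumCore|3.9.3.0|detection|Threat detection|10|fileHash=93f5a83b850becd35f12fca8acs907ead cs2Label=classification cs2=malicious cs1Label=detectionName cs1=ByteCode-MSIL.Trojan.Genkryptik reason=cloud",
    "CEF:0|ReversingLabs|A1000|5.11.0|connector_email_fetch_failure|connector_email_fetch_failure|10|cs13Label=failure_reason cs13=authentication_error cs12Label=exchangeServer cs12=devops-exchange.exch.rl.lan cs11Label=email_fetch cs11=FAILED",
    "CEF:0|ReversingLabs|A1000|5.11.0|connector_health|connector_health|10|cs4Label=app_health cs4=FAILED",
]

if __name__ == "__main__":
    for sig, flag in triage(SAMPLE_MESSAGES):
        print(f"{sig:32s} {'ATTENTION' if flag else 'ok'}")
```

Resolving labels before matching is what makes a rule such as "classification is malicious" portable: the table shows the same csN slot carrying different meanings across event types (cs9 is `unmount` on unmount events and `fileName` on file events), so matching on the raw `cs9` key would misfire.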