Creating event rules
You can configure rules to monitor specific events. Rules make it easier to monitor many events generated across your NetScaler infrastructure.
You can filter a set of events by configuring rules with specific conditions and assigning actions to the rules. When the events generated meet the filter criteria in the rule, the action associated with the rule is executed. The conditions for which you can create filters are: severity, NetScaler instances, category, failure objects, configuration commands, and messages.
You can assign the following actions to the events:
Send e-mail Action: Send an email for the events that match the filter criteria.
Send Trap Action: Send or forward SNMP traps to an external trap destination
Send SMS Action: Send a Short Message Service (SMS) message for each event that matches the filter criteria.
Run Command Action: Run a command when an incoming event meets the configured rule.
Execute Job Action: Execute a job is for events that match the filter criteria that you’ve specified.
Suppress Action: Suppresses drop an event for a specific time period.
You can also have notifications resent at a specified interval until an event is cleared. And you can customize the email with a specific subject line, user message, or attachment.
For example, as an administrator, you can:
Monitor “high CPU usage” events for specific NetScaler instances. Such events might lead to an outage of your NetScaler instances.
Create a rule to monitor the instances, and specify an action that sends you an email notification for “high CPU usage” category events.
Schedule the rule to run at a specific time, such as between 11 AM to 11 PM. Such schedules ensure that you are not notified every time an event is generated.
Configuring an event rule involves the following tasks:
Step 1 - Defining an event rule
Navigate to Networks > Events > Rules, and click Add. If you want to enable your rule, select the Enable Rule check box.
You can set the Event Age option to specify the time interval (in seconds) after which NetScaler MAS refreshes an event rule.
Based on the earlier example, you can get email notifications every time your NetScaler instance has a “high CPU usage” event for 15 seconds or longer. You can set the event age as 15 seconds, so that every time your NetScaler instance has a “high CPU usage” event for 15 seconds or more, you receive an email notification with details of the event.
You can also filter event rules by Device Family to track the NetScaler instance from which NetScaler MAS receives an event.
Step 2 - Choosing the severity of the event
You can create event rules that use the default severity settings. Severity specifies the current severity of the events you which you want to add the event rule.
You can define the following levels of severity: Critical, Major, Minor, Warning, Clear, and Information.
You can configure severity for both generic and enterprise-specific events. To modify event severity for NetScaler instances managed on NetScaler MAS, navigate to Networks > Events > Event Settings. Choose the Category for which you want to configure event severity and click Configure Severity. Assign a new severity level and click OK.
Step 3 - Specifying the event category
You can specify the category or categories of the events generated by your NetScaler instances. All categories are created on NetScaler instances. These categories are then mapped with NetScaler MAS that can be used to define event rules. Select the category you want to consider and move it from the Available table to the Configured table.
In the example above, choose “cpuUsageHigh” as the event category from the table displayed.
Step 4 - Specifying NetScaler instances
Select the IP addresses of the NetScaler instances for which you want to define the event rule. In the Instances section, click Select Instances. In the Select Instances page, choose your instances, and click Select.
Step 5 - Selecting failure objects
You can either select a failure object from the menu provided or add a failure object for which an event has been generated. Failure objects are entity instances or counters for which an event has been generated.
The failure object affects the way an event is processed and ensures that the failure object reflects the exact problem as notified. This notification can be used to track down problems quickly and to identify the reason for failure, instead of simply reporting raw events. For example, if a user has login issues, then the failure object here is the user name or password, such as “nsroot.”
This list can contain counter names for all threshold‐related events; entity names for all entity‐related events; certificate names for certificate‐related events, and so on.
Step 6 - Specifying more filters
You can further filter an event rule by:
Configuration Commands - You can specify the complete configuration command, or specify the description pattern within asterisk (*) to filter the events. In addition to the command, you can choose to further filter the event rule by the command’s authentication status and/ or its execution status. For example, for a NetscalerConfigChange event, type *bind system global policy_name*.
Messages - You can specify the complete message description, or specify the description pattern within asterisk (*) to filter the events.
For example, for a NetscalerConfigChange event, type *ns_client_ipaddress :10.102.126.250*.
Step 7 - Adding event rule actions
You can add event rule actions to assign notification actions for an event. These notifications are sent or performed when an event meets the defined filter criteria that you’ve set. You can add the following event actions:
Send email Action
Send Trap Action
Send SMS Action
Run Command Action
Execute Job Action
To set email Event Rule Action:
When you choose the Send e-mail Action event action type, an email is triggered when the events meet the defined filter criteria. You can either create an email distribution list or select an existing email distribution list. You can create an email distribution list by providing the mail server or mail profile details.
You can also add a customized subject line and user message, and upload an attachment to your email when an incoming event matches the configured rule.
Using this option, you can also ensure that all critical events are addressed and no important email notifications are missed, by selecting the Repeat Email Notification until the event is cleared check box to send repeated email notifications for event rules that meet the criteria you’ve selected. For example, if you’ve created an event rule for instances that involve disk failures, and you want to be notified until the issue is resolved, you can opt to receive repeated email notifications about those events.
To set Trap Event Rule Action:
When you choose the Send Trap Action event action type, SNMP traps are sent or forwarded to an external trap destination. You can define a trap distribution list (or a trap destination and trap profile details. When events meet the defined filter criteria, the trap messages are sent to the trap listeners specified in the distribution list.
To set SMS Event Rule Action:
When you choose the Send SMS Action event action type, a Short Message Service (SMS) message for each event that matches the filter criteria. You need to either create an SMS distribution list by providing the SMS server or SMS profile details or you can select an SMS distribution list that you’ve previously created.
To set the Run Command Action:
When you choose the Run Command Action event action, you can create a command or a script that can be executed on NetScaler MAS for events matching a particular filter criterion. For example, if an event of “Critical” severity is raised when there is a configuration change on a managed instance, you can run a command script.
You can also, set the following parameters for the Run Command Action script:
|$source||This parameter corresponds to the source IP address of the received event.|
|$category||This parameter corresponds to the type of traps defined under category of the filter.|
|$entity||This parameter corresponds to the entity instances or counters for which an event has been generated. It can include the counter names for all threshold-related events, entity names for all entity-related events, and certificate names for all certificate-related events.|
|$severity||This parameter corresponds to the severity of the event.|
|$failureobj||The failure object affects the way an event is processed and ensures that the failure object reflects the exact problem as notified. This result can be used to track down problems quickly and to identify the reason for failure, instead of simply reporting raw events.|
During command execution, these parameters are replaced with actual values.
To configure the “Run Command Action” event action on NetScaler MAS:
Under Event Rule Actions, click Add Action and select Run Command Action from the Action Type menu.
On the Create Command Distribution List page, specify a profile name and the command to be run. This command is executed when the events meet the defined filter criteria.
You can enable the Append Output and Append Errors options if you want to store the output and errors generated (if any) when you run a command script in the NetScaler MAS server log files. If you do not enable these options, NetScaler MAS discards all outputs and errors generated while running the command script.
To set the Execute Job Action:
By creating a profile with configuration jobs, a job is executed as a built-in job or a custom job for NetScaler, NetScaler SDX, and NetScaler SD-WAN WO instances, for events and alarms that match the filter criteria you’ve specified.
Under Event Rule Actions, click Add Action and select Execute Job Action from the Action Type menu.
Create a profile with a job you want run when the events meet the defined filter criteria.
While creating a job, specify a profile name, the instance type, the configuration template, and the action you’d like to perform if the commands on the job fail.
Based on the instance type selected and the configuration template chosen, specify your variables values and click Finish to create the job.
To set the Suppress Action:
When you choose the Suppress Action event action, you can configure a time period, in minutes, for which an event is suppressed or dropped. You can suppress the event for a minimum of 1 minute.
Your event rule is now created with appropriate filters and well defined event rule actions.