Alerts
Overview
Built into SPR is an alerting mechanism. When an event arrives that matches an alert configuration, the alert can be shown as a Notification or stored in the Event Database as an alert to be resolved later.
Viewing & Resolving Alerts
To see alerts stored in the database, head over to the Alerts page.
Alerts have a 'State' variable, which is currently either New or Resolved. Click the Resolve or Resolve All buttons to move alert events from New to the resolved (Triaged) state.
Add Alerts
The alert rules can look complicated at first, but they are flexible and configurable. Check out the default templates to see how they are configured for different events, conditions and templates.
Alerts match an Event Prefix. In the example below, we match wifi:auth:success events, which are triggered when a device connects to the wifi. Read more about built-in events here, or navigate to Monitor->Events in the menu to list the events triggered on your device.
We optionally copy the MAC address of the device and resolve it to a device name using a decorator in the alert body.
If you also want the alert to show the interface, specify this as the alert body:
Authentication success for {{MAC#Device}} on interface {{Iface}}
and add Iface to the fields, or copy all of them.
Conditions
Click Add Condition Filter + to create field requirements beyond the event topic prefix. If Match All is set, all conditions must match; otherwise it is enough for one of them to match. Conditions can also be logically inverted.
In the following screenshot, the Event Prefix is set to dns:serve:, which is triggered when a client looks up a domain.
We add a condition that the domain must be "supernetworks.org." (with the trailing dot of DNS syntax); if the event matches, an info alert is shown with the device and domain name.
Event matching uses JSONPath syntax. See https://jsonpath.com/ for details.
Use the selector to pick fields. Regular expressions are supported, for example FirstName=~"^[0-9]+.[a-z]+.$" to match numeric domains. Note that an unescaped . in a regular expression matches any single character, so a pattern like this also accepts names without dots in those positions; write \. where a literal dot is required.
Event Templating
In addition to custom event matches, alert titles and bodies can be written as templates that control what is rendered in the frontend.
In general, take the field to display and wrap it in double curly brackets, for example {{Ethernet.SrcMAC}}.
Decorators
The event template also supports decorators. The following are supported: Device, DeviceIcon, DeviceName, DeviceIP and DeviceMAC.
To apply a decorator, follow the field name with "#Decorator". This allows, for example, converting a MAC address to the device's known IP, or rendering the icon assigned to that device.
Here is an example template with decorators:
MAC IP Violation {{IP.SrcIP#Device}} {{IP.SrcIP}} {{Ethernet.SrcMAC}} to {{IP.DstIP}} {{Ethernet.DstMAC}}
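To make the Conditions, Event Templating and Decorators sections above concrete, here is a small Go model of that pipeline: prefix matching, Match All versus any-one conditions with inversion and regular-expression support, and {{Field}} / {{Field#Decorator}} rendering against a device table. It is an added example written for this page, not SPR's own code. The event field names (MAC, Iface, FirstName, Client), the suffix after dns:serve:, the device inventory, and the flat dotted-key representation of nested fields such as Ethernet.SrcMAC are constructed assumptions, and it does not implement JSONPath.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

type (
	// Event: topic plus fields addressed by dotted path (e.g. "Ethernet.SrcMAC").
	Event struct {
		Topic  string
		Fields map[string]string
	}
	// Condition: Op "=~" is a regular expression, anything else an exact match.
	Condition struct {
		Field, Op, Value string
		Invert           bool
	}
	// Alert: topic prefix, conditions (all, or any one) and a body template.
	Alert struct {
		Name, Prefix, Body string
		MatchAll           bool
		Conds              []Condition
	}
	// Device: the values the decorators render, keyed by decorator name.
	Device map[string]string
)

// Match evaluates one condition; a missing field never satisfies it, Invert flips the result.
func (c Condition) Match(ev Event) bool {
	v, ok := ev.Fields[c.Field]
	res := ok && v == c.Value
	if ok && c.Op == "=~" {
		re, err := regexp.Compile(c.Value)
		res = err == nil && re.MatchString(v)
	}
	return res != c.Invert
}

// Matches checks the prefix, then every condition (Match All) or any one of them.
func (a Alert) Matches(ev Event) bool {
	if !strings.HasPrefix(ev.Topic, a.Prefix) {
		return false
	}
	for _, c := range a.Conds {
		if m := c.Match(ev); m != a.MatchAll {
			return m
		}
	}
	return a.MatchAll || len(a.Conds) == 0 // no conditions: prefix alone decides
}

// placeholder matches {{Field}} and {{Field#Decorator}}.
var placeholder = regexp.MustCompile(`\{\{\s*([^{}#\s]+)\s*(?:#\s*(\w+)\s*)?\}\}`)

// Render fills the template from the event; a decorator resolves the field's
// value (a MAC or an IP) against the device table.
func Render(tmpl string, ev Event, devs []Device) string {
	return placeholder.ReplaceAllStringFunc(tmpl, func(m string) string {
		sub := placeholder.FindStringSubmatch(m)
		val, ok := ev.Fields[sub[1]]
		if !ok {
			return m // unknown field: leave the placeholder visible
		}
		for _, d := range devs {
			if strings.EqualFold(d["DeviceMAC"], val) || d["DeviceIP"] == val {
				if out, ok := d[sub[2]]; ok {
					return out
				}
			}
		}
		return val // no decorator, or unknown device/decorator: raw value
	})
}

// Constructed inventory; "Device" renders the name, as {{MAC#Device}} does in the docs.
var devices = []Device{{"Device": "laptop", "DeviceName": "laptop", "DeviceIP": "192.168.2.10",
	"DeviceMAC": "aa:bb:cc:dd:ee:01", "DeviceIcon": "Laptop"}}

// Constructed rules reusing the docs' templates; the "Client" field name is assumed.
var rules = []Alert{
	{Name: "wifi", Prefix: "wifi:auth:success",
		Body: "Authentication success for {{MAC#Device}} on interface {{Iface}}"},
	{Name: "dns-watch", Prefix: "dns:serve:", MatchAll: true,
		Conds: []Condition{{Field: "FirstName", Op: "==", Value: "supernetworks.org."}},
		Body:  "{{Client#Device}} looked up {{FirstName}}"},
	// Dots are escaped: with a bare "." the pattern would also accept "123xorgx".
	{Name: "numeric-domain", Prefix: "dns:serve:",
		Conds: []Condition{{Field: "FirstName", Op: "=~", Value: `^[0-9]+\.[a-z]+\.$`}},
		Body:  "numeric domain {{FirstName}} from {{Client#DeviceIP}}"},
}

func main() {
	ev := Event{Topic: "wifi:auth:success", Fields: map[string]string{"MAC": "AA:BB:CC:DD:EE:01", "Iface": "wlan1"}}
	for _, r := range rules {
		if r.Matches(ev) {
			fmt.Println(r.Name+":", Render(r.Body, ev, devices))
		}
	}
}
```

Two design points worth noting: the MAC comparison is case-insensitive because events and inventories do not always agree on the case of hex digits, and an unknown placeholder is left in the rendered text rather than silently dropped, so a typo in a template is visible the first time the alert fires.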