Notification
Overview
Notifications determine how you want FireScope SPM to react when an Event, Aggregate Event, or Policy violation occurs. Two types of notifications are available to you—send a message to one user or a user group or run a remote command. You are also provided with filters to customize which Event(s) will generate a specific Notification.
Sending a Message
FireScope SPM can notify users by email, SMS, or even Instant Message when an Event occurs, and it’s distinguished by its flexibility with whether or not an Event should trigger an alert. Use filters if you want to send a Notification only when a specific event definition matches the criteria(s). One of the most common scenarios is filtering on severity, wherein you can configure FireScope SPM to generate a Notification only when an Event with High or Major severity occurs. This also has the benefit of being broad enough so that you only need a few Notifications configured to cover all current and future events. However, for this approach to work best, ensure that all Events are configured with an appropriate severity.
The type of message a user receives—email, SMS, or instant—depends on the Contact Media defined for the user in the user administration section of FireScope SPM.
Running a Command
If an Event occurs, such as a service is unresponsive or drive space becomes too low, FireScope SPM can execute commands directly in the system to begin remediation. Use the Remote command Operation Type and enter the command in the form Host:Command, where Host is the CI the command should be executed on. You can use {Hostname} as a wildcard to execute the command on whichever system the Event was identified on. You can even execute a command on every system in a Logical Group by using Group#Command, where Group is the Logical Group you want the command executed on. Common examples for the command include ‘IISReset’ to restart Internet Information Server, or ‘myscript.sh’ to run a shell script. The FireScope Agent must be installed on the system to enable this capability.
Overview
For an overview of current Notifications, click Service Management > Events > Notifications. The Notifications page with default listing representing the most recent notifications sent due to matching events. You can use the inline grid filters to search for previous notifications. It is important to point out that some filter methods in notifications (such as description matches) can potentially match multiple events. The “Event Source will indicate which event caused this notification.
Create Notifications
To create a Notification, complete the following steps:
- Log in to FireScope SPM.
- Click on Configuration > Evaluation > Notification. Notification page will be displayed.
- Click the Create button. Create Notification page will be displayed.
- Name: Enter a descriptive name for the notification.
- Settings:
- Filter: Set filters on all occurring events to initiate this notification procedure. If EVERY condition must be met before performing this action, select AND.
Otherwise, select OR. Add filters by completing the following steps:- Click the New button The New Filter section will be displayed.
- Select and define a filter type from the drop down list.
Note: For complete descriptions of all available filters, see the Table 1 below in the Field and Macro Descriptions section. - Click on Add Filter button.
- You can add multiple filters. Filter Logic section will be displayed if multiple filters are added.
- In the Filter Logic section, select either AND or OR:
Note: If you want the event to meet all the filter criteria, select AND. If you want the event to meet only one of the filter criteria, select OR.
- Click the New button The New Filter section will be displayed.
- Procedure: The procedures taken when events satisfy the preset filters. You can choose to send messages to individual users or an entire user group.
Add Procedure by completing the following steps:
Note: Add procedures to dictate what kind of notification you want to receive if the event meets your filter criteria.- Click on the New button the New Procedure section will be displayed.
- Select Operation Type from the drop down list then complete the details.
Note: For complete descriptions of all fields, see the Table 2 below in the Field and Macro Descriptions section. - Click on the Add Procedure button.
- Click on the New button the New Procedure section will be displayed.
- Filter: Set filters on all occurring events to initiate this notification procedure. If EVERY condition must be met before performing this action, select AND.
- Select Enabled from Status list.
- Click on the Save button.
Field Descriptions
The following tables describe the fields and macros available to you when you create and edit notifications.
Table 1—Field descriptions for new Filters
| Filter Type | Operators | Available Values | Description |
| Logical Group | = <> |
All currently defined logical groups | Filters according to a selected logical group. To choose a logical group: Click Select. In the dialog box, click the name of the desired logical group. Verify that the filter value populates with your selected group. |
| Configuration Item | = <> |
All currently defined configuration items |
Filters according to a selected configuration item. To choose a configuration item: Click Select. In the dialog box, filter the list of CIs if needed. Click the name of the desired CI. Verify that the filter value populates with your selected CI. |
| Event Definition (ED) | = <> |
All currently defined EDs | Filters according to a selected event definition. To choose an event definition: Click Select. In the dialog box, filter the list if needed. Click the name of the desired ED (second column). Verify that the filter value populates with your selected ED. |
| Aggregate Event Definition (AED) | = <> |
All currently defined AEDs | Filters according to a selected aggregate event definition. To choose an aggregate event definition: Click Select. In the dialog box, filter the list if needed. Click the name of the desired AED (second column). Verify that the filter value populates with your selected AED. |
| Policy (POL) | = <> |
All currently defined policies | Filters according to a selected policy. To choose a policy Click Select. In the dialog box, filter the list if needed. Click the name of the desired policy (second column). Verify that the New Filter value populates with your selected policy. |
| ED/AED/POL Name | Like Not Like |
User-provided string | Searches the names of all event definitions, aggregate event definitions, and policies, and filters according to the string of characters entered by the user. To search and filter by name, in the blank value field, enter the word or phrase you wish to filter by. Does not allow wild cards. |
| Event Definition Name | Like | User-provided string | Searches the names of all event definitions, and filters according to the string of characters entered by the user. To search and filter by name, in the blank value field, enter the word or phrase you wish to filter by. Does not allow wild cards. |
| Aggregate Event Definition Name | Like | User-provided string | Searches the names of all aggregate event definitions, and filters according to the string of characters entered by the user. To search and filter by name, in the blank value field, enter the word or phrase you wish to filter by. Does not allow wild cards. |
| Policy Name | Like | User-provided string | Searches the names of all policies, and filters according to the string of characters entered by the user. To search and filter by name, in the blank value field, enter the word or phrase you wish to filter by. Does not allow wild cards. |
| ED/AED/POL Severity | = <> >= <= |
Not Classified Information Average Warning High Major |
Filters according to the failure severity of all event definitions, aggregate event definitions, and policies. To choose a severity level, click to select from the provided list. |
| ED/AED/POL Value | = | OK Failed |
Filters all event definitions, aggregate event definitions, and policies according to a status of “OK’ or “Failed.” To choose a status, click to select from the provided list. |
| Time Period | Between Not Between |
Notifications are sent for all the EDs, AEDs or Policies within a specified Time period. |
Table 2—Field description for new Procedures
| Field | Description |
| Operation Type is “Send Message” | |
| Send message to | Choose either to send to a single FireScope SPM user or a user group. |
| Group or User | Click Select button to choose the specific user or group to whom to send this message. |
| Send Escalation Email | If the event is not acknowledged within the defined escalation period, sends an escalated message to an additional user. This is an optional field. Click Select button to choose the specific user. Only one user may be defined in this field. Note: If the user had more than one email address, the escalation email will be sent to the first in list. To change the Escalation Period, you must be an administrator user and have access to the Administration menu option. |
| Subject | Enter the subject for the email message. You can use macro variables in this field. |
| Message | Enter the body of the email. You can use macro variables to customize the message received. See the following Table 4 for a list of available macro variable definitions. |
| Operation Type is “Remote Command” | |
| Remote Command | Syntax of remote commands: <ci>:<command> Command will be executed on this CI.<group>#<command> Command will be executed on all CIs in this logical group.For Remote Commands to work, the FireScope Agent must be installed on the CI, and the user account for the agent must have appropriate permissions to execute the commands. |