Creating TCP SMTP Monitor Rules

The following section provides instructions on how to create a typical TCP SMTP Rule.

TCP SMTP Monitor specific criteria fields

When adding criteria the following pages and fields are specific to the TCP SMTP Monitor.

SMTP Server Parameters section

The fields in this section define the SMTP Server configuration parameters.

Host /Address

Enter the Host name or IP Address of the SMTP Server to be used in this rule. This is set to the localhost 127.0.0.1 by default.

Port Number

Select the Port Number on which the SMTP connection is made. The default setting is 25.

Timeout

Specify the timeout, in milliseconds, after which an SMTP connection to the specified server is deemed unsuccessful. The default setting is 5000 milliseconds.

SMTP Command section

The fields in this section specify the SMTP command to use and the expected response.

Command

Enter the Command to be sent to the SMTP server. The default setting is HELO. The HELO command is simply used to identify yourself to the SMTP server.

Response

Enter the expected response from the server using a comparator (equals, greater then, and so on) and a value. If the response is matched when the rule is running, an alert is generated. The default setting for this parameter is 'Not Equal' to '250'. Therefore, any response other than 250 from the SMTP server generates an alert. Other comparators and response values can be used if required.

Criteria Alert Details section

Fields in this section define alert settings that override the settings made on the Alert page at Rule level. This provides a more criteria specific alert message to be generated.

Override Rule Default

Click Override Rule Default to specify that the entries on this page override the default Alert page settings at Rule level. From the drop-down menu, select the alert warning level.

Alert Text

Enter the actual text of the alert or use the available Substitution Variables to construct the message text of the alert.

TIP: When Substitution Variables are used, click to display a list of textual and numeric parameters that can be used to amend the actual Substitution Variable value.
Alert Example
Displays an example of how the Alert Text will read using the selected Substitution Variables and user-entered text.

Firewall Settings section

This section contains fields that enable and then specify the parameters required for the use of a firewall proxy with the SMTP server.

Enable Firewall Proxy

Click to enable the use of a Firewall Proxy when connecting to the SMTP server.

Host /Address

Enter the Host name or IP Address of the Firewall Proxy to be used in this rule.

Port Number

Select the Port Number on which the connection to the Firewall Proxy is made. The default setting is 25.

Firewall Proxy Type

From the drop-down menu, select the type of firewall proxy used. Select from:

  • None: No firewall proxy is used.
  • Tunneling: In this mechanism, the client asks a proxy server to forward the TCP connection to the desired destination. The server then proceeds to make the connection on behalf of the client.
  • SOCKS4: SOCKS uses a handshake protocol to inform the proxy software about the connection that the client is trying to make, and then acts as transparently as possible.
  • SOCKS5: An extension of the SOCKS4 protocol offering more choices for authentication and adding support for IPv6 and UDP, the latter of which can be used for DNS lookups.
User Name

If the firewall proxy requires authentication, enter a valid user name.

Password

If a user name has been entered, enter the associated password in this field.

SLA Statistic section

Fields in this section are used to indicate that the criteria for this rule are used to determine performance against Service Level Agreements (SLA).

SLA Statistic

Click the SLA Statistic field so that it is enabled. The SLA flag is measured against the specific criteria defined for this rule.

TIP: If multiple SLA flags are being set for different criteria and/or monitors, we recommend that a Send Enterprise Console alert action is created to determine which of the SLA criteria has failed.
NOTE: SLA Statistic checking is not affected by the suspension of the rule, (SLA data is still gathered even if the rule is suspended) but is dependent on the time period when the rule is active (SLA data is not gathered outside the times when the rule is active).

 

We recommend that when creating SLA flags within rules, that all SLA criteria are kept together in the same rule that use the ‘Perform Actions For Each Criteria That Triggers option, otherwise SLA failures may or may not be indicated correctly.

 

System performance against the specified SLA flags can then be viewed on the SLA Statistics report (automatically included as a Report Template within Advanced Reporting Suite) for this system.

Source Device section

These fields in this section allow to you override the source device. This means that for any alerts raised by this rule criteria, the Device for the alert is shown as the selected ‘Override Source Device’ rather than the Device that actually performed the check.

Override Source Device

Click to enable the override source device functionality.

Source Device

From the drop-down list, select the device to be used as the source device for any alerts raised by this rule criteria. The device must already exist in Device Manager

Auto-Close Options section

These fields determine if the auto-closing of Enterprise Console Alerts is required and if so, the delay invoked before the auto-close becomes effective.

Auto-Close Enterprise Console Alerts

Click this option to automatically close any alerts sent to the Enterprise Console by this rule. When the rule is checked, if the criteria selection would not currently result in an alert and there are previously raised outstanding alerts in existence, the existing alerts are closed either immediately or after the specified Delay By period if the criteria is still not triggering.

EXAMPLE:  

• A CPU rule has criteria to alert if the CPU % Processor Time is above 75%.

• It also has Auto-Close specified to Auto-Close Enterprise Console Alerts with a Delay period of 5 minutes.

 

The rule criteria is checked and triggers as the CPU is above 75%. An alert is sent to the Enterprise Console. At the next check interval, including any time for which the rule is suspended, the rule criteria is checked again and the CPU is below the required threshold. As the criteria has auto-close specified, the outstanding alert is tagged to be automatically closed five minutes later.

 

The rule criteria continues to be checked and if the CPU does not cause any further triggers, the existing alert is closed at the tagged auto-close time.

Delay By

If the Auto-Close Enterprise Console Alerts option is enabled, specify the delay time period after which the alert is automatically closed providing the criteria has not triggered again in the next check interval. The time period can be specified in Minutes, Hours or Days.

Related Topics