To open the Notification Manager main
window, click Tools > Notification Manager.
The main window is divided into two sections. The Notification rules section in the top part of the
window contains a list of existing (either predefined or user
defined) rules. A rule in this section must be checked to generate
notification messages. By default, no notifications are enabled.
Therefore, we recommend checking whether your rules are active.
The functional buttons under the list of rules include
Save (save modifications to a rule),
Save as... (save modifications to a
rule with a new name), Delete,
Default (restore default settings for
selected trigger type), Refresh and
Default Rules (update the list with
default rules).
The Options section in the bottom half
of the window provides information about the currently selected
rule. All fields and options in this section are described using
the sample rule from chapter Rule creation.
In each rule, you can specify the criteria, known as
a Trigger, which activates the rule. The following triggers
are available:
· Client State - Rule will be run if there is a problem on some of the clients
· Server State - Rule will be run if there is a problem on some of the servers
· Finished Task Event - Rule will be run after the specified task is finished
· New Client Event - Rule will run if there is a new client connecting to the server (including replicated clients)
· New Log Event - Rule will run if there is the specified event found in some of the logs
Other rule options are activated or deactivated depending on the
trigger type, so we recommend setting the trigger type
first when creating new rules.
The Priority drop-down menu allows you
to set the rule priority. P1 is the
highest priority, P5 is the lowest
priority. Priority does not in any way affect the functionality of
rules. To assign priority to notification messages, the
%PRIORITY% variable can be used. Under
the Priority menu, there is a
Description field. We recommend that each
rule is given a meaningful description, such as "rule that warns on detected infiltrations".
As soon as the system detects the trigger event for
a certain client or clients and finds a rule to be run,
the client filter is applied. The filter can be assigned to any
rules in which clients are involved; to enter the client filter
setup, click Edit in the Client filter section. In the window that opens,
define client filtering parameters. When a rule is applied,
only clients meeting the client filter criteria are taken into
consideration. The filtering criteria are:
· FROM Primary Server - Only clients from primary server (the negative NOT FROM can also be applied)
· Primary Server IN - Includes primary server in the output
· HAS New Flag - Clients marked by the flag New (the negative HAS NOT can also be applied)
· ERA Groups IN - Clients belonging to the specified group
· Domain/Workgroup IN - Clients belonging to the specified domain
· Computer Name Mask - Clients with the specified computer name
· HAS IP Mask - Clients falling into the specified IP mask
· HAS IP Range - Clients within the specified IP address range
· HAS Defined Policy - Clients with the specified policy assigned (the negative HAS NOT can also be applied)
After you have specified a client filter for your
notification rule, click OK and proceed
to the rule parameters. Client parameters define what condition
a client or a group of clients must meet in order to run
the notification action. To view the available parameters, click the
Edit
button in the Parameters section.
The availability of parameters depends on the selected Trigger
type. The following is a complete list of parameters available by
Trigger type.
The following parameters are available for Client State
Triggers:
· Protection Status Any Warnings - Any warning found in the Protection Status column
· Protection Status Critical Warnings - A critical warning found in the Protection Status column
· Virus Signature DB version - Problem with virus signature database (6 possible values):
  - Previous - Virus signature database is one version older than the current one
  - Older or N/A - Virus signature database is more than one version older than the current one
  - Older than 5 versions or N/A - Virus signature database is more than 5 versions older than the current one
  - Older than 10 versions or N/A - Virus signature database is more than 10 versions older than the current one
  - Older than 7 days or N/A - Virus signature database is more than 7 days older than the current one
  - Older than 14 days or N/A - Virus signature database is more than 14 days older than the current one
· Last Connected Warning - The last connection was established before the specified time period
· Has Last Threat Event - The Threat column contains a threat warning
· Has Last Event - The Last Event column contains an entry
· Has Last Firewall Event - The Firewall Event column contains a firewall event entry
· Has New Flag - Client has the New flag
· Waiting For Restart - Client is waiting for restart
· Last Scan Found Threat - On client, the specified number of threats was found during the last scan
· Last Scan Not Cleaned Threat - On client, the specified number of uncleaned threats was found during the last scan
All parameters can be negated, but not all negations are usable.
It is only suitable to negate those parameters that include two
logical values: true and not true. For example, the parameter
Has New Flag only covers
clients with the New flag. The
negative parameter would include all clients that are not marked by
the flag.
All conditions above can be logically combined and inverted. The
drop-down menu for The rule
is applied when offers two choices:
· all of the options are met - Rule will only run if all specified parameters are met
· any of the options is met - Rule will run if at least one condition is met
The following parameters are available for the Server State
Triggers:
· Server updated - Server is up-to-date
· Server not updated - Server is not up-to-date for longer than specified
· Server logs - The server log contains the following entry types:
  - Errors - Error messages
  - Errors+Warnings - Error messages and warning messages
  - Errors+Warnings+Info(Verbose) - Error, warning and informative messages
  - Filter log entries by type - Enable this option to specify error and warning entries to be watched in the server log. Note that for notifications to work properly, the log verbosity (Tools > Server Options > Logging) must be set to the corresponding level. Otherwise such notification rules would never find a trigger in the server log. The following log entries are available:
    - ADSI_SYNCHRONIZE - Active Directory group synchronization
    - CLEANUP - Server cleanup tasks
    - CREATEREPORT - On-demand report generating
    - DEINIT - Server shutdown
    - INIT - Server startup
    - INTERNAL 1 - Internal server message
    - INTERNAL 2 - Internal server message
    - LICENSE - License administration
    - MAINTENANCE - Server maintenance tasks
    - NOTIFICATION - Notification management
    - PUSHINST - Push install
    - RENAME - Internal structure renaming
    - REPLICATION - Server replication
    - POLICY - Policy management
    - POLICYRULES - Policy rules
    - SCHEDREPORT - Automatically generated reports
    - SERVERMGR - Internal server thread management
    - SESSION - Servers network connections
    - SESSION_USERACTION - Various user actions
    - THREATSENSE - ThreatSense.Net statistical information submission
    - UPDATER - Server update and mirror creation
  An example of a helpful parameter is UPDATER, which sends a notification message when the Notification Manager finds a problem related to update and mirror creation in the server logs.
· License Expiration - License will expire in the specified number of days, or it already has expired. Select the option "Warn only if this will cause the number of clients in the license fall below the number or actual clients in the server database" to send a notification if expiration will cause the number of clients in the license to fall below the number of currently connected clients.
· Limit license - If the percentage of free clients falls under the specified value
The following parameters are available for the New Log Event
Triggers:
· Log type - Select Event Log, Threat Log, or Firewall Log
· Log level - Log entry level in the given log:
  - Level 1 - Critical Warnings: Critical errors only
  - Level 2 - Above + Warnings: The same as 1, plus alert notifications
  - Level 3 - Above + Normal: The same as 2, plus informative notifications
  - Level 4 - Above + Diagnostic: The same as 3, plus diagnostic notifications
· 1000 occurrences in 60 minutes - Type the number of occurrences and select the time period to specify the event frequency that must be reached for the notification to be sent. The default frequency is 1000 occurrences in one hour.
· Amount - Number of clients (either absolute or in percent)
Other trigger types do not have any specific parameters.
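How the frequency and Amount parameters of a New Log Event rule combine can be seen in the following added example, which is not code from the product. The function names, the sliding-window reading of "occurrences in a time period", and treating "reached" as "at least" are assumptions made for illustration; the sample log entries are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

def clients_over_frequency(events, occurrences, window):
    """Clients that logged at least `occurrences` entries inside any `window`."""
    recent = defaultdict(deque)          # client -> timestamps still in the window
    flagged = set()
    for ts, client in sorted(events):
        q = recent[client]
        q.append(ts)
        while ts - q[0] > window:        # drop entries that fell out of the window
            q.popleft()
        if len(q) >= occurrences:
            flagged.add(client)
    return flagged

def rule_fires(events, all_clients, occurrences=1000,
               window=timedelta(minutes=60), amount=10, percent=True):
    """Frequency plus Amount: enough clients must each reach the frequency."""
    flagged = clients_over_frequency(events, occurrences, window) & set(all_clients)
    if percent:                          # integer maths avoids float rounding
        fired = bool(flagged) and len(flagged) * 100 >= amount * len(all_clients)
    else:
        fired = len(flagged) >= amount
    return fired, sorted(flagged)

def build_sample():
    """Constructed (timestamp, client) log entries; not real data."""
    t0 = datetime(2024, 1, 1, 8, 0, 0)
    clients = [f"pc{n:02d}" for n in range(1, 21)]
    events = []
    for noisy in ("pc01", "pc02"):       # 1000 entries in about 50 minutes
        events += [(t0 + timedelta(seconds=3 * i), noisy) for i in range(1000)]
    # pc03 logs the same total, spread over 5 hours: never 1000 in one hour
    events += [(t0 + timedelta(seconds=18 * i), "pc03") for i in range(1000)]
    return events, clients

if __name__ == "__main__":
    events, clients = build_sample()
    print(rule_fires(events, clients))                           # default values
    print(rule_fires(events, clients, amount=3, percent=False))  # absolute count
```

With 20 clients, the 10% Amount is met by the two bursting clients, while a client that produces the same number of entries slowly never counts toward it.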
If the specified parameters for a rule are met, the action
defined by the administrator is automatically performed. To
configure actions, click Edit
in the
Action section. The action editor offers
these options:
· Email - The program sends the notification text of the rule to the specified email address; enter a Subject and click To to open the address book.
· SNMP Trap - Generates and sends SNMP notification
· Execute (on server) - Enable this option and specify the application to run on the server
· Log To File (on server) - Generates log entries in the specified log file. The Verbosity of this log is configurable.
· Also Log Message - The message body will also be written to the log.
· Log To Syslog - Record notifications to system logs; the Verbosity of notifications can be configured.
· Logging - Records notifications to server logs; the Verbosity of notifications can be configured. For this feature to work correctly, you must enable logging in the ERA Server (Tools > Server Options > Logging).
The notification format can be edited in the Message box in the bottom section of the Notification
Manager main window. In the text you can use special variables,
using this syntax: %VARIABLE_NAME%. To
view the list of available variables, click Show
me options.
· Server_Last_Updated - Last update of the server
· Client_Filter - Client filter parameters
· Client_Filter_Short - Client filter settings (in short form)
· Client_List - List of clients
· Triggered - Date of the most recent notification sent (repeats excluded)
· Triggered Last - Date of the most recent notification sent (repeats included)
· Priority - Notification rule priority
· Log_Text_Truncated - Log text that activated the notification (truncated)
· Task_Result_List - List of finished tasks
· Parameters - Rule parameters
· Last_Log_Date - Date of the last log
· License_Info_Merged - License information (summary)
· License_Info_Full - License information (full)
· License_Days_To_Expiry - Days left until expiration
· License_Expiration_Date - Nearest expiration date
· License_Clients_Left - Free slots in the current license for clients to connect to the server
· License_Customer - License customer (merged)
· Actual_License_Count - Number of clients currently connected to the server
· Virus_Signature_Db_Version - Latest virus signature database version
· Pcu_List - Latest Program Component Update list
The last parameter to be specified is time and date. Activation
of the rule can be delayed to a time period ranging from one
hour to three months. If you wish to activate the rule as soon as
possible, set the Activation after
drop-down menu to ASAP. The Notification
Manager is activated every 10 minutes by default, so if you
select ASAP, the task should run within
10 minutes. If a specific time period is selected from this
menu, the action will automatically be performed after the time
period has elapsed (provided that the rule condition is met).
The Repeat after every
menu allows
you to specify a time interval after which the action will be
repeated. However, the condition to activate the rule must still be
met. In Server > Advanced > Edit Advanced
Settings > ESET Remote
Administrator > Server >
Setup > Notifications > Interval for
notification processing (minutes) you can specify the time
interval in which the server will check and execute active
rules.
The default value is 10 minutes. We do not recommend
decreasing it, since this may cause significant server
slowdown.
By default, the Notification Manager window contains predefined
rules. To activate a rule, select the check box next to the
rule. The following notification rules are available. If they are
activated and the rule conditions are met, they generate log
entries.
· More than 10% of primary clients are not connecting - If more than 10 percent of clients have not connected to the server for more than a week; the rule runs ASAP.
· More than 10% of primary clients with critical protection status - If more than 10 percent of clients generated a Protection status critical warning and have not connected to the server for more than a week; the rule runs ASAP.
· Primary clients with protection status warning - If there is at least one client with a protection status warning that has not connected to the server for at least one week.
· Primary clients not connecting - If there is at least one client that has not connected to the server for more than one week.
· Primary clients with outdated virus signature database - If there is a client with a virus signature database two or more versions older than the current one and has not been disconnected from the server for more than one week.
· Primary clients with critical protection status - If there is a client with a critical protection status warning that has not been disconnected for more than one week.
· Primary clients with newer virus signature database than server - If there is a client with a newer virus signature database than that on the server and that has not been disconnected for more than one week.
· Primary clients waiting for restart - If there is a client waiting for restart that has not been disconnected for more than one week.
· Primary clients with a non-cleaned infiltration in computer scan - If there is a client on which a computer scan could not clean at least one infiltration and that client has not been disconnected for more than one week; the rule runs ASAP.
· Completed task - If there was a task completed on a client; the rule runs ASAP.
· New primary clients - If a new client has connected to the server; the rule runs ASAP.
· New replicated clients - If there is a new replicated client in the list of clients; the rule runs after one hour.
· Possible virus outbreak - If the frequency of Threat log entries on a client has exceeded 1000 critical warnings in one hour on at least 10% of all clients.
· Possible network attack - If the frequency of ESET Personal firewall log entries on a client has exceeded 1000 critical warnings in one hour on at least 10% of all clients.
· Server updated - If the server has been updated
· Server not updated - If the server has not been updated for more than five days; the rule runs ASAP.
· Error in server text log - If the server log contains an error entry.
· License expiration - If the current license will expire within 20 days and after expiration, the maximum number of client slots will be lower than the current number of clients; the rule runs ASAP.
· License limit - If the number of free client slots decreases under 10% of all client slots available.
If not stated otherwise, all rules are run and repeated after 24
hours and are applied to the primary server and primary
clients.