Notification Manager

To open the Notification Manager main window, click Tools > Notification Manager.

 


The main window is divided into two sections. The Notification rules section in the top part of the window contains a list of existing rules, either predefined or user defined. A rule in this section must be checked (its check box selected) to generate notification messages. By default, no notifications are enabled, so check that the rules you rely on are actually active.

 

The functional buttons under the list of rules include Save (save modifications to a rule), Save as... (save modifications to a rule with a new name), Delete, Default (restore default settings for selected trigger type), Refresh and Default Rules (update the list with default rules).

 

The Options section in the bottom half of the window provides information about the currently selected rule. All fields and options in this section are described using the sample rule from chapter Rule creation.

 

In each rule, you can specify the criteria, known as a Trigger, which activates the rule. The following triggers are available:
 

· Client State – The rule runs if there is a problem on one or more clients
· Server State – The rule runs if there is a problem on one or more servers
· Finished Task Event – The rule runs after the specified task has finished
· New Client Event – The rule runs when a new client connects to the server (including replicated clients)
· New Log Event – The rule runs when the specified event is found in one of the logs

 

Depending on the trigger type, other rule options are activated or deactivated, so we recommend setting the trigger type first when creating a new rule.

 

The Priority drop-down menu allows you to set the rule priority. P1 is the highest priority, P5 is the lowest priority. Priority does not in any way affect the functionality of rules. To assign priority to notification messages, the %PRIORITY% variable can be used. Under the Priority menu, there is a Description field. We recommend that each rule is given a meaningful description, such as ”rule that warns on detected infiltrations”.

 

As soon as the system detects the trigger event for one or more clients and finds a rule to run, the client filter is applied. The filter can be assigned to any rule in which clients are involved; to enter the client filter setup, click Edit in the Client filter section. In the window that opens, define the client filtering parameters. When a rule is applied, only clients meeting the client filter criteria are taken into consideration. The filtering criteria are:
 

· FROM Primary Server – Only clients from the primary server (the negative NOT FROM can also be applied)
· Primary Server IN – Includes the primary server in the output
· HAS New Flag – Clients marked with the ”New” flag (the negative HAS NOT can also be applied)
· ERA Groups IN – Clients belonging to the specified group
· Domain/Workgroup IN – Clients belonging to the specified domain or workgroup
· Computer Name Mask – Clients whose computer name matches the specified mask
· HAS IP Mask – Clients falling into the specified IP mask
· HAS IP Range – Clients within the specified IP address range
· HAS Defined Policy – Clients with the specified policy assigned (the negative HAS NOT can also be applied)

 

After you have specified a client filter for your notification rule, click OK and proceed to the rule parameters. Client parameters define the condition a client or a group of clients must meet for the notification action to run. To view the available parameters, click the Edit… button in the Parameters section.

 

The availability of parameters depends on the selected Trigger type. The following is a complete list of parameters available by Trigger type.

 

The following parameters are available for Client State Triggers:

· Protection Status Any Warnings – Any warning found in the Protection Status column
· Protection Status Critical Warnings – A critical warning found in the Protection Status column
· Virus Signature DB version – Problem with virus signature database (6 possible values)

 - Previous – Virus signature database is one version older than the current one

 - Older or N/A – Virus signature database is more than one version older than the current one

 - Older than 5 versions or N/A – Virus signature database is more than 5 versions older than the current one

 - Older than 10 versions or N/A – Virus signature database is more than 10 versions older than the current one

 - Older than 7 days or N/A – Virus signature database is more than 7 days older than the current one

 - Older than 14 days or N/A – Virus signature database is more than 14 days older than the current one

 

· Last Connected Warning – The last connection was established before the specified time period
· Has Last Threat Event – The Threat column contains a threat warning
· Has Last Event – The Last Event column contains an entry
· Has Last Firewall Event – The Firewall Event column contains a firewall event entry
· Has New Flag – Client has the ”New” flag
· Waiting For Restart – Client is waiting for restart
· Last Scan Found Threat – On client, the specified number of threats was found during the last scan
· Last Scan Not Cleaned Threat – On client, the specified number of uncleaned threats was found during the last scan

 

All parameters can be negated, but not every negation is useful. It only makes sense to negate parameters that have two logical values, true and false. For example, the parameter Has New Flag only covers clients with the ”New” flag; its negation covers all clients that are not marked with the flag.

 

All conditions above can be logically combined and inverted. The drop-down menu The rule is applied when offers two choices:
 

· all of the options are met – Rule will only run if all specified parameters are met
· any of the options is met – Rule will run if at least one condition is met
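To make the filter and parameter semantics above concrete, here is an added example (not ERA's own code) that evaluates a rule the way this section describes: the client filter is applied first, then the Client State parameters are combined with "all" or "any", and any criterion can be negated. The client inventory, the fixed "now" and the current signature database version are constructed test data; treating HAS IP Mask as a CIDR network, ERA Groups IN as exact group names and Computer Name Mask as a shell-style wildcard are assumptions about how the product matches them.

```python
"""Evaluate an ERA-style notification rule against a constructed client list.
Added example, not ERA code: the clients, the fixed "now" and the current
signature DB version are constructed test data."""
import fnmatch
import ipaddress
from dataclasses import dataclass
from datetime import datetime, timedelta

NOW = datetime(2024, 1, 15, 12, 0)        # fixed clock so the example is deterministic
CURRENT_DB_VERSION = 10500                # assumed current signature DB version
CURRENT_DB_DATE = datetime(2024, 1, 15)   # assumed release date of that version


@dataclass
class Client:
    name: str
    ip: str
    group: str
    last_connected: datetime
    db_version: int
    db_date: datetime
    new_flag: bool = False
    critical_status: bool = False
    waiting_for_restart: bool = False


CLIENTS = [  # constructed inventory
    Client("WS-001", "10.0.1.10", "Finance", NOW - timedelta(hours=1), 10500, CURRENT_DB_DATE),
    Client("WS-002", "10.0.1.20", "Finance", NOW - timedelta(days=10), 10490,
           datetime(2024, 1, 1), critical_status=True),
    Client("SRV-DB1", "10.0.2.5", "Servers", NOW - timedelta(hours=2), 10499,
           datetime(2024, 1, 14), waiting_for_restart=True),
    Client("WS-003", "10.0.1.30", "HR", NOW - timedelta(minutes=30), 10500,
           CURRENT_DB_DATE, new_flag=True),
]

# Client filter criteria: each returns a predicate over a Client.
def era_groups_in(*groups):            # ERA Groups IN
    return lambda c: c.group in groups

def has_ip_mask(network):              # HAS IP Mask, assumed to mean a CIDR network
    net = ipaddress.ip_network(network)
    return lambda c: ipaddress.ip_address(c.ip) in net

def computer_name_mask(mask):          # Computer Name Mask, assumed shell-style wildcard
    return lambda c: fnmatch.fnmatchcase(c.name.upper(), mask.upper())

def has_new_flag():                    # HAS New Flag
    return lambda c: c.new_flag

# Client State parameters.
def db_older_than_versions(n):         # "Older than N versions or N/A"
    return lambda c: c.db_version < CURRENT_DB_VERSION - n

def db_older_than_days(n):             # "Older than N days or N/A"
    return lambda c: CURRENT_DB_DATE - c.db_date > timedelta(days=n)

def last_connected_warning(period):    # Last Connected Warning
    return lambda c: NOW - c.last_connected > period

def protection_status_critical():      # Protection Status Critical Warnings
    return lambda c: c.critical_status

def waiting_for_restart():             # Waiting For Restart
    return lambda c: c.waiting_for_restart


def evaluate_rule(clients, client_filter, parameters, mode="all"):
    """Apply the client filter first, then the parameters; return matching names.
    Criteria are (predicate, negated) pairs. The filter is always AND-ed; the
    parameters are combined with "all" or "any" as in the drop-down menu."""
    combine = all if mode == "all" else any
    filtered = [c for c in clients if all(p(c) != neg for p, neg in client_filter)]
    return [c.name for c in filtered if combine(p(c) != neg for p, neg in parameters)]


def outdated_finance_clients():
    """Finance clients on 10.0.1.0/24 whose DB is more than 5 versions old
    AND that have not connected for more than 7 days."""
    return evaluate_rule(
        CLIENTS,
        client_filter=[(era_groups_in("Finance"), False), (has_ip_mask("10.0.1.0/24"), False)],
        parameters=[(db_older_than_versions(5), False),
                    (last_connected_warning(timedelta(days=7)), False)],
        mode="all")


def clients_needing_attention():
    """Known clients (NOT HAS New Flag) that are critical OR waiting for restart.
    Negating the boolean flag is meaningful; negating a numeric threshold is not."""
    return evaluate_rule(
        CLIENTS,
        client_filter=[(has_new_flag(), True)],
        parameters=[(protection_status_critical(), False), (waiting_for_restart(), False)],
        mode="any")
```

Running `outdated_finance_clients()` returns `['WS-002']`, the only Finance client that is both 10 versions behind and silent for 10 days; `clients_needing_attention()` returns `['WS-002', 'SRV-DB1']` because the "any" mode accepts either condition. Note that an empty filter passes every client, which is why a rule with no client filter applies to the whole inventory.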

 

The following parameters are available for the Server State Triggers:

 

· Server updated – Server is up-to-date

 

· Server not updated – Server is not up-to-date for longer than specified

 

· Server logs – The server log contains the following entry types:

 

 - Errors – Error messages

 - Errors+Warnings – Error messages and warning messages

 - Errors+Warnings+Info(Verbose) - Error, warning and informative messages

 - Filter log entries by type – Enable this option to specify error and warning entries to be watched in the server log. Note that for notifications to work properly, the log verbosity (Tools > Server Options > Logging) must be set to the corresponding level. Otherwise such notification rules would never find a trigger in the server log. The following log entries are available:
 
– ADSI_SYNCHRONIZE – Active Directory group synchronization
– CLEANUP – Server cleanup tasks
– CREATEREPORT – On-demand report generation
– DEINIT – Server shutdown
– INIT – Server startup
– INTERNAL 1 – Internal server message
– INTERNAL 2 – Internal server message
– LICENSE – License administration
– MAINTENANCE – Server maintenance tasks
– NOTIFICATION – Notification management
– PUSHINST – Push install
– RENAME – Internal structure renaming
– REPLICATION – Server replication
– POLICY – Policy management
– POLICYRULES – Policy rules
– SCHEDREPORT – Automatically generated reports
– SERVERMGR – Internal server thread management
– SESSION – Server’s network connections
– SESSION_USERACTION – Various user actions
– THREATSENSE – ThreatSense.Net statistical information submission
– UPDATER – Server update and mirror creation

 

An example of a helpful parameter is UPDATER, which sends a notification message when the Notification Manager finds a problem related to update and mirror creation in the server logs.

 

· License Expiration – The license will expire in the specified number of days, or has already expired. Select the option Warn only if this will cause the number of clients in the license fall below the number of actual clients in the server database to send a notification only when the expiration would leave fewer licensed client slots than there are clients in the server database.

 

· Limit license – The percentage of free client slots falls below the specified value

 

The following parameters are available for the New Log Event Triggers:

· Log type – Select Event Log, Threat Log, or Firewall Log
· Log level – Log entry level in the given log
- Level 1 – Critical Warnings – Critical errors only
- Level 2 – Above + Warnings – The same as 1, plus alert notifications
- Level 3 – Above + Normal – The same as 2, plus informative notifications
- Level 4 – Above + Diagnostic – The same as 3, plus diagnostic notifications

 

· 1000 occurrences in 60 minutes – Type the number of occurrences and select the time period to specify the event frequency that must be reached for the notification to be sent. The default frequency is 1000 occurrences in one hour.

 

· Amount – Number of clients (either absolute or in percent)

 

Other trigger types do not have any specific parameters.
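The frequency parameter above (and the predefined "Possible virus outbreak" rule later on this page, which uses 1000 critical entries in 60 minutes on at least 10% of all clients) is worth seeing as code, because it is easy to misread as "1000 entries per hour on average". The check is per client and per sliding window: a client that logs 1200 entries over three hours never reaches 1000 within any one hour. The following is an added example, not ERA code; the tab-separated log format, the client count and every log line are constructed test data.

```python
"""Replay the "Possible virus outbreak" frequency check over a constructed
threat log. Added example, not ERA code. The tab-separated log format,
client count and all log lines below are constructed test data."""
from collections import defaultdict, deque
from datetime import datetime, timedelta
from math import ceil

LEVELS = {"Critical": 1, "Warning": 2, "Normal": 3, "Diagnostic": 4}  # Log level 1..4
START = datetime(2024, 1, 15, 9, 0)


def synth(client, level, count, spacing_s):
    """Generate `count` constructed entries for one client, `spacing_s` apart."""
    return [f"{START + timedelta(seconds=i * spacing_s):%Y-%m-%d %H:%M:%S}"
            f"\t{client}\t{level}\tEicar test file" for i in range(count)]


SAMPLE_LOG = (
    synth("WS-07", "Critical", 1200, 2)      # 1200 in 40 min -> trips
    + synth("WS-09", "Critical", 1000, 3)    # exactly 1000 in 50 min -> trips
    + synth("WS-12", "Critical", 1200, 9)    # 1200 spread over 3 h -> never 1000 in one hour
    + synth("WS-03", "Warning", 1100, 1)     # 1100 in 18 min, but only Log level 2
)


def parse_line(line):
    ts, client, level, detail = line.split("\t", 3)
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), client, LEVELS[level], detail


def clients_over_threshold(lines, occurrences, window_minutes, max_level):
    """Return the set of clients that logged >= `occurrences` entries of level
    <= `max_level` inside any sliding window of `window_minutes`."""
    window = timedelta(minutes=window_minutes)
    recent = defaultdict(deque)
    tripped = set()
    for ts, client, level, _ in sorted(map(parse_line, lines)):
        if level > max_level:
            continue
        q = recent[client]
        q.append(ts)
        while ts - q[0] > window:        # drop entries that have left the window
            q.popleft()
        if len(q) >= occurrences:
            tripped.add(client)
    return tripped


def outbreak_rule(lines, total_clients, occurrences=1000, window_minutes=60,
                  max_level=1, amount="10%"):
    """Possible virus outbreak: the frequency must be reached on `amount` of all
    clients (percent or absolute). Returns (fired, affected clients)."""
    tripped = clients_over_threshold(lines, occurrences, window_minutes, max_level)
    if amount.endswith("%"):
        needed = ceil(total_clients * float(amount[:-1]) / 100)
    else:
        needed = int(amount)
    return len(tripped) >= needed, sorted(tripped)


if __name__ == "__main__":
    print(outbreak_rule(SAMPLE_LOG, total_clients=20))   # (True, ['WS-07', 'WS-09'])
    print(outbreak_rule(SAMPLE_LOG, total_clients=30))   # (False, ['WS-07', 'WS-09'])
```

With 20 clients the 10% threshold is 2, so the two clients that reach 1000 critical entries within an hour fire the rule; with 30 clients the threshold is 3 and the same log does not. Raising the Log level to 2 also counts WS-03's warnings, which is the practical reason to pick the level deliberately rather than leaving it at the widest setting.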

 

If the specified parameters for a rule are met, the action defined by the administrator is automatically performed. To configure actions, click Edit… in the Action section. The action editor offers these options:
 

· Email – The program sends the notification text of the rule to the specified email address; enter a Subject and click To to open the address book.
· SNMP Trap – Generates and sends an SNMP notification.
· Execute (on server) – Enable this option and specify the application to run on the server. Whatever is configured here runs on the server itself, so the ability to edit notification rules is effectively the ability to run programs on the ERA Server; restrict console access accordingly.
· Log To File (on server) – Generates log entries in the specified log file. The Verbosity of this log is configurable.
· Also Log Message – The message body will also be written to the log.
· Log To Syslog – Records notifications to the system log; the Verbosity of notifications can be configured.
· Logging – Records notifications to the server log; the Verbosity of notifications can be configured. For this feature to work correctly, you must enable logging in the ERA Server (Tools > Server Options > Logging).

 

The notification format can be edited in the Message box in the bottom section of the Notification Manager main window. In the text you can use special variables, using this syntax: %VARIABLE_NAME%. To view the list of available variables, click Show me options.
 

· Server_Last_Updated – Last update of the server
· Primary_Server_Name
· Rule_Name
· Rule_Description
· Client_Filter – Client filter parameters
· Client_Filter_Short – Client filter settings (in short form)
· Client_List – List of clients
· Triggered – Date of the most recent notification sent (repeats excluded)
· Triggered Last – Date of the most recent notification sent (repeats included)
· Priority – Notification rule priority
· Log_Text_Truncated – Log text that activated the notification (truncated)
· Task_Result_List – List of finished tasks
· Parameters – Rule parameters
· Last_Log_Date – Date of the last log
· License_Info_Merged – License information (summary)
· License_Info_Full – License information (full)
· License_Days_To_Expiry – Days left until expiration
· License_Expiration_Date – Nearest expiration date
· License_Clients_Left – Free slots in the current license for clients to connect to the server
· License_Customer – License customer (merged)
· Actual_License_Count – Number of clients currently connected to the server
· Virus_Signature_Db_Version – Latest virus signature database version
· Pcu_List – Latest Program Component Update list
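A misspelled placeholder is delivered verbatim in every notification and nobody notices until an incident, so it pays to lint a Message template against the documented variable list before enabling the rule. The following is an added example, not ERA code: it renders the %VARIABLE_NAME% syntax over a constructed context and reports unknown names. Case-insensitive matching (the page writes both %PRIORITY% and Priority), the underscore in Triggered_Last and the sample context values are assumptions.

```python
"""Render a notification Message with %VARIABLE_NAME% placeholders and lint
templates before enabling a rule. Added example, not ERA code. Variable names
come from the list above; case-insensitive matching, the underscore form
Triggered_Last and the sample context values are assumptions."""
import re

PLACEHOLDER = re.compile(r"%([A-Za-z_]+)%")

# Variables documented for the Message box, normalised to lower case.
KNOWN_VARIABLES = {v.lower() for v in (
    "Server_Last_Updated", "Primary_Server_Name", "Rule_Name", "Rule_Description",
    "Client_Filter", "Client_Filter_Short", "Client_List", "Triggered", "Triggered_Last",
    "Priority", "Log_Text_Truncated", "Task_Result_List", "Parameters", "Last_Log_Date",
    "License_Info_Merged", "License_Info_Full", "License_Days_To_Expiry",
    "License_Expiration_Date", "License_Clients_Left", "License_Customer",
    "Actual_License_Count", "Virus_Signature_Db_Version", "Pcu_List")}


def lint_template(template):
    """Return placeholders that are not documented variables (sorted, unique)."""
    return sorted({m.group(1) for m in PLACEHOLDER.finditer(template)
                   if m.group(1).lower() not in KNOWN_VARIABLES})


def render(template, context):
    """Substitute known variables; unknown ones are left as written so the
    defect is visible in the delivered message instead of silently dropped.
    A lone '%' (as in '100% done') is not a placeholder and is left alone."""
    ctx = {k.lower(): v for k, v in context.items()}

    def sub(m):
        value = ctx.get(m.group(1).lower())
        return m.group(0) if value is None else str(value)
    return PLACEHOLDER.sub(sub, template)


# Constructed context for one run of the "outdated virus signature database" rule.
SAMPLE_CONTEXT = {
    "Priority": "P2",
    "Rule_Name": "Primary clients with outdated virus signature database",
    "Primary_Server_Name": "ERA-SRV01",
    "Virus_Signature_Db_Version": "10500 (20240115)",
    "Client_List": "\n".join(["WS-002 (10.0.1.20) DB 10490", "WS-017 (10.0.1.77) DB 10488"]),
    "Triggered": "2024-01-15 12:10:00",
}

TEMPLATE = ("[%PRIORITY%] %Rule_Name% on %Primary_Server_Name%\n"
            "Server DB: %Virus_Signature_Db_Version%, first triggered %Triggered%\n"
            "Affected clients:\n%Client_List%")


def sample_message():
    return render(TEMPLATE, SAMPLE_CONTEXT)


if __name__ == "__main__":
    print(lint_template("%Client_Lst% %Priority%"))   # ['Client_Lst']
    print(sample_message())
```

Using %PRIORITY% at the start of the template (or in the email Subject) is what lets a mail filter or SIEM route P1 rules differently from P5 ones, since the priority itself has no effect on rule processing.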

 

The last parameters to be specified are time and date. Activation of the rule can be delayed by a period ranging from one hour to three months. If you wish to activate the rule as soon as possible, set the Activation after drop-down menu to ASAP. The Notification Manager runs every 10 minutes by default, so if you select ASAP, the action should run within 10 minutes. If a specific time period is selected from this menu, the action is performed automatically after that period has elapsed (provided that the rule condition is still met).

 

The Repeat after every… menu allows you to specify a time interval after which the action will be repeated. However, the condition to activate the rule must still be met. In Server > Advanced > Edit Advanced Settings > ESET Remote Administrator > Server > Setup > Notifications > Interval for notification processing (minutes) you can specify the time interval in which the server will check and execute active rules.

 

The default value is 10 minutes. We do not recommend decreasing it, since this may cause significant server slowdown.

 

By default, the Notification Manager window contains predefined rules. To activate a rule, select the check box next to the rule. The following notification rules are available. If they are activated and the rule conditions are met, they generate log entries.
 

· More than 10% of primary clients are not connecting – If more than 10 percent of clients have not connected to the server for more than a week; the rule runs ASAP.
· More than 10% of primary clients with critical protection status – If more than 10 percent of clients generated a Protection status critical warning and have not connected to the server for more than a week; the rule runs ASAP.
· Primary clients with protection status warning – If there is at least one client with a protection status warning that has not connected to the server for at least one week.
· Primary clients not connecting – If there is at least one client that has not connected to the server for more than one week.
· Primary clients with outdated virus signature database – If there is a client with a virus signature database two or more versions older than the current one and has not been disconnected from the server for more than one week.
· Primary clients with critical protection status – If there is a client with a critical protection status warning that has not been disconnected for more than one week.
· Primary clients with newer virus signature database than server – If there is a client with a newer virus signature database than that on the server and that has not been disconnected for more than one week.
· Primary clients waiting for restart – If there is a client waiting for restart that has not been disconnected for more than one week.
· Primary clients with a non-cleaned infiltration in computer scan – If there is a client on which a computer scan could not clean at least one infiltration and that client has not been disconnected for more than one week; the rule runs ASAP.
· Completed task – If a task was completed on a client; the rule runs ASAP.
· New primary clients – If a new client has connected to the server; the rule runs ASAP.
· New replicated clients – If there is a new replicated client in the list of clients; the rule runs after one hour.
· Possible virus outbreak – If the frequency of Threat log entries on a client has exceeded 1000 critical warnings in one hour on at least 10% of all clients.
· Possible network attack – If the frequency of ESET Personal firewall log entries on a client has exceeded 1000 critical warnings in one hour on at least 10% of all clients.
· Server updated – If the server has been updated.
· Server not updated – If the server has not been updated for more than five days; the rule runs ASAP.
· Error in server text log – If the server log contains an error entry.
· License expiration – If the current license will expire within 20 days and, after expiration, the maximum number of client slots will be lower than the current number of clients; the rule runs ASAP.
· License limit – If the number of free client slots decreases under 10% of all client slots available.

 

If not stated otherwise, all rules are run and repeated after 24 hours and are applied to the primary server and primary clients.