Predefined Alerts

Table describing the predefined alerts found in the Alert Builder.

Guardium comes with a set of predefined alerts that can be found in the Alert Builder. Open the Alert Builder by clicking Protect > Database Intrusion Detection > Alert Builder. When you open the Alert Builder, you are presented with a list of all existing alerts in the Alert Finder. Select an alert from the finder and click Modify to edit it.

In the Modify Alert screen, modify any part of the alert, such as receivers or threshold.

You cannot modify the default queries that the alerts are based on. If you want to modify a query, click the Edit this Query icon for any query to open the Query Builder. Once in the builder, clone the query and then modify the clone to suit your needs.

After making changes to an alert, click Apply to save them.

The following table describes all predefined alerts.

Table 1. Predefined Alerts
Alert Description

Active S-TAPs Changed

Checks for changes to active S-TAP® inspection engines made during the last accumulation interval. The alert triggers if at least one inspection engine was changed during that period. By default, the alert runs every half hour and examines the last hour.

Aggregation/Archive Errors

Alert once a day on all aggregation or archive tasks that did not complete successfully.

Connection Profiling Alert

Alert runs every 60 minutes and sends a notice to the predefined group Connection Profiling List, the name list of allowed connections.

CAS Instance Config Changes

Alert once a day on any CAS instance configuration changes.

CAS Templates Changes

Alert once a day on any CAS template configuration changes.

Data Source Changes

Alert once a day on any data source definition changes.

Database disk space

Alert every 10 minutes if the internal database is more than 80% full. See the Self Monitoring help topic for more information on Disk Space (% full) and the Guardium® Nanny process.

Enterprise No Traffic

The Enterprise No Traffic alert runs only on Central Manager systems. It is based on a query similar to the one behind the No Traffic alert and retrieves the records with a timestamp between X and Y, where X is a query parameter and Y is the query from-date that the alert mechanism generates from the accumulation interval (the same way the existing No Traffic alert works).

Enterprise S-TAPs changed

This alert runs only on Central Manager systems.

Failed Logins to Guardium

Alert every 10 minutes if there have been more than 5 failed login attempts on the Guardium appliance.

Guardium - Add/Remove Users

Alert once a day if any Guardium users have been added or removed.

Guardium - Credential Activity

Alert once a day if there have been any Guardium credential changes, including LDAP configuration changes.

Inactive Managed Unit

Alert runs every 30 minutes and sends a notice once a day to the predefined group called "Managed Units Alert".

Inactive S-TAPs Since

Alert once an hour on all S-TAPs that have not been heard from.

Inspection Engines and S-TAP

Alert once a day on any activity related to inspection engine and S-TAP configuration.

No Traffic

Alert indicating that there is no traffic from specific database servers. This alert fires when no traffic is collected from a server from which the Guardium system was collecting traffic at some point during the last 48 hours. The alert triggers when there is no traffic within the period defined by the accumulation interval.

For example, if the accumulation interval is 60 minutes, the alert sends an email if there was no traffic from a specific database server in the last hour but there was some traffic in the last 48 hours. By default, the alert sends an email only every 24 hours. Parameters such as accumulation interval, notification interval, and run frequency can be customized. Parameters such as Threshold, Per Line, operator, and query should not be changed, because changing them will cause the alert to stop working properly. Note that the No Traffic query should not be cloned.

No Traffic by Server/Protocol

Similar to the regular No Traffic alert, with the following differences: the alert is per Service Name/Net Protocol and reports per line. There is an additional parameter, Active Traffic Interval, that determines how far back the last request from each server is looked for. The alert triggers when there was no traffic from a server/net protocol combination during the alert interval, but there was traffic for that combination within the Active Traffic Interval.

By contrast, the regular No Traffic alert triggers per server IP if there was no traffic during the alert interval but there was traffic in the previous 48 hours.
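The two conditions described above, the per-IP No Traffic check and the per-Service Name/Net Protocol variant, implemented over constructed sample traffic records as an added illustration. This is not Guardium's own query logic; the record layout and the 24-hour Active Traffic Interval value are assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample traffic records: (timestamp, server_ip, service_name, net_protocol).
NOW = datetime(2024, 1, 10, 12, 0)
TRAFFIC = [
    (NOW - timedelta(minutes=30), "10.0.0.1", "DB2", "TCP"),     # active within the last hour
    (NOW - timedelta(hours=3),    "10.0.0.1", "DB2", "SHM"),     # same server, this protocol went quiet
    (NOW - timedelta(hours=4),    "10.0.0.2", "ORACLE", "TCP"),  # whole server quiet for 4 hours
    (NOW - timedelta(days=3),     "10.0.0.3", "MSSQL", "TCP"),   # quiet for 3 days, outside 48h lookback
]


def no_traffic(records, now, accumulation_interval=timedelta(hours=1),
               lookback=timedelta(hours=48)):
    """No Traffic: server IPs seen inside the 48-hour lookback but not inside
    the accumulation interval. Servers never seen in the lookback are ignored."""
    seen_in_lookback, seen_recently = set(), set()
    for ts, ip, _service, _proto in records:
        if now - lookback <= ts <= now:
            seen_in_lookback.add(ip)
            if now - accumulation_interval <= ts <= now:
                seen_recently.add(ip)
    return sorted(seen_in_lookback - seen_recently)


def no_traffic_by_server_protocol(records, now, accumulation_interval=timedelta(hours=1),
                                  active_traffic_interval=timedelta(hours=24)):
    """No Traffic by Server/Protocol: (ip, service, protocol) combinations whose
    last request falls inside the Active Traffic Interval (assumed 24h here)
    but not inside the accumulation interval. One result line per combination."""
    last_seen = {}
    for ts, ip, service, proto in records:
        if ts <= now:
            key = (ip, service, proto)
            last_seen[key] = max(last_seen.get(key, ts), ts)
    return sorted(key for key, ts in last_seen.items()
                  if now - active_traffic_interval <= ts < now - accumulation_interval)


if __name__ == "__main__":
    # 10.0.0.1 is not reported per IP because its TCP traffic is recent, but its
    # SHM protocol is reported by the per-protocol variant.
    print("No Traffic:", no_traffic(TRAFFIC, NOW))
    print("No Traffic by Server/Protocol:", no_traffic_by_server_protocol(TRAFFIC, NOW))
```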

Policy Changes Alert

Alert once a day if there have been any security policy changes.

Queries Running Long Time

Notify if a query takes more than 900 seconds to run.

Scheduled Job Exceptions

Alert every 10 minutes on any scheduled job exception (including assessment jobs).