Help centre

Alert Key

The notion of a key is fundamental to alert processing. A key defines to which "entity" an alert relates. For example, a DoS alert may observe packet rate originating from IP addresses and be raised if the rate from an IP address exceeds a threshold. Here, we choose the IP address as the key for the alert. Incoming events are mapped into multiple streams. Each stream belongs to one distinct IP address, and each stream is measured individually against the rate threshold. Every stream identified by the IP address maintains its own "profile" with aggregated event history, as well as information needed for alert management: is alerting for the key throttled or suppressed?

The basic alert types have the key name configurable. For frafos telephony events, source IP address from our example can be configured as "attrs.source". Events can also be keyed by source trunk AKA Call Agent ("attrs.src_ca_id"), originating user as in From header field ("attrs.from"), or any other attribute present in incoming JSON events. Choosing "tls-cn" as key places all tenant's events into a single stream. Some attributes have synonymical shortcuts, such as "uri" for "attrs.from", empty key name stands for all tenant's events.

Each stream identified by its key name-value pair (say "attrs.source" - "10.0.0.1" here) stores its internal status for every active alert in its "profile." Our example would contain information about past packet rate measurements. It also includes some overhead information, such as when an alert was raised the last time and its throttling status. While alert processing uses the profiles internally, the profiles may also be inspected using the `getprofile` API.

Sometimes, a reference to a simple attribute in an event may generate insufficient uniqueness. You may need, for example, to raise a separate alert for each user's device. In this case, you identify the key by joining From URI representing the user and source IP representing each device. (Using only From would not differentiate the user's multiple devices, whereas using only the source IP address would treat all events from all users behind the same IP as a single stream.) Therefore, you can form a "joint key" where the key value is concatenated from multiple attribute values. You denote such joint keys by respective attribute names joined by the "+" symbol like in "attrs.from+attrs.source". The joint key value is similarly concatenated using the "+" character. For example, the joint key name could yield the value "sip:foo@bar.com+10.0.0.1".

Another particular case is when you are concerned with a key value occurring in multiple attributes. For example, you may be interested in aggregated packet rates from AND to a URI. Such a URI, like "john@doe.com" appears in "attrs.from" attribute for outgoing calls and "attrs.to" for incoming calls. Such a case requires the aggregation of processing results of the two streams into a single profile. To do so, define a "multi-key" over multiple attribute names joined together using the "|" symbol like in "attrs.from|attrs.to". As a convention, data from both streams are merged in a profile identified by the first attribute name, "attrs.from". Then alerts are processed twice, and so are the profile updated twice: once for the value of attrs.from and once for the value of attrs.to. The results are merged in the first attribute's profile.

Note: in profile-manipulating API calls such as in `getprofile`, `rmprofile`, `supress`, `listmall` the profile must be identified by its key. The key, which consists of a name and value, can be identified by the three methods::

keyRef: the most convenient way to identify a profile. Use it if you know an alert event -- .alert.key.keyRef includes an opaque value that identifies the key. For example, use getprofile?keyRef=eyJuYW1lIjoiY3N0bSNhdHRycy5kc3RfY2FfbmFtZSIsInZhbHVlIjoiYXR0cnMuZHN0X2NhX25hbWUjcHJveHkiLCJlbmNyeXB0IjoicGxhaW4ifQ== to retrieve a profile related to an previously raised alert.
alertid and keyval. This is practical when you know the id of a configured alert and the value of the key referred to in the alert configuration. You can use it getprofile?alertid=3e22a9&keyval=10.0.0.1 This ensures you are requesting a proper attribute name used in that specific alert. The key value must be properly encoded for use in URIs.
keyname and keyval identify a key explicitly by the event attribute's name and value. Both name and value parameters must be encoded appropriately for use in URIs (UTF-8 for special characters). The URI parameters take the form keyname=ENCODED_ATTRIBUTE_NAME&keyval=ENCODED_VALUE, for example, keyname=attrs.dst_ca_name&keyval=proxy. If an alert key was specified as multi-key, the related profile is always keyed by the first key name in the multi-key specification. For example, use "keyname=attrs.from" to access a profile associated with an alert using multi-key "attrs.from|attrs.to". If an alert uses a joint key, form value parameter by concatenation of the individual values and name parameter by joining individual names using "+" character: keyname=attrs.from%2Battrs.source&keyval=sip%3Afoo%40bar.com+10.0.0.1.

Page updated

Report abuse