Configure Alerts and Notifications

Collecting and aggregating logs is only one piece of a log management strategy. The second piece is being able to quickly identify when an event occurs that requires action.

We help achieve this level of awareness via our notification engine.

Trunc provides a powerful notification engine that allows an administrator to configure pre-defined notifications based on industry standard events, or based on custom events created by an organization. This help document shows you how to access and how to configure notifications.

Configure Trunc Notifications

Trunc allows you to configure Slack and Email notifications.

Access the notifications via the Alerts page.

By default, the system uses the email address of your account as the notification destination.

[Screenshot: Trunc - Alerts Pane]

Enable any of the predefined alert notifications and the system will start working automatically. By default all settings are disabled (set to Quiet); toggle a setting to Alerting to enable it.

Predefined Notifications

By default we offer 10 predefined alerts you can enable. They are grouped into logical groupings: System Availability Alerts, Security Activity Alerts, Web Activity Alerts, and Other Alerts.

System Availability Alert

Name               Description
Disk Space Full    Alerts on logs regarding the disk being full.
Low Memory         Alerts on logs related to low memory.
System Crash       Alerts on logs that may indicate a system crash.

Security Activity Alert

Name                          Description
Failed 'sudo' attempt         Alerts whenever Linux 'sudo' authentication fails.
Failed 'su' attempt           Alerts whenever Linux 'su' authentication fails.
Brute Force attempt           Alerts whenever a brute force attack is detected.
Brute Force attempt success   Alerts on brute force attacks followed by a success.
New user added                Alerts when new users are added.
New application installed     Alerts when a new application is installed.

Web Activity Alerts

Name                Description
Web server errors   Alerts if multiple web server errors are detected.
HTTP 404 Errors     Alerts if multiple 404 errors from the same IP address are detected. Likely a web recon scan.
HTTP 500 Errors     Alerts if multiple 500 errors from the same IP address are detected. Might indicate an attack or web scan.

Other Alerts

Name                           Description
Service availability           Alerts on logs that indicate an availability issue.
System limit reached           Alerts whenever a system limit is reached.
New package added or removed   Alerts whenever we detect a new package being installed or removed.
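As an added illustration (not Trunc's own rule engine, whose internals this page does not describe), the following shows how two of the predefined rules above, the failed 'sudo' attempt and the per-IP HTTP 404/500 threshold, can be expressed as detection logic over constructed sample log lines. The syslog and access-log formats, the threshold value, and all function names are assumptions.

```python
import re
from collections import Counter

# Constructed sample input (not real logs): one failed and one successful sudo,
# followed by Apache-style access-log lines from two client addresses.
SAMPLE_LOGS = [
    "Mar  3 10:01:12 web01 sudo: pam_unix(sudo:auth): authentication failure; "
    "logname=alice uid=1000 euid=0 tty=/dev/pts/0 ruser=alice rhost=  user=alice",
    "Mar  3 10:01:15 web01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/ls",
    '203.0.113.7 - - [03/Mar/2024:10:02:01 +0000] "GET /wp-login.php HTTP/1.1" 404 209',
    '203.0.113.7 - - [03/Mar/2024:10:02:02 +0000] "GET /.env HTTP/1.1" 404 209',
    '198.51.100.9 - - [03/Mar/2024:10:02:03 +0000] "GET /favicon.ico HTTP/1.1" 404 209',
    '203.0.113.7 - - [03/Mar/2024:10:02:04 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 209',
    '203.0.113.7 - - [03/Mar/2024:10:02:05 +0000] "POST /api/upload HTTP/1.1" 500 512',
]

# Failed sudo authentication as logged by pam_unix; the last "user=" field is the account.
SUDO_FAILURE = re.compile(r"sudo: pam_unix\(sudo:auth\): authentication failure;.*user=(\S+)")
# Client IP and HTTP status code from a combined/common access-log line.
ACCESS_LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "[^"]*" (\d{3}) ')


def failed_sudo_alerts(lines):
    """'Failed sudo attempt' rule: one alert per failed sudo authentication line."""
    return [f"Failed 'sudo' attempt for user {m.group(1)}"
            for line in lines if (m := SUDO_FAILURE.search(line))]


def http_status_alerts(lines, status, threshold):
    """'HTTP 404/500 Errors' rule: map of client IP -> count for IPs that produced
    at least `threshold` responses with the given status code."""
    counts = Counter()
    for line in lines:
        m = ACCESS_LINE.match(line)
        if m and m.group(2) == status:
            counts[m.group(1)] += 1
    return {ip: n for ip, n in counts.items() if n >= threshold}


def evaluate(lines, threshold=3):
    """Run both rules over a batch of lines and return the alert messages raised."""
    alerts = failed_sudo_alerts(lines)
    for status, label in (("404", "HTTP 404 Errors"), ("500", "HTTP 500 Errors")):
        for ip, n in http_status_alerts(lines, status, threshold).items():
            alerts.append(f"{label}: {n} responses with status {status} to {ip}")
    return alerts


if __name__ == "__main__":
    for alert in evaluate(SAMPLE_LOGS):
        print(alert)
```

The successful sudo line and the single 404 from 198.51.100.9 raise nothing, which is the behaviour the threshold is meant to give: a lone 404 is noise, a run of them from one address is the recon signal the table describes.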

Custom Configurations

In addition to the predefined alerts, you have the option to create your own alerts using the alert generation card.

This card is found at the bottom of the Alerts page:

[Screenshot: Trunc - Custom Alerts Pane]

All custom alerts are added to every notification address in your account. If you have five accounts, all five will receive the new alert rule.

Posted in trunc / product_configuration by trunc_team