Alert Actions
The Operations > Alerts > Alert Actions page displays the configured Alert Actions. An alert config defines the conditions under which action should be taken for a particular alert. It also references a corresponding alert action, which lists the specific action(s) to be taken. Multiple alert configs can point to the same alert action. For example, the alert configs for all security and account alerts might reference the same alert action, one which forwards messages to a remote audit system.
Actions
Alert actions are used to notify administrators through one or more of four notification methods:
- Append an entry in the alert log
- Email
- Syslog
- SNMP traps
They may also be used to effect automation through:
- Application autoscaling (e.g., SE scale-out/in, server pool autoscaling)
- Execution of a ControlScript
An alert action may specify any combination of these actions.
Create an Alert Action
- Name: User-friendly name
- Only Generate External Alerts: By default, Avi Vantage appends an entry in the alert log, which is visible to Avi Vantage administrators in the UI. Checking the Only Generate External Alerts box disables the default. Alerts may still be sent externally via any combination of the four methods listed (email, syslog, SNMP, ControlScript).
- Autoscale Trigger: Checking this box engages the Autoscale Manager.
- Alert Level: High, medium, or low. This provides a way of classifying the alert to the remote system. For local notifications within the Avi Vantage UI, the alerts show as a different color to denote their severity.
- Email: Send the alert as an email by selecting a previously created Email Notification.
- Syslog: Send the alert to a syslog server (or servers) by selecting a previously defined Syslog Notification.
- SNMP Trap: Send the alert as a trap to an SNMP server (or servers) by selecting a previously defined SNMP Trap Notification.
- ControlScript: Launch a custom ControlScript, which is a Python script to be executed on the Controller. These scripts may make configuration changes to Avi Vantage or send data externally to a remote system. For instance, a ControlScript could notify a security team via a REST API that a virtual service is under a severe denial of service attack.
Syslog Audit Persistence
To stream alerts of events for audit compliance, starting with Avi Vantage version 20.1.3, a new alert action, Syslog-Audit-Persistence, is created for streaming events to external rsyslog servers.
Use Syslog-Audit-Persistence as a template, and configure the alert action as required.
To edit Syslog-Audit-Persistence:
- From the Avi UI, navigate to Operations > Alerts > Alert Actions.
- Click on the edit icon.
- In the Edit Alert Action screen, update the General Information like Alert Level and Email.
- Select the Syslog notification configuration to use when sending alerts via Syslog or click on Create Syslog Notification.
- In the New Syslog Notification screen, update the Name, Syslog Server and Port.
- Click on Save.
Syslog-Audit-Persistence is now updated with the configured information.
Syslog Messages for TCP
When configured from the UI, syslog message streaming defaults to UDP. To use TCP, change the configuration from the Avi CLI as follows:
[*:alert-ctlr]: alertsyslogconfig> syslog_servers index 1
[*:alert-ctlr]: alertsyslogconfig:syslog_servers> no udp
+--------------------+---------------+
| Field              | Value         |
+--------------------+---------------+
| syslog_server      | 10.10.0.235   |
| syslog_server_port | 514           |
| udp                | False         |
| format             | SYSLOG_LEGACY |
| tls_enable         | False         |
| anon_auth          | False         |
+--------------------+---------------+
[*:alert-ctlr]: alertsyslogconfig:syslog_servers> save
[*:alert-ctlr]: alertsyslogconfig> save
+----------------------+--------------------------------------------------------+
| Field                | Value                                                  |
+----------------------+--------------------------------------------------------+
| uuid                 | alertsyslogconfig-c39ad76c-4630-4c87-8c56-0d6df5ffc78f |
| name                 | Pybot-Syslog-Cfg                                       |
| syslog_servers[1]    |                                                        |
|   syslog_server      | 10.10.0.235                                            |
|   syslog_server_port | 514                                                    |
|   udp                | False                                                  |
|   format             | SYSLOG_LEGACY                                          |
|   tls_enable         | False                                                  |
|   anon_auth          | False                                                  |
| tenant_ref           | admin                                                  |
+----------------------+--------------------------------------------------------+
[*:alert-ctlr]: >
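A transport check for the saved configuration, added here as an example (it is not part of the Avi documentation or product): it parses the table printed by `save` and flags any syslog server that still uses UDP, where dropped audit events go unnoticed, or that has `tls_enable` set to False, where events cross the network in cleartext. The function names and the finding labels `udp-transport` and `no-tls` are assumptions of this example; the sample rows are copied from the output above.

```python
import re

# Table printed by `save` in the CLI session on this page (borders omitted).
SAMPLE = """\
| name                 | Pybot-Syslog-Cfg |
| syslog_servers[1]    |                  |
|   syslog_server      | 10.10.0.235      |
|   syslog_server_port | 514              |
|   udp                | False            |
|   format             | SYSLOG_LEGACY    |
|   tls_enable         | False            |
|   anon_auth          | False            |
| tenant_ref           | admin            |
"""

ROW = re.compile(r"^\|\s*([^|]+?)\s*\|\s*([^|]*?)\s*\|$")
SERVER = re.compile(r"^syslog_servers\[(\d+)\]$")
SERVER_FIELDS = {"syslog_server", "syslog_server_port", "udp",
                 "format", "tls_enable", "anon_auth"}

def parse_servers(table):
    """Return {index: {field: value}} for every syslog_servers[N] block."""
    servers, current = {}, None
    for line in table.splitlines():
        row = ROW.match(line.strip())
        if not row:                      # border lines, prompts, blanks
            continue
        field, value = row.groups()
        block = SERVER.match(field)
        if block:
            current = servers.setdefault(int(block.group(1)), {})
        elif current is not None and field in SERVER_FIELDS:
            current[field] = value
        else:                            # a top-level field closes the block
            current = None
    return servers

def audit(servers):
    """Return (index, host:port, finding); labels are this example's own."""
    findings = []
    for idx, cfg in sorted(servers.items()):
        target = f"{cfg.get('syslog_server')}:{cfg.get('syslog_server_port')}"
        if cfg.get("udp") == "True":          # datagrams: loss is silent
            findings.append((idx, target, "udp-transport"))
        if cfg.get("tls_enable") != "True":   # readable in transit
            findings.append((idx, target, "no-tls"))
    return findings

if __name__ == "__main__":
    for idx, target, finding in audit(parse_servers(SAMPLE)):
        print(f"syslog_servers[{idx}] {target}: {finding}")
```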
Using Syslog Audit Persistence
The updated Syslog-Audit-Persistence can be used when configuring an alert as shown below:
- From the Avi UI, navigate to Operations > Alerts > Alert Config.
- Configure the Basics and the Conditions sections as required.
- Under Actions, select Syslog-Audit-Persistence as the Alert Action.
- Click on Save.
Therefore, the alert config will trigger Syslog-Audit-Persistence, which sends notifications and executes a ControlScript.