Setting Up Alerting and Reporting

Configuring the Alert Options | Configuring the Daily Report | Configuring an SMTP Server

When SDVP first enters LOG ONLY mode there will inevitably be a period of fairly active assessment and adjustment on your part, as entirely new security data about your site(s) becomes available to you in LogViewer, and as possible false positives appear with some frequency, requiring exceptions to be configured. This period may last anywhere from an hour to several days, depending on the number, complexity, and typical traffic loads of the sites and applications running on the server.

After a time, in any case, you will find that the amount of genuinely new data appearing in LogViewer will begin to diminish, as will the necessity to spend quite so much time actively assessing it and making adjustments. This indicates that SDVP has begun to move towards the "steady state" that will be the optimal point for transitioning into ON mode.

Before reaching that point, however, you will probably want to begin monitoring SDVP's activity in a more "hands-off" way -- that is, in a fashion similar to how you will want to monitor it once it is in ON mode and actually blocking malicious traffic. The key here is selectivity: You do not want to be called upon to assess each and every error raised by SDVP, but rather only those that might require particular investigation by you, and/or possible further adjustment of SDVP's security controls.

SDVP provides two basic mechanisms for this more passive and selective type of monitoring: Alerts and Reports. We will describe the set up process for each in turn.

Configuring the Alert Options

The Alert options are accessed using the Alert Settings item in the Configure menu of the Settings Manager:

This brings up the Alert Settings dialog, on the General tab of which you will find certain settings common to all Alert providers.

The Alert Queue is designed to prevent the selected provider(s) from overwhelming their consumers (or clients) with too many alerts sent in too short a time. If the maximum number of alerts is reached, the generation of new alerts is temporarily paused until space in the queue is created by the dispatch of queued alerts via the selected provider(s).

The Log Levels are simply identifiers you can select when configuring individual Alerts (as we will see below). In addition to the three default options shown here you can add customer Log Levels for your own later use:

We now move on to configuration of the Alert providers themselves. There are four options for delivering Alerts in SDVP. These four Alert providers can be used in any combination. Each one is represented by a tab in the Alert Settings dialog.

To use E-Mail Alerts, simply place a check in the box labeled "Enable E-Mail Alerts" on the E-Mail tab, and fill in or modify the other fields as desired. (The Subject line is pre-configured with a number of tokens that will be replaced with alert-specific data at alert-generation time.) You also have options such as: enabling or disabling the Active Alert feature and setting its timeout; deciding whether or not to include full incident details; and choosing between HTML and plain text format.

Once you have entered the information for a given Alert provider it is advisable to send a test Alert using that provider, to verify that SDVP is able to access it as expected. Here is an example of such a test being performed successfully with the E-Mail provider:

Besides (or in addition to) E-Mail, you may choose from three other Alert providers. They are SNMP:

Syslog-NG:

And Windows Event Log. Note that, in the latter case, you also have the option of using the local machine's Event Log, or that of a remote Windows machine for which you have the necessary credentials:

Configuring the Daily Report

The Daily Report is a 24-hour summary of activity observed by SDVP, including trend data relative to the prior period. While this report is available on demand in the SDVP Settings Manager (see the Reporting tab for details) a copy can also be emailed once every twenty-four hour period (at midnight server-local time) to a recipient list of your choice.

The Daily Report email can be sent in HTML or plain text format. The HTML format is designed to be compatible with smart phones and other mobile devices. Here is an example:

To configure these email-based reports, choose the Daily Report item under the Settings Manager's Configure menu:

This brings up the Daily Report dialog. Note that this is quite similar to the E-Mail tab in the Alert Settings dialog. As on that tab, you have the option of sending a test e-mail (in this case, a test version of the Daily Report e-mail) once you have configured the various fields:

(Notice also that the Reporting tab includes a button for launching LogViewer (the "Activity Logs" button), as well buttons for launching brief "Summary Reports" for each specific site as well as for the server as a whole.)

Configuring an SMTP Server

E-mail delivery of Alerts, and nightly delivery of Daily Reports both require configuration of an SMTP server. These settings are accessed using the Global Settings item in the Settings Manager's Configure menu:

This brings up the Global Settings dialog. You will find the relevant controls on the SMTP Settings tab. Note that if your SMTP server requires SSL and/or authentication you will have to fill that information here as well:


Next: Working in Expert View »