FlowTraq can generate alert notifications in real time based on user-specified conditions. When such a condition is met, FlowTraq can deliver the notification in several ways:
Alert notifications are displayed in an Alert widget on the Dashboard of the user who set the condition.
Alert notifications can optionally be e-mailed to the user who set the condition.
Alert notifications can optionally be sent via syslog over UDP for integration with third-party SIEM (security information and event management) systems.
Alert notifications can optionally be retrieved via the command line for scripting.
An alertable condition (or simply alert condition) is a time-based threshold set on any metric that can be calculated from network flows. For instance, "number of sessions initiated by any one host exceeds one thousand over a period of thirty minutes" is an alertable condition. If it is set, FlowTraq tracks the number of sessions initiated by every host, and whenever a host initiates more than one thousand sessions over the course of two minutes, FlowTraq notifies the user who set the alertable condition.
In addition, FlowTraq allows you to specify a prefilter that indicates which kinds of sessions to include when tracking a given alertable condition. The prefilter is configured in the same way as report filters.
This chapter describes how to configure, retrieve, and manage alerts.