Community Reputation: 168 Excellent

About mnagel

  • Birthday July 17


  1. Sure, you can use Service Insight for this, but it is a premium feature, which is using an expensive mallet to handle something that should be available without that extra cost. Or, there should be a Service Insight light for this stuff, leaving the costly part for the intended enhanced features of Service Insight (like Kubernetes). My recommendation on this was to extend cluster alerts so you could at least match up instances. My use case at the time was to detect an AP offline on a controller cluster. There is no way to do this without SI, which as you say is complex, and it is an ex
  2. There is a way to do this, but it is not well-documented and there is no UI exposure for "No Data" alerts; you have to dig around the module sources to find them (because it is very hard to put an indicator in the alert tuning thresholds, I guess). We have standard alerts on 2 datapoints that have No Data alerts and no other alerts. The first is for "Host Uptime" -> SNMP_HostUptime_Singleton -> Uptime and the second is for Uptime- -> * -> UpTime. If a host stops responding to SNMP, those will trigger. We keep them near the end of our alert policy to generally report to our
  3. What you want is a dynamic template processor, but all we have is simple token substitution and no indication that will ever change (I have asked repeatedly for years). You can route alerts to an external integration, which is how we handle transformation of tokens, but you lose some stuff when you do that depending on how you integrate. For example, we use external email integration into our ticket system with a filter that handles the transformation, but custom email integrations do not get the same handling as builtin email for certain things (e.g., you do not get ACK or SDT notices).
  4. My two cents -- I gave up on using syslog and most other eventsources a long time ago due to lack of basic correlation features. At the time, Cisco logs weren't even parsed correctly in our client environments and it took forever to get that dealt with. We have used SumoLogic for log processing since then, since we can run queries on the data over time and get meaningful results (and if needed, tie to LM via the SumoLogic API). LM also realized the existing stuff was a bit limited, so they bought a company and added LMLogs as a premium addon. That is fine, but adding some basic ability to correlate
  5. So this has been an issue for us a lot -- everything was tossed into the topology umbrella for alert suppression with no easy way to manually create dependencies. There are many topologies that are simply not discoverable, like multipoint/mesh WAN topologies and really anything not handled by topology sources. The good news is that some kind support tech provided me a Manual_Topology module that linked various devices manually that eluded auto-discovery. The bad news is it is awkward and leverages hardcoded device names and MAC addresses. But, it is possible. IMO the UI and/or API sh
  6. Check Mike Suding's blog page -- lots of cool stuff, including this. A bit old, but probably still works :). As far as the debugger, yeah -- that stuff freaks me out a lot given that LM more or less requires Domain Admins on collectors (really should be Performance Monitoring Users, especially after the recent SolarWinds incident). You can run those debugger commands from the API as well, even more scary.
  7. I 100% agree this is needed -- we have to hack around this all the time with escalation chains that have one or more empty stages, and still that does not prevent alerts from registering in the system. But this is just one case that would be trivial to solve with DS inheritance, something I have been pushing for well over four years now. The issue with creating new DSes is they are then freestanding clones, meaning each must now be maintained independently (and this is commonly pushed by support as a solution, sadly). If we could just get inheritance done (not just for DSes, but that would b
  8. I guess not ASAP: "This LogicModule is currently undergoing security review. It will be available for import only after our engineers have validated the scripted elements." I guess I will check back at some indeterminate date in the future.
  9. Thank you! I have been asking for this via "proper" channels for some time with no results -- will try it out ASAP as I have an 8320 cluster waiting. FWIW, I recommend using a standard property name alongside the ssh.user/ssh.pass (e.g., lmconfig.enabled) to allow disabling this premium feature at the group (client) level when it has not been subscribed to. I know it is an uphill battle to get those all fixed, but I sure wish it could be done. We still cannot use the new AD and DHCP modules due to lack of ability to disable LMConfig per client.
  10. Almost certainly there is code as Palo Alto checks virtually always require API access. Review has seemed in most cases I have been involved with to be a mostly ad hoc process (or if not, definitely opaque). I suggested in one of our UI/UX meetings that there be a "Request Review" button or similar to create or escalate a request for security review. As a bonus, use a ticketing system (this would be welcome for feedback as well, which as I understand generates internal-only tickets). A unified customer visible ticket system for feedback and module review would be very helpful.
  11. Been there, done that -- you can't reference those in widgets, sadly. You have to just create your own datasource that sets values equal to the properties and then reference those. First time I ran into this I wanted to chart device usage against subscription levels, latter of which was a property. In ours, the collector is a Groovy script that does nothing (not sure why that was how we did it, but it works). The CDP is just equal to ##property## in each case. It is Groovy mode, but the code is literally just that.
  12. Yes, and LM actually agreed with me and others (eventually) and fixed this in v133. And then they broke it sometime after that, no ETR that I am aware of.
  13. FWIW, having also come originally from Nagios, I miss the ability to transmit arbitrary string data back via alerts. Some of this can be emulated with auto properties, but those can be set only during discovery, not collection. I posted a feature request previously to allow definition of enums that can be bound to datapoints (global values and overridden values within specific datasources/datapoints). These could then be used to avoid the current awkward legend method and actually show the intended purpose of DP values where needed via tokens. Imagine a line that showed the actual meaning of t
  14. Eventsources don't support embedded PowerShell, though they certainly should. You can upload a script, though. That said, eventsources are also almost entirely unsuited for monitoring, more like additional information to see along with monitoring. Among other things, you cannot ACK them in a meaningful way due to lack of correlation across eventsource results. I'm sure the yet-another-premium-module LMLogs will fix all those problems, though.
  15. You can do this under Alert Tuning at the group level. There is no similar option for specific devices short of editing the applies to code.