Alert on VPN Tunnel State Changes

Index

• Overview
• Requirements
• Alert Configuration

Overview

Statseeker can be used as a comprehensive proactive, and reactive, alerting solution. Alerts can be triggered for:

• Threshold Events - by configuring thresholds for specific metrics you can have Statseeker alert to you when, among other things, your network is experiencing unusual activity, or a device is nearing capacity. For more details, see Threshold Configuration.
• Device Events - device level events, such as ping state changes, on any devices monitored by Statseeker
• Interface Events - interface level events, such as ifOperStatus state changes, on any interfaces monitored by Statseeker
• Syslog Events - if your network contains devices that have been configured to output messages to a remote syslog server, then these devices can send those messages to Statseeker. Statseeker can review these logs and use the content to trigger alerts relating to those events.
• SNMP Trap Events - if your network contains devices that have been configured to output SNMP trap messages to Statseeker, then Statseeker can review these messages and trigger alerts based on their content.

What we will be using is the syslog output of our Cisco routers to trigger an email alert to be sent when the state of any VPN tunnel operating from/to the router changes. The same alert could be applied to firewalls in this situation.

[top]

Requirements

For the alert to be triggered, you need to have syslog output from your target devices (the routers or firewalls that will be the source/destination of the tunnels) being sent to your Statseeker server. This configuration is made on the device itself:

• Refer to your device specific documentation on how to do this
• Direct the syslog output to the Statseeker server
• Statseeker listens for incoming syslog on the standard syslog port UPD 514

[top]

Alert Configuration

• Select Admin Tool > Alerting / Event Management > Alerting

This will display a list of currently configured alerts.

• Click Add

This will display the New Alert screen.

• Select a Template and Name the Alert configuration to suit your requirements
• Set Event Type to Syslog > Custom

Here is sample syslog output for tunnel state changes from our devices:


000012 2020-01-22 15:28:39 10.2.20.103 local7.notice 90: *Jan 22 02:31:21.814: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to up

000014 2020-01-22 15:48:41 10.2.20.103 local7.notice 92: *Jan 22 02:51:06.032: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to down

Referring to the sample messages presented above, to alert on the output from our devices we would set the Syslog RegEx field to:

Interface Tunnel[0-9]*, changed state to down

This will alert on down state changes of any Interface Tunnel. To alert on both UP and DOWN state changes simply omit the down. You can confirm that the RegEx filter you supplied is picking up the events you want to alert on by using the Check Event Filters option and reviewing the results. This action will apply your alerting configuration to syslog entries received by Statseeker and return details on those entries satisfying the configuration.

• Set Entity Filter and Time Filter options to suit
• Confirm that your configuration is targeting the syslog entries you wish to alert on, by again using the Check Event Filters option and reviewing the output. Statseeker will display those syslog entries which satisfy your configuration.
• Complete the alert configuration as required by the template you selected and Save the alert

In our example we have included:

• A group filter, limiting the scope of the alert to only those devices in our Routers group
• A timefilter, limiting alerts to only those events occurring during our business hours

[top]