Kaspersky Next XDR Expert

Monitoring event sources

This section provides information about monitoring event sources.


Source status

In KUMA, you can monitor the state of the sources of data received by collectors. There can be multiple sources of events on one server, and data from multiple sources can be received by one collector.

You can configure automatic identification of event sources using one of the following sets of fields:

  • Custom set of fields. You can specify from 1 to 9 fields in the order you want. TenantID does not need to be specified separately; it is determined automatically.
  • Apply default mapping — DeviceProduct, DeviceHostName, DeviceAddress, DeviceProcessName. The field order cannot be changed.

    Sources are identified if the following fields in events are not empty: the DeviceProduct field, the DeviceAddress and/or DeviceHostName field, and the TenantID field (you do not need to specify the TenantID field; it is determined automatically). The DeviceProcessName field can be empty. If the DeviceProcessName field is not empty and the other required fields are filled, a separate source is identified.

    Identification of event sources depending on non-empty event fields ("+" means the field is not empty):

    DeviceProduct | DeviceHostName | DeviceAddress | DeviceProcessName | TenantID (determined automatically) | Result
    +             | +              |               |                   | +                                   | Source 1 identified
    +             |                | +             |                   | +                                   | Source 2 identified
    +             | +              | +             |                   | +                                   | Source 3 identified
    +             | +              |               | +                 | +                                   | Source 4 identified
    +             |                | +             | +                 | +                                   | Source 5 identified
    +             | +              | +             | +                 | +                                   | Source 6 identified
                  | +              | +             |                   | +                                   | Source not identified
                  | +              |               | +                 | +                                   | Source not identified
                  |                | +             | +                 | +                                   | Source not identified
    +             |                |               | +                 | +                                   | Source not identified

Only one set of fields is applied for the entire installation. When upgrading to a new KUMA version, the default set of fields is applied. Only a user with the General Administrator role can configure the set of fields for identifying an event source. After you save changes to the set of fields, previously identified event sources are deleted from the KUMA Console and from the database. If necessary, you can revert to the default set of fields for identifying event sources. For the edited settings to take effect and for KUMA to begin identifying sources based on the new settings, you must restart the collectors.

To identify event sources:

  1. In the KUMA Console, go to the Source status section.
  2. This opens the Source status window; in that window, click the wrench button.
  3. This opens the Settings of event source detection window; in that window, in the Grouping fields for source detection drop-down list, select the event fields by which you want to identify event sources.

    You can specify from 1 to 9 fields in the order you want. In a custom configuration, KUMA identifies sources in which the TenantID field is filled (you do not need to specify this field separately; it is determined automatically) and at least one field from the Identical fields for source identification is filled. For numeric fields, 0 is considered an empty value. If a single numeric field is selected for source identification and the value of that numeric field is 0, the source is not detected.

    After you save the modified set of fields, an audit event is created and all previously identified sources are deleted from the KUMA Console and from the database; assigned policies are disabled.

  4. If you want to go back to the default list of fields for identifying event sources, click Apply default mapping. The default field order cannot be changed. If you manually specify the fields in the wrong order, an error is displayed and the save settings button becomes unavailable. The correct default sequence of fields is DeviceProduct, DeviceHostName, DeviceAddress, DeviceProcessName. Minimum configuration for identifying event sources using the default set of fields: non-empty values in the DeviceProduct field, the DeviceAddress and/or DeviceHostName field, and the TenantID field (TenantID is determined automatically).
  5. Click Save.
  6. Restart the collectors to apply the changes and begin identifying event sources by the specified list of fields.

Source identification is configured.

To view events that are associated with an event source:

  1. In the KUMA Console, go to the Source status section.
  2. This opens the List of event sources window; in that window, select your event source in the list, expand the menu for the selected event source in the Name column, and click the Events for <number> days button.

    KUMA takes you to the Events section, where you can view a list of events for the selected source over the last 5 minutes. Values of fields configured in the event source identification settings are automatically specified in the query. If necessary, in the Events section, you can change the time period in the query and click Run query again to view the queried data for the specified time period.

Limitations

  1. In a configuration with the default field set, KUMA registers the event source only if the raw event contains the DeviceProduct field and the DeviceAddress and/or DeviceHostName fields.

    If the raw event does not contain the DeviceProduct field and the DeviceAddress and/or DeviceHostName fields, you can:

    • Configure enrichment in the normalizer: on the Enrichment tab of the normalizer, select the Event data type, specify the Source field setting, and for the Target field, select the DeviceProduct + DeviceAddress and/or DeviceHostName and click OK.
    • Use an enrichment rule: select the Event data source type, specify the Source field setting, and as the Target field, select DeviceProduct + DeviceAddress and/or DeviceHostName, then click Create. The created enrichment rule must be linked to the collector at the Event enrichment step.

    KUMA will perform enrichment and register the event source.

  2. If KUMA receives events with identical values of the fields that identify the source, KUMA registers different sources if the following conditions are satisfied:
    • The values of the required fields are identical, but different tenants are determined for the events.
    • The values of the required fields are identical, but one of the events has an optional DeviceProcessName field specified.
    • The values of the required fields are identical, but the data in these fields have different character case.

If you want KUMA to log such events under the same source, you can further configure the fields in the normalizer.
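The identification rules above (the default mapping table, the custom field set with its numeric-zero rule, and the tenant, DeviceProcessName and character-case cases from the Limitations) as an added Python model; this is illustration code, not KUMA's implementation, and the sample events, host names and tenant IDs are constructed.

```python
from typing import Callable, Dict, Iterable, Optional, Tuple

# Default mapping, in the fixed order the documentation gives.
DEFAULT_MAPPING = ("DeviceProduct", "DeviceHostName", "DeviceAddress", "DeviceProcessName")

SourceKey = Tuple


def is_empty(value) -> bool:
    """An absent field, an empty string, or a numeric 0 all count as empty."""
    if value is None:
        return True
    if isinstance(value, bool):
        return False
    if isinstance(value, (int, float)):
        return value == 0
    return value == ""


def source_key_default(event: dict, tenant_id: str) -> Optional[SourceKey]:
    """Default mapping: DeviceProduct, DeviceAddress and/or DeviceHostName, and TenantID must be
    non-empty. DeviceProcessName is optional, but when it is filled the event forms a separate source."""
    if is_empty(event.get("DeviceProduct")):
        return None
    if is_empty(event.get("DeviceHostName")) and is_empty(event.get("DeviceAddress")):
        return None
    if is_empty(tenant_id):
        return None
    values = tuple("" if is_empty(event.get(f)) else event[f] for f in DEFAULT_MAPPING)
    return values + (tenant_id,)


def source_key_custom(event: dict, tenant_id: str, fields: Tuple[str, ...]) -> Optional[SourceKey]:
    """Custom set of 1 to 9 grouping fields in the chosen order: TenantID must be filled and at
    least one grouping field must be non-empty (a lone numeric field equal to 0 is not a source)."""
    if not 1 <= len(fields) <= 9:
        raise ValueError("a custom set contains 1 to 9 fields")
    if is_empty(tenant_id):
        return None
    values = tuple("" if is_empty(event.get(f)) else event[f] for f in fields)
    if all(v == "" for v in values):
        return None
    return values + (tenant_id,)


def register_sources(events: Iterable[Tuple[dict, str]],
                     key_fn: Callable[[dict, str], Optional[SourceKey]]) -> Dict[SourceKey, int]:
    """Group events by source key the way a collector builds its source list; returns
    {source_key: number of events}. Keys are compared verbatim, so values that differ only in
    character case, or the same values under another tenant, become different sources."""
    registry: Dict[SourceKey, int] = {}
    for event, tenant_id in events:
        key = key_fn(event, tenant_id)
        if key is None:
            continue  # source not identified; the event itself is still processed normally
        registry[key] = registry.get(key, 0) + 1
    return registry


# Constructed sample: (normalized event fields, tenant determined by KUMA). Not real data.
SAMPLE_EVENTS = [
    ({"DeviceProduct": "nginx", "DeviceHostName": "web01"}, "tenant-A"),                 # table row 1
    ({"DeviceProduct": "nginx", "DeviceAddress": "10.0.0.5"}, "tenant-A"),               # table row 2
    ({"DeviceProduct": "nginx", "DeviceHostName": "web01"}, "tenant-B"),                 # same fields, other tenant
    ({"DeviceProduct": "nginx", "DeviceHostName": "WEB01"}, "tenant-A"),                 # differs only in case
    ({"DeviceProduct": "nginx", "DeviceHostName": "web01", "DeviceProcessName": "worker"}, "tenant-A"),  # row 4
    ({"DeviceHostName": "web01", "DeviceAddress": "10.0.0.5"}, "tenant-A"),              # no DeviceProduct
    ({"DeviceProduct": "nginx", "DeviceProcessName": "worker"}, "tenant-A"),             # no host name or address
]


def default_mapping_sources() -> Dict[SourceKey, int]:
    """Default mapping over the sample: five sources, the last two events unattributed."""
    return register_sources(SAMPLE_EVENTS, source_key_default)


def custom_hostname_sources() -> Dict[SourceKey, int]:
    """Custom set with DeviceHostName only: case and tenant still split sources, DeviceProcessName does not."""
    return register_sources(SAMPLE_EVENTS, lambda e, t: source_key_custom(e, t, ("DeviceHostName",)))


if __name__ == "__main__":
    for key, count in default_mapping_sources().items():
        print(count, key)
```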

Lists of sources are generated in collectors, merged in the KUMA Core, and displayed in the program web interface under Source status on the List of event sources tab. Data is updated every minute.

The rate and number of incoming events serve as an important indicator of the state of the observed system. You can configure monitoring policies such that changes are tracked automatically and notifications are automatically created when indicators reach specific boundary values. Monitoring policies are displayed in the KUMA Console under Source status on the Monitoring policies tab.

When monitoring policies are triggered, monitoring events are created and include data about the source of events.


List of event sources

Sources of events are displayed in the table under Source status → List of event sources. One page can display up to 250 sources. You can sort the table by clicking the column heading of the relevant parameter and selecting Ascending or Descending.

You can use the Search field to search for event sources. The search is performed using regular expressions (RE2). You can also filter the table by the Status or Monitoring policy columns by clicking the heading of the relevant column and selecting the values that you want to display.

If necessary, you can configure the interval for updating data in the table. Available update periods: 1 minute, 5 minutes, 15 minutes, 30 minutes, 1 hour. The default value is No refresh. You may need to configure the update period to track changes made to the list of sources.

Viewing information about event sources

In the Source status → List of event sources section, information about event sources is displayed in the following columns:

  • Status—status of the event source:
    • Green—events are being received within the limits of the assigned monitoring policies.
    • Red—the frequency or number of incoming events go beyond the boundaries defined in at least one assigned monitoring policy.
    • Gray—monitoring policies have not been assigned to the source of events.

    If the status is red, an event of the Monitoring type is generated. The monitoring event is generated in the tenant that owns the event source and is sent to the storage of the Main tenant (the storage must already be deployed in the Main tenant). If you have access to the tenant of the event source but not to the Main tenant, you can still search for monitoring events in the storage of the Main tenant; only the monitoring events of the tenants available to you are displayed. You can also configure notifications to be sent to an arbitrary email address.

    The table can be filtered by status.

  • Name—name of the event source. The name is generated automatically from the values of fields configured in the event source identification settings.

    You can rename an event source in the table of event sources by hovering over its name and clicking the pencil icon. The name can contain no more than 128 Unicode characters.

  • Host name or IP address—name or IP address of the host from which the events originate if the DeviceHostName or DeviceAddress fields are specified in the event source identification settings.
  • Monitoring policy—list of the monitoring policies assigned to the event source.

    If you want to filter the list of event sources by applied monitoring policies, click the name of this column and select one or more monitoring policies. If necessary, you can find policies in the list using the Search field.

    You can view information about all monitoring policies assigned to an event source by clicking the row of the source. This opens a window that displays the settings of monitoring policies, as well as the status of the source according to each policy. If several monitoring policies are assigned to the source, the red status in the table of sources in this window lets you identify the policy that was triggered. You can also see which policies are enabled and which are disabled, and when the disabled policies will be enabled again.

  • Stream—frequency at which events are received from the event source. If only monitoring policies of the byCount type or monitoring policies of different types are assigned to the source, this value is displayed as the number of events. If only monitoring policies of the byEPS type are assigned to the source, or no policies are assigned, the value is displayed as the number of events per second.
  • Tenant—the tenant that owns the events received from the event source.

Managing event sources

You can select one or more event sources by selecting the check boxes in the first column of the table. You can select multiple event sources at once for performing group operations by selecting the check box in the heading of the first column and selecting Select all or Select all in page. The Select all in page option applies only to event sources displayed in the list: if only 500 out of 1500 sources are displayed in the list, then group actions to download, enable or disable policies, or delete event sources are applied only to the selected 500 sources. If you want to perform an action on all sources in the table, select Select all.

If you select sources of events, the following buttons become available:

  • The Enable policy button enables the monitoring policy for event sources. You must select policies in the displayed window to apply them.
  • You can click the Disable policy button to disable the monitoring policy for event sources. When disabling a policy, you must specify whether you want to disable the policy temporarily or permanently.
  • The Update policy button applies the monitoring policies that are enabled for the event sources, or changes the monitoring policies that are already assigned. When a policy is updated, a task is started in the task manager.

    This button becomes available after you change the monitoring policies assigned to event sources.

  • You can click the Remove button to remove event sources from the table. The statistics on this source will also be removed. If a collector continues to receive data from the source, the event source will re-appear in the table but its old statistics will not be taken into account.

    If you want to delete all event sources, but some time has passed since the table was last refreshed, sources added during this time may not be displayed in the table, but they will be deleted regardless.

    If you delete more than 100,000 event sources to which a filter or search was applied, only the first 100,000 event sources will be deleted. You can select all filtered event sources again and delete them, and then repeat this until you have deleted all event sources that you intended to delete. You can delete over 100,000 event sources if no filters or searches are applied to them by selecting sources using the Select all button.

  • You can click CSV to download the data of the selected event sources to a CSV file.
  • You can click the Chart button to plot a chart of incoming events for the last seven days for the selected event sources. You can select up to five event sources.

Downloading event source information to a CSV file

You can download information about one or more event sources and the monitoring policies applied to them to a CSV file in UTF-8 encoding. If multiple monitoring policies are applied to a source, in the file for that source, each monitoring policy and its parameters starts on a new line. For each monitoring policy applied to a source, the following parameters are exported to the file: Status, Name, Monitoring policy, Lower limit, Upper limit, Stream, Tenant.

To download event source information to a CSV file:

  1. In the KUMA Console, in the Source status → List of event sources section, select one or more event sources in the table by selecting the check boxes in the first column next to the relevant sources.

    In the lower left part of the table, you can find the number of selected sources and the total number of sources in the table. You can select up to 150,000 event sources.

    You can select several event sources by clicking the check box in the heading of the first column and selecting one of the following options:

    • Select all to select all event sources on all pages of the table. If you have used search to filter sources, this will select all sources that match the search query.
    • Select all in page to select all event sources on the currently displayed page. If you have used search to filter sources, this will select all sources on the currently displayed page that match the search query.
  2. Click the CSV button in the upper part of the table.

    Depending on the size of your browser window, the CSV button may be found in the additional menu that you can open by clicking the icon with the three dots.

    A new event source export task is created in the task manager.

  3. Go to the Task manager section and find the created task.

    When the file is ready, the Status column of the task displays the Completed status.

  4. Click the task type name and select Download from the drop-down list.

The CSV file with event source information is downloaded in accordance with your browser settings. The default file name is event-source-list.csv.

Viewing the dynamics of incoming events

You can examine the dynamics of events received from a source over the last seven days, taking into account the applied monitoring policies, in one of the following ways:

  • View the graph for an individual event source.
  • Plot a chart based on graphs for several (up to five) sources.

You can view the graph for a single event source in the KUMA Console in the Source status → List of event sources section by clicking the arrow icon in the row of the relevant event source. The graph of incoming events is displayed under the row of the source.

The data in the graph is displayed as follows:

  • The data is displayed for the days on which the events were received. The maximum period is seven days.

    In the upper left corner above the graph, you can see the number of days, and in the upper right corner, the data display period. You can click the Events for <number> days button to go to the Events section and view the list of events for the selected source.

  • The X-axis represents days, and the Y-axis represents the frequency of events (EPS).
  • The lines represent the average, maximum, and minimum number of events for every 15-minute period during the last seven days.

    If you want to view the number of events at a specific time, hover over a point on the graph. A tooltip is displayed with the average, maximum, and minimum event count at a specific date and time.

You can also plot a chart of incoming events based on graphs for several event sources, for example, if you need to compare the activity of event sources of the same type that should behave in a similar way, but in fact behave in different ways.

To plot a chart based on graphs for multiple event sources:

  1. In the KUMA Console, in the Source status → List of event sources section, select one or more event sources in the table by selecting the check boxes in the first column next to the relevant sources.

    You can plot a chart for up to 5 event sources at the same time.

  2. Click the Chart button in the upper part of the table.

    Depending on the size of your browser window, the Chart button may be found in the additional menu that you can open by clicking the icon with the three dots.

    The displayed Chart pane contains a chart of incoming events for all selected sources as well as a table that displays the current number of events, the maximum number of events, and the average number of events for each source, calculated based on the data from the chart. You can compare how the data for the selected sources relates to each other over time.

    The data in the chart is displayed as follows:

    • The data is displayed for the days on which the events were received. The maximum period is seven days.

      In the upper right corner above the chart, you can see the data display period.

    • The X-axis represents days, and the Y-axis represents the frequency of events (EPS).
    • The lines in the chart represent the average number of incoming events from the selected event sources for every 15-minute interval during the last seven days.

    You can hover over the chart to view the average number of events for each source at a specific time.

  3. If necessary, clear the check boxes in the table below the chart next to the event sources that you want to hide in the chart.
  4. If you want to display the diagram in more detail, click the two arrows icon to open the panel in full screen mode and zoom in on the diagram.

Monitoring policies

The rate and number of incoming events serve as an important indicator of the state of the system. For example, you can detect when there are too many events, too few, or none at all. Monitoring policies are designed to detect such situations. In a policy, you can specify a lower threshold, an optional upper threshold, and the way the events are counted: by frequency or by total number.

The policy must be applied to the event source. You can apply one or more monitoring policies to a source. After applying the policy, you can monitor the status of the source on the List of event sources tab.

Policies for monitoring the sources of events are displayed in the table under Source status → Monitoring policies. You can sort the table by clicking the column header of the relevant setting. The maximum size of the policy list is not limited.

In the Sources column, you can click the Show button to view all event sources to which the policy is applied. When you click this button, you are taken to the List of event sources section, and the table of sources is filtered by the selected policy.

Algorithm of monitoring policies

Monitoring policies are applied to an event source in accordance with the following algorithm:

  1. The event stream is counted at the collector.
  2. The KUMA Core server gets information about the stream from the collectors every 15 seconds.
  3. The obtained data is stored on the KUMA Core server in the Victoria Metrics time series database, and the data storage depth on the KUMA Core server is 15 days.
  4. An inventory of event sources is taken once per minute.
  5. The stream is counted separately for each event source in accordance with the following rules:
    • If a monitoring policy is applied to the event source, the displayed maximum number of events is calculated in accordance with the currently applied monitoring policies for the time interval specified in the policy.

      Depending on the policy type, the event stream is counted as the number of events (for the byCount policy type) or as the number of events per second (EPS, for the byEPS policy type). You can look up how the stream is counted for the applied policy in the Stream column on the List of event sources page.

    • If no monitoring policy is applied to the event source, the number for the event stream corresponds to the last value.
  6. Once a minute, the application checks if any monitoring policies exist that must be applied to event sources or stopped according to the monitoring policy schedule.
  7. Once a minute, the stream of events is checked for compliance with policy settings.

If the event stream from the source crosses the thresholds specified in the monitoring policy, information about this is recorded in the following way:

  • A notification about a monitoring policy getting triggered is sent to the email addresses specified in the policy. For each policy, you can also configure a notification template.
  • A stream monitoring informational event of type 5 (Type=5) is generated. The fields of the event are described in the table below.

    Fields of the monitoring event:

    Event field name    | Field value
    ID                  | Unique ID of the event.
    Timestamp           | Event time.
    Type                | Type of the event. For the monitoring event, the value is 5 (monitoring).
    Name                | Name of the monitoring policy.
    DeviceProduct       | KUMA
    DeviceCustomString1 | The value from the value field in the notification. Displays the value of the metric for which the notification was sent.

The generated monitoring event is sent to the following resources:

  • All storages of the Main tenant
  • All correlators of the Main tenant
  • All correlators of the tenant in which the event source is located

Adding a monitoring policy

To add a new monitoring policy:

  1. In the KUMA Console, under Source status → Monitoring policies, click Add policy and configure the monitoring policy in the displayed window:
  2. In the Policy name field, enter a unique name for the policy you are creating. The name must contain 1 to 128 Unicode characters.

    We recommend choosing a name that reflects the configured schedule of the monitoring policy.

  3. In the Tenant drop-down list, select the tenant that will own the policy. Your tenant selection determines the specific sources of events that can be covered by the monitoring policy.
  4. In the Type field, select one of the following monitoring policy types:
    • by count—by the number of events over a certain period of time.
    • by EPS—by the number of events per second (EPS) over a certain period of time. The average value over the entire period is calculated. You can additionally track spikes during specific periods.
  5. In the Count interval field, specify the period during which the monitoring policy must take into account the data from the monitoring source. You can use the drop-down list on the right to select a value in minutes, hours, or days. The maximum value is 14 days.
  6. If you selected the by EPS policy type, in the Control interval, minutes field, specify the control time interval (in minutes) within which the number of events must cross the threshold for the monitoring policy to trigger:
    • If, during this time period, all checks (performed once per minute) find that the stream is crossing the threshold, the monitoring policy is triggered.
    • If, during this time period, one of the checks (performed once per minute) finds that the stream is within the thresholds, the monitoring policy is not triggered, and the count of check results is reset.

    If you do not specify the frequency of measurement, the monitoring policy is triggered immediately after the stream is found to cross the threshold.

  7. In the Lower limit and Upper limit fields, define the boundaries representing normal behavior. Deviations outside of these boundaries will trigger the monitoring policy, create an alert, and forward notifications.

    The Lower limit setting is required.

  8. In the Evaluation interval field, specify the frequency with which the VMalert service will query VictoriaMetrics for policy data while the policy is being applied to the event source. You can use the drop-down list on the right to select a value in minutes, hours, or days. The default interval is 5 minutes.

    When specifying the evaluation interval, keep in mind the policy schedule. For example, if you configured the policy to be applied once every few hours, we do not recommend configuring a short interval and causing excessive load on VictoriaMetrics.

  9. If necessary, in the Send notifications field, specify the email addresses to which notifications about the activation of the KUMA monitoring policy must be sent. To add an address, enter it in the field and press Enter or click Add. You can specify multiple email addresses.

    To forward notifications, you must configure a connection to the SMTP server.

  10. In the Notification template drop-down list, select the template that you want to use for notifications. If necessary, click the Create new button to start creating a new notification template.

    By default, the basic notification template is selected. You can reset the template selection and switch to the base template by clicking the X icon.

  11. In the Schedule section, configure how often you want to apply the monitoring policy to event sources. By default, the policy is applied every week, every day, from 00:00 to 23:59. To configure the monitoring policy schedule, do any of the following:
    • If you want to apply the monitoring policy weekly on specific days of the week:
      1. Enable the Configure schedule by days of the week toggle switch.
      2. In the Days of the week drop-down list, select the days of the week on which you want the policy to be applied to the source.

        If you want to clear the selection, click the X icon.

      3. In the Time field, specify the start and end time of the policy, with minute precision.

        The policy applicability interval is inclusive of its bounds; for example, if the end time is set to 23:59, the policy will be applied until 23:59:59.999. The default interval is 00:00 to 23:59. The start time must be earlier than the end time.

      4. If you want to add another period, click the Add period button and repeat steps 'b' and 'c'.

        You can add any number of periods.

    • If you want to apply the monitoring policy weekly on specific calendar dates:
      1. Enable the Configure schedule by days of the month toggle switch.
      2. Click the Days of the month field and use the calendar to select the dates on which you want to apply the policy to the source. You can select a period of several days or an individual day. The start date of the period must be earlier than the end date of the period.

        The dates are configured without a year value, so the policy will be applied annually on the specified days until you delete this period. If you want to clear the selection, click the X icon.

      3. In the Time field, specify the start and end time of the policy, with minute precision.

        The policy applicability interval is inclusive of its bounds; for example, if the end time is set to 23:59, the policy will be applied until 23:59:59.999. The default interval is 00:00 to 23:59. The start time must be earlier than the end time.

      4. If you want to add another period, click the Add period button and repeat steps 'b' and 'c'.

        You can add any number of periods.

      If you applied a schedule by day of the week and by day of the month at the same time, the day-of-the-month policy is applied first.

  12. Click Add.

The monitoring policy will be added.
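The once-a-minute policy checks from the algorithm above, the Control interval semantics of step 6, the Lower limit / Upper limit boundaries of step 7, and the Type=5 monitoring event, as an added Python model that is not KUMA's own code. The policies, per-minute readings and event counts are constructed; treating each check as one already-computed stream value is a simplification of this model.

```python
import uuid
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional


@dataclass
class MonitoringPolicy:
    name: str
    policy_type: str                        # "byEPS" or "byCount"
    lower_limit: float                      # required
    upper_limit: Optional[float] = None     # optional
    control_interval: Optional[int] = None  # minutes, byEPS only; None = trigger on the first crossing

    def crosses(self, value: float) -> bool:
        """True when the stream value is outside the boundaries that represent normal behaviour."""
        if value < self.lower_limit:
            return True
        return self.upper_limit is not None and value > self.upper_limit


def stream_value(policy: MonitoringPolicy, per_minute_counts: List[int], count_interval: int) -> float:
    """Value shown in the Stream column for the last count_interval minutes: the total number of
    events for byCount, or the average EPS over the whole period for byEPS."""
    window = per_minute_counts[-count_interval:]
    total = sum(window)
    if policy.policy_type == "byCount":
        return float(total)
    return total / (len(window) * 60)


def first_trigger_minute(policy: MonitoringPolicy, checks: List[float]) -> Optional[int]:
    """Replay the once-a-minute checks (algorithm step 7) and return the 1-based minute at which
    the policy triggers, or None. With a control interval of N minutes, all N consecutive checks
    must cross a threshold; a single check inside the thresholds resets the count. Without a
    control interval the first crossing triggers the policy."""
    needed = policy.control_interval if policy.policy_type == "byEPS" and policy.control_interval else 1
    streak = 0
    for minute, value in enumerate(checks, start=1):
        streak = streak + 1 if policy.crosses(value) else 0
        if streak >= needed:
            return minute
    return None


def monitoring_event(policy: MonitoringPolicy, value: float, when: datetime) -> dict:
    """Type=5 monitoring event with the fields listed in the documentation; the ID is generated here."""
    return {
        "ID": str(uuid.uuid4()),
        "Timestamp": when.isoformat(),
        "Type": 5,
        "Name": policy.name,
        "DeviceProduct": "KUMA",
        "DeviceCustomString1": str(value),
    }


# Constructed once-a-minute EPS readings for one source (not real data): two crossing minutes,
# one minute back inside the limits, then a run of four crossing minutes.
EPS_CHECKS = [12.0, 11.5, 0.0, 0.0, 9.0, 0.0, 0.0, 0.0, 0.0, 10.0]

# Constructed per-minute event counts for the byCount case (not real data).
MINUTE_COUNTS = [40, 35, 0, 0, 15, 0, 0, 0, 0, 30]


def demo_eps_with_control_interval() -> Optional[int]:
    """Control interval of 3 minutes: minutes 3 and 4 cross, minute 5 resets, minutes 6 to 8 trigger."""
    policy = MonitoringPolicy("nginx-eps-floor", "byEPS", lower_limit=5.0, upper_limit=50.0, control_interval=3)
    return first_trigger_minute(policy, EPS_CHECKS)


def demo_eps_without_control_interval() -> Optional[int]:
    """No control interval: the first crossing check, at minute 3, triggers the policy."""
    policy = MonitoringPolicy("nginx-eps-floor", "byEPS", lower_limit=5.0)
    return first_trigger_minute(policy, EPS_CHECKS)


def demo_by_count() -> dict:
    """byCount over a 5-minute count interval with a lower limit of 100 events."""
    policy = MonitoringPolicy("nginx-count-floor", "byCount", lower_limit=100.0)
    value = stream_value(policy, MINUTE_COUNTS, count_interval=5)
    event = monitoring_event(policy, value, datetime.now(timezone.utc)) if policy.crosses(value) else None
    return {"stream": value, "event": event}


if __name__ == "__main__":
    print(demo_eps_with_control_interval(), demo_eps_without_control_interval(), demo_by_count())
```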

Editing monitoring policies

The Source status → Monitoring policies section displays the added monitoring policies and their settings that you specified when creating the policy. You can click a policy to display a sidebar with all of its settings. If necessary, you can edit the policy settings in this sidebar.

If a monitoring policy is applied to an event source and you edit certain policy settings, you may need to update the policy to apply the changes. Every 30 minutes, KUMA checks if any monitoring policies require updating, and if that is the case, it automatically runs a task to update those monitoring policies. You can also run the update task manually by clicking the Update policy button at the top of the table. One task updates all policies that need updating.

The Update policy button becomes active only if some monitoring policies need updating. Information about whether a policy needs updating is displayed in the table of monitoring policies in the Policy update status column as one of the following statuses:

  • Update required if one of the following monitoring policy settings was edited, but the changes have not been applied to event sources:
    • Policy name
    • Type
    • Lower limit
    • Upper limit
    • Count interval
    • Control interval
    • Evaluation interval
  • Updated in any of the following cases:
    • After editing the policy, the task to apply the policy was started, and the changes were applied to event sources.
    • You have edited one of the following policy settings, which does not require starting the update task:
      • Send notifications
      • Notification template
      • Schedule

      In this case, the edited policy settings are applied to event sources after a minute. Changes of the Notification template setting are applied instantly.

    • The modified monitoring policy is not applied to event sources.

The date and time when the policy was last applied to event sources is displayed in the Policy last applied column.

While the policy update task is running, the Update policy button is unavailable for all users. If another user has edited the settings of the policy that necessitate an update, the Update policy button becomes active for you only after you refresh the page or edit the policy or an event source.

Applying monitoring policies

To apply monitoring policies to event sources:

  1. In the KUMA Console, in the Source status → List of event sources section, select one or more event sources in the table by selecting the check boxes in the first column next to the relevant sources. You can select several event sources by clicking the check box in the heading of the first column and selecting one of the following options:
    • Select all to select all event sources on all pages of the table. If you have used search to filter sources, this will select all sources that match the search query.
    • Select all in page to select all event sources that are loaded on the currently displayed page. If you have used search to filter sources, this will select all sources on the currently displayed page that match the search query.

    In the lower left part of the table, you can find the number of selected sources and the total number of sources in the table.

    After you select the event sources to which you want to apply the monitoring policy, the Enable policy button becomes available on the toolbar.

  2. Click Apply policy.
  3. This opens the Apply policy window; in that window, select one or more monitoring policies that you want to apply to the selected event sources. The table lists only monitoring policies that you can assign to the selected sources: policies that belong to the same tenant or to the Shared tenant, if you have access to it. If no shared policies exist for the selected event sources and you do not have access to the Shared tenant, the policy table is empty.

    To select all available policies, you can select the check box in the heading of the first column. You can also use context search by policy name or sort the policies by clicking the heading of the column by which you want to sort the table and selecting Ascending or Descending.

    Search and sorting are not available for the Sources, Schedule, Policy update status, and Policy last applied columns.

  4. Click Apply.
  5. In the table of sources, click Update policy to apply the changes to event sources.

The monitoring policies are applied to the selected event sources; the status of these sources changes to green. The names of the policies applied to the sources are displayed in the Monitoring policy column. A message is also displayed indicating the number of sources to which the policies have been applied. If the monitoring policy is triggered for an event source, the new status of that source is displayed after you manually refresh the page or it is refreshed automatically. We recommend configuring an automatic data refresh period to keep track of changes in the list of sources.

If you have selected more than 100,000 event sources and applied one or more policies to them, these policies are applied only to the first 100,000 sources to which these policies have not yet been applied. If you need to apply policies to the remaining sources, you can do one of the following:

  • Select all sources again and apply the policies to them.
  • Filter the table of sources by any parameter so that the table displays fewer than 100,000 sources, then apply the policies to them.

Repeat the action until the policies have been applied to all the sources that you need.

Disabling monitoring policies

To disable monitoring policies for event sources:

  1. In the KUMA Console, in the Source status → List of event sources section, select one or more event sources in the table by selecting the check boxes in the first column next to the relevant sources.

    In the lower left part of the table, you can find the number of selected sources and the total number of sources in the table. After you select the event sources to which monitoring policies are applied in the list, the Disable policy button becomes available on the toolbar.

    You can select several event sources by clicking the check box in the heading of the first column and selecting one of the following options:

    • Select all to select all event sources on all pages of the table. If you have used search to filter sources, this will select all sources that match the search query.
    • Select all in page to select all event sources that are loaded on the currently displayed page. If you have used search to filter sources, this will select all sources on the currently displayed page that match the search query.
  2. Click Disable policy.
  3. This opens the Disable policy window; in that window, select one or more monitoring policies that you want to disable for the selected event sources. The table lists all monitoring policies applied to at least one of the selected event sources.

    To select all available policies, you can select the check box in the heading of the first column. You can also use context search or sort the policies by clicking the heading of the column by which you want to sort the table and selecting Ascending or Descending.

    Search and sorting are not available for the Sources, Schedule, Policy update status, and Policy last applied columns.

  4. In the settings section above the policy table, do one of the following:
    • If you want to temporarily suspend the policies, select For the specified time and specify the time in minutes, hours, or days after which the selected policies will be reapplied to event sources. Maximum values:
      • For days: 30
      • For hours: 743
      • For minutes: 44579
    • If you want to permanently disable the selected policies for event sources, select Until manually enabled.

    The default selection is For the specified time, and the value is set to 5 minutes.

  5. Click Disable.
  6. In the table of sources, click Update policy to apply the changes to event sources.

The monitoring policies are disabled for selected event sources or suspended for the specified time. The status of these sources in the table changes to gray. A message is displayed indicating the number of sources for which the policies have been disabled.

If you have selected more than 100,000 event sources and disabled one or more policies for them, these policies are disabled only for the first 100,000 sources to which these policies are applied. If you need to disable policies for the remaining sources, you can do one of the following:

  • Select all sources again and disable the policies for them.
  • Filter the table of sources by any parameter so that the table displays fewer than 100,000 sources, then disable the policies for them.

Repeat the action until the policies have been disabled for all the sources that you need.

Adding a new monitoring policy based on an existing policy

To create a new monitoring policy based on an existing policy:

  1. In the KUMA Console, in the Source status → Monitoring policies section, select the monitoring policy that you want to base the new policy on.

    If necessary, you can find monitoring policies in the list using the Search field. The search will be carried out in the following columns: Name, Tenant, Type, Schedule (name of the day and time).

  2. Click Duplicate policy.
  3. This opens the Add policy window, in which you can edit policy settings.

    By default, "- copy" is appended to the name of the new policy. The rest of the settings are the same as in the policy that you are duplicating.

  4. Click the Add button to create the new policy.

The monitoring policy is created based on an existing policy.

Deleting monitoring policies

To delete a monitoring policy:

  1. In the KUMA Console, in the Source status → Monitoring policies section, select one or more monitoring policies that you want to delete.

    If necessary, you can find monitoring policies in the list using the Search field. The search will be carried out in the following columns: Name, Tenant, Type, Schedule (name of the day and time).

  2. Click Delete policy and confirm the action.

The selected monitoring policies are deleted.

You cannot remove predefined monitoring policies or policies that are assigned to data sources.

[Topic 221775]