With all the alerts, I want to be able to logically group them together.
This is related to Yoni's post "Some rule tuning".
Here are the categories I'm considering:
1) System resources - e.g. high CPU, memory, critical process(es) down, etc.
2) Device manageability - e.g. no syslog server configured, debug mode enabled, license usage limit approaching, etc.
3) Network/connections - e.g. interfaces down, packet drops, etc.
4) Security best practices - e.g. Telnet enabled, SNMP v2 used, etc.
5) Device/vendor-specific best practices - e.g. disable console logging, configure at least one syslog server, etc.
6) High availability/clustering
7) Routing protocols
We can then assign severity by default to categories.
- Best practices are probably information.
- Device manageability is warning.
- The rest is error.
Any other category suggestion?
Thoughts on the default severity by categories?
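As an added example of how the grouping and default-severity scheme above could be applied (my own illustration, not code from the tool or from the original post), the block below assigns each rule to one of the seven categories, derives each alert's severity from its category's default unless the rule carries an explicit override, and groups a constructed batch of alerts by category with the most severe entries first. The category identifiers, rule names, device names and the `Rule`/`Alert` types are assumptions made for this example.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# Default severity per category, following the proposal above.
# Category identifiers are this example's own naming, not the tool's.
DEFAULT_SEVERITY = {
    "system_resources": "error",
    "device_manageability": "warning",
    "network_connections": "error",
    "security_best_practices": "information",
    "vendor_best_practices": "information",
    "high_availability": "error",
    "routing_protocols": "error",
}

# Ordering used when sorting alerts inside a category (higher = more severe).
SEVERITY_RANK = {"information": 0, "warning": 1, "error": 2}


@dataclass(frozen=True)
class Rule:
    name: str
    category: str
    severity: Optional[str] = None  # explicit per-rule override, else category default


@dataclass(frozen=True)
class Alert:
    device: str
    rule: str  # name of the rule that fired


def effective_severity(rule: Rule) -> str:
    """Per-rule override wins; otherwise fall back to the category default."""
    if rule.category not in DEFAULT_SEVERITY:
        raise ValueError(f"unknown category: {rule.category}")
    sev = rule.severity or DEFAULT_SEVERITY[rule.category]
    if sev not in SEVERITY_RANK:
        raise ValueError(f"unknown severity: {sev}")
    return sev


def group_alerts(rules, alerts):
    """Return {category: [(device, rule_name, severity), ...]}.

    Within a category, entries are sorted most severe first, then by device.
    An alert referencing an unknown rule raises KeyError on purpose: a rule
    without a category cannot be placed, so it should be fixed, not dropped.
    """
    by_name = {r.name: r for r in rules}
    grouped = defaultdict(list)
    for alert in alerts:
        rule = by_name[alert.rule]
        grouped[rule.category].append((alert.device, rule.name, effective_severity(rule)))
    for entries in grouped.values():
        entries.sort(key=lambda t: (-SEVERITY_RANK[t[2]], t[0]))
    return dict(grouped)


def severity_counts(grouped):
    """Count alerts per severity across all categories."""
    counts = {s: 0 for s in SEVERITY_RANK}
    for entries in grouped.values():
        for _, _, sev in entries:
            counts[sev] += 1
    return counts


# Constructed rule set covering the proposed categories (hypothetical names).
RULES = [
    Rule("high_cpu", "system_resources"),
    Rule("critical_process_down", "system_resources"),
    Rule("no_syslog_server", "device_manageability"),
    Rule("debug_mode_enabled", "device_manageability"),
    Rule("interface_down", "network_connections"),
    Rule("telnet_enabled", "security_best_practices"),
    # Explicit override: this rule is raised above the category default.
    Rule("snmp_v2_in_use", "security_best_practices", severity="warning"),
    Rule("console_logging_enabled", "vendor_best_practices"),
    Rule("ha_peer_down", "high_availability"),
    Rule("bgp_neighbor_down", "routing_protocols"),
]

# Constructed batch of alerts (device names are made up for this example).
ALERTS = [
    Alert("core-sw-1", "high_cpu"),
    Alert("edge-fw-2", "telnet_enabled"),
    Alert("edge-fw-2", "snmp_v2_in_use"),
    Alert("core-sw-1", "no_syslog_server"),
    Alert("dist-rtr-3", "bgp_neighbor_down"),
    Alert("dist-rtr-3", "interface_down"),
]

if __name__ == "__main__":
    grouped = group_alerts(RULES, ALERTS)
    for category, entries in grouped.items():
        print(category)
        for device, rule_name, sev in entries:
            print(f"  [{sev}] {device}: {rule_name}")
    print(severity_counts(grouped))
```

The per-rule override keeps the category defaults as a starting point while still letting a single rule (SNMP v2 here) be rated higher than its category, which is the usual way such defaults get tuned over time.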