DNS server response time slow-bluecoat-sgos

DNS server response time slow-bluecoat-sgos
0

DNS server response time slow-bluecoat-sgos

Vendor: bluecoat

OS: sgos

Description:
indeni will trigger an issue when a DNS server takes too long to respond.

Remediation Steps:
Identify any network and server issues which may be causing this.

How does this work?
Indeni logs on to the device and executes the command “show health-checks statistics”.

Why is this important?
Slow DNS lookups could impact production traffic negatively by causing delays for client requests.

Without Indeni how would you find this?
An administrator could login and manually run the command.

bluecoat-show-health-checks-statistics

name: bluecoat-show-health-checks-statistics
description: Get DNS servers states and response times
type: monitoring
monitoring_interval: 5 minutes
requires:
    vendor: bluecoat
    os.name: sgos
comments:
    dns-server-state:
        why: |
            Even though DNS servers are configured, that does not guarantee that they work. Many products require a fully functional DNS server being set.
        how: |
            Using the built-in "dig" command, each configured DNS server on the device is sent a query to resolve www.indeni.com
        without-indeni: |
            An administrator could login and manually run the command.
        can-with-snmp: false
        can-with-syslog: false
    dns-response-time:
        why: |
            Slow DNS lookups could impact production traffic negatively by causing delays for client requests.
        how: |
            Indeni logs on to the device and executes the command "show health-checks statistics".
        without-indeni: |
            An administrator could login and manually run the command.
        can-with-snmp: false
        can-with-syslog: false
    dns-average-response-time:
        skip-documentation: true
    bluecoat-icap-state:
        why: |
            The ProxySG device is integrating with a variety of different services like ICAP. It is important to monitor the current state of the service.
        how: |
            Indeni logs in over SSH and executes "show health-checks statistics". The output includes the current icap state.
        without-indeni: |
            Login via HTTPS (Port 8082) to the Bluecoat ProxySG and go to the menu Statistics> Health Checks and review the state of each service.
        can-with-snmp: false
        can-with-syslog: true
    bluecoat-process-state:
        why: |
            The ProxySG device is integrating with a variety of different services like ICAP and DTTR. It is important to monitor the current state of the services, otherwise the organization might suffer from security risks and unavailability of external resources.
        how: |
            Indeni logs in over SSH and executes "show health-checks statistics".  The output includes the current state of each service.
        without-indeni: |
            Login via HTTPS (Port 8082) to the Bluecoat ProxySG and go to the menu Statistics> Health Checks and review the state of each service.
        can-with-snmp: false
        can-with-syslog: true
    identity-integration-connection-state:
        why: |
            It is important to make sure that the connectivity between the ProxySG and the authentication servers is up and running.
        how: |
            Indeni logs in over SSH and executes "show health-checks statistics".  The output includes the current state of each service.
        without-indeni: |
            Login via HTTPS (Port 8082) to the Bluecoat ProxySG and go to the menu Statistics -> Health Checks and review the state of the authentication services.
        can-with-snmp: false
        can-with-syslog: true
    auth-response-time:
        why: |
            Slow authentication connectivity could impact production traffic negatively by causing delays for authenticated client requests.
        how: |
            Indeni logs on to the device and executes the command "show health-checks statistics".
        without-indeni: |
            An administrator could login and manually run the command.
        can-with-snmp: false
        can-with-syslog: false
    bluecoat-external-rating-service-state:
        skip-documentation: true
    auth-average-response-time:
        skip-documentation: true
steps:
-   run:
        type: SSH
        command: show health-checks statistics
    parse:
        type: AWK
        file: show-health-checks-statistics.parser.1.awk

cross_vendor_dns_server_response_time

package com.indeni.server.rules.library.core
import com.indeni.apidata.time.TimeSpan
import com.indeni.ruleengine.expressions.conditions.GreaterThanOrEqual
import com.indeni.ruleengine.expressions.core.{StatusTreeExpression, _}
import com.indeni.ruleengine.expressions.data._
import com.indeni.ruleengine.expressions.math.AverageExpression
import com.indeni.server.common.data.conditions.True
import com.indeni.server.params.ParameterDefinition
import com.indeni.server.params.ParameterDefinition.UIType
import com.indeni.server.rules._
import com.indeni.server.rules.library.{PerDeviceRule, RuleHelper}
import com.indeni.server.sensor.models.managementprocess.alerts.dto.AlertSeverity


case class DnsServerTooSlowRule() extends PerDeviceRule with RuleHelper {

  private[library] val highThresholdParameterName = "Ahead_Alerting_Threshold"
  private val highThresholdParameter = new ParameterDefinition(highThresholdParameterName,
    "",
    "Response Time Threshold (ms)",
    "If a DNS server's response time is higher than this, an issue will be triggered.",
    UIType.DOUBLE,
    150)

  override val metadata: RuleMetadata = RuleMetadata.builder("cross_vendor_dns_server_response_time", "DNS server response time slow",
    "indeni will trigger an issue when a DNS server takes too long to respond.", AlertSeverity.ERROR, categories = Set(RuleCategory.HealthChecks), deviceCategory = DeviceCategory.AllDevices).configParameter(highThresholdParameter).build()

  override def expressionTree(context: RuleContext): StatusTreeExpression = {
    val actualValue = AverageExpression(TimeSeriesExpression[Double]("dns-response-time"))

    StatusTreeExpression(
      // Which objects to pull (normally, devices)
      SelectTagsExpression(context.metaDao, Set(DeviceKey), True),

      // What constitutes an issue
      StatusTreeExpression(

          // The additional tags we care about (we'll be including this in alert data)
          SelectTagsExpression(context.tsDao, Set("dns-server"), True),

        StatusTreeExpression(
              // The time-series we check the test condition against:
              SelectTimeSeriesExpression[Double](context.tsDao, Set("dns-response-time"), historyLength = ConstantExpression(TimeSpan.fromMinutes(60)), denseOnly = false),

              // The condition which, if true, we have an issue. Checked against the time-series we've collected
              GreaterThanOrEqual(
                actualValue,
                getParameterDouble(highThresholdParameter))

              // The Alert Item to add for this specific item
            ).withSecondaryInfo(
                scopableStringFormatExpression("${scope(\"dns-server\")}"),
                scopableStringFormatExpression("This server's response time is: %.0f ms", actualValue),
                title = "Affected Servers"
            ).asCondition()
        ).withoutInfo().asCondition()


      // Details of the alert itself
    ).withRootInfo(
        getHeadline(),
        ConstantExpression("One or more DNS servers have a high response time. This may slow down critical system processes."),
        ConstantExpression("Identify any network and server issues which may be causing this.")
    )
  }
}