Configuring SNMP Alerts

Mike Kwilosz
Level 1

Does anyone have any experience with configuring SNMP alerts on C-Series appliances?  I'm interested in receiving alerts when there's a certain amount of emails in the workqueue.  Is this possible?

We experienced an issue the other day where we received an exorbitant amount of email at one time from one specific sender and the workqueue was backed up.  It would have been nice to receive alerts on this so we could more effectively eliminate the issue.  If anyone has another suggestion for receiving notification through SNMP alerts on a high amount of messages in the workqueue, please let me know.  I'm open to other ideas.  I just thought this might be the most effective way.

Thanks!

Mike

2 Accepted Solutions

Rayman_Jr
Level 1

We are using SNMPv2 to get some statistics out from C-Series appliances and alerts are triggered based on the thresholds.

If you want to monitor workqueue you can query the following SNMP item

Key: workQueueMessages.0

SNMP OID: .1.3.6.1.4.1.15497.1.1.1.11.0

That will give you the number of messages which are in the workqueue.

Attached is an exported list of IronPort-specific SNMP items from a C670 (other models might have a different number of items due to different setup).
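The polling approach from this answer, as an added example (not part of the original post, and not Cisco's or the poster's code): it parses net-snmp `snmpget` output for the OID above and raises a state only when the threshold holds across several polls. The `warn` and `sustain` values, the function names and the sample lines are assumptions; `crit=1000` mirrors the threshold used in the message filter elsewhere in this thread.

```python
import re
import subprocess

# workQueueMessages.0, the OID given in the post above
WORKQUEUE_OID = ".1.3.6.1.4.1.15497.1.1.1.11.0"
_VALUE = re.compile(r"=\s*(?:Gauge32|INTEGER|Unsigned32|Counter32):\s*(\d+)$")

def parse_snmpget(line):
    """Integer value from one line of net-snmp snmpget output, else None."""
    m = _VALUE.search(line.strip())
    return int(m.group(1)) if m else None

def poll(host, community):
    """One SNMPv2c query; assumes net-snmp's snmpget is on PATH."""
    out = subprocess.run(
        ["snmpget", "-v2c", "-c", community, "-On", host, WORKQUEUE_OID],
        capture_output=True, text=True, timeout=15).stdout
    return parse_snmpget(out)

def classify(samples, warn=500, crit=1000, sustain=3):
    """Nagios-style state from the last `sustain` polls (thresholds assumed).
    A failed latest poll is UNKNOWN, so a silent agent is never read as an
    empty queue; a threshold must hold across the whole window, so a burst
    that drains by the next poll raises no alert."""
    recent = samples[-sustain:]
    if not recent or recent[-1] is None:
        return "UNKNOWN"
    complete = len(recent) == sustain and None not in recent
    if complete and min(recent) > crit:
        return "CRITICAL"
    if complete and min(recent) > warn:
        return "WARNING"
    return "OK"

# Constructed snmpget output for five consecutive polls (not captured data);
# the empty string stands for a timed-out poll, which prints nothing on stdout.
SAMPLE = [
    ".1.3.6.1.4.1.15497.1.1.1.11.0 = Gauge32: 12",
    ".1.3.6.1.4.1.15497.1.1.1.11.0 = Gauge32: 1840",
    ".1.3.6.1.4.1.15497.1.1.1.11.0 = Gauge32: 2100",
    ".1.3.6.1.4.1.15497.1.1.1.11.0 = Gauge32: 2650",
    "",
]

if __name__ == "__main__":
    history = []
    for line in SAMPLE:
        history.append(parse_snmpget(line))
        print(history[-1], classify(history))
```

In a scheduler, append each `poll(host, community)` result to a persisted history and send mail when `classify` changes state.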

viahmed
Cisco Employee

Hi Mike,

Apart from SNMP monitoring, you can also use the following message filter, which checks the workqueue count and sends an alert to the specified address.

-------------
wqfull:
if (workqueue-count > 1000)
{
    notify('admin@example.com');
}
------------

Cheers,

Viquar Ahmed

Customer Support Engineer Cisco IronPort

Thank you for both of the replies!  I'm going to try and configure the SNMP portion today.  I spoke with Cisco yesterday after I posted and they recommended using the Message Filter that Viahmed provided.  I've put that in place and it currently is working.  I'm hoping the SNMP alerts will work also.

Thank you!

Mike

The first time I saw this post it opened my eyes a lot.  Using a message filter to monitor the system and send an alert.  Who would have thought..  

Anyway, would there be something along these same lines for ActiveRecipients?  I would like to get an e-mail alert when activerecipients count goes over a threshold...

something like this?

ActiveReceipients:
if (activerecipients?? > 1000)
{
    notify(me@myplace.com);
}

Anyone?

Hi Jason,

We don't have such a filter option or alert system for the delivery queue with the current version of AsyncOS, but we do have an enhancement request filed in-house. You can track this enhancement request with ID 66446 in future releases.

Thanks,

Viquar

Customer Support Engineer

Thanks Viquar, maybe you can help me with the issue that I'm dealing with.

We have roughly 4000 internal SMTP servers that send e-mail to the internet via our IronPort cluster.  These IPs are everything from USB temperature gauges to an Exchange org. with 20K mailboxes.   Every once in a while something goes haywire and a lot of e-mail gets generated internally.  Either a virus generating a lot of e-mail, an application getting stuck in a loop, or a user configuring an Outlook Rule to send all mail to an external address that is being bounced back to them.

What I'm looking for is some kind of alert when e-mail volume or maybe e-mail rate goes through the roof.

One of the things that I've been researching is implementing rate limiting on outbound e-mail by IP address.  The problem is that all of these 4,000 internal SMTP servers are allowed access due to a 10.* entry in our HAT today.  So to get rate limiting going I would have to identify all of those servers and then determine the rate that would be good for each of them that would allow normal traffic but stop at the right point when an issue is occurring.  Due to the work that would take I was hoping for something along the lines of an alert when overall mail rate on the IronPort cluster goes higher than X, not knowing what X is yet...   Probably configure it something high and then slowly change it to a lower setting until I started getting alerts.

Anything like that exist?

Jason Meyer

Hello Jason,

In our lab and DMZ I'm using an external monitoring system that triggers an email to me when the messages per hour limit crosses a given warning and critical threshold. I'm not using an SNMP query here but the status.xml API on the appliance, which is read out on a frequent basis by the monitoring system. It works for me and gives a per-appliance view of the current traffic no matter where it originates from. Probably something for you as well?

Thanks and regards,

Martin

Oh, forgot to mention: you can also monitor active recipients, work queue, RAM utilization, all feature keys' running time, oldest message time and many more via the http://hostname.example.com/xml/status.xml page on the appliance (pretty much all the stuff provided by the CLI command 'status detail' can be monitored with this). With a monitoring system at hand that can process this info, you can trigger email alerts whenever required.

Message was edited by: Martin Eppler

Hi Martin,

 

Could you please tell me what external monitoring system that you are using?

We are looking into this as a potential solution for our need to monitor the Active Recipients queue.

Thank you!

Evan

Hi Everybody,

Is there any update about monitoring 'Active Recipients'? Is there any filter or SNMP OID to send an alert when Active Recipients has reached a threshold?

Thanks,

Luis H.