The monitoring system on a Smoothwall can trigger alerts when certain conditions occur. Some alerts have just a single condition, like services stopping or starting, before an alert is triggered. Others allow you to set threshold values for when alerts are triggered and those are the ones we will take a look at here.
Setting up alerts
To read more about alerts in the Smoothwall Filter & Firewall, see our help topic, Turning on instant alerts.
See our topic section Available alerts to see what each alert does. Here we will give additional information and best practices for configuring the thresholds of various alert types.
On the Alerts page, select a group and then select each type of alert the group should be receiving and click Save.
There are multiple alerts that give you the ability to adjust the threshold for sending out alerts. For those to be useful, the values often have to be adjusted from the defaults. The most relevant ones are:
This alert type will send out alerts when download usage exceeds certain thresholds over time.
There are various selections here that can be made and multiple alerts with different conditions can be turned on. This alert can be useful when trying to determine if bandwidth limiting should be implemented. Set an alert for 85% of the total download amount possible on the internet connection over 10 minutes and if this triggers often, a bandwidth limiter may be useful.
Here is a link to an article explaining a bit about bandwidth management on a Smoothwall system.
System resource alert
The system resource monitor will trigger when load average, memory or disk usage climbs above the threshold set in the system resource monitor settings.
The load average value has to be adjusted for the appliance and workload in use. In general, set the load average value to the number of CPUs in the system or 10, whichever is lower. Memory and disk should be set at about the 90% mark.
If the load average alert triggers often, it may be time to look at some of the services and adjust the workload the Smoothwall is asked to manage.
Service monitoring alert
This alert will trigger whenever a selected service stops, starts or restarts. The two items "Web proxy" and "Web filter" are not enabled by default. These are the Guardian web filter and the proxy engine it relies on, so it is always a good idea to enable them.
If any service is experiencing an outage, enabling the alert for the service here will allow you to keep closer track of service status changes. This should give you a better overview of when the issues appear and hopefully a clue as to why the service is having issues.
Web filter violations alert
This alert triggers if a single user is blocked according to the amounts in the settings over a 15 minute period. There are two thresholds that can be used: one sends out an alert worded as a Caution, the other as a Warning. This only affects the wording in the alert message.
This alert can be useful in order to find systems and devices that are being blocked when sending out automatic requests, like software updates or others, that cause a lot of blocking to be registered for the IP or user.
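To pick threshold values that separate an automated client from ordinary browsing, it helps to count each user's blocks per 15 minute period on historical data first. The following is an added example, not Smoothwall code: the event tuples, the sliding-window counting, the inclusive comparison and the threshold values 10 and 25 are all assumptions made for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=15)  # the period named in the article

def make_sample():
    """Constructed events (timestamp, user or IP, action); not a Smoothwall log format."""
    base = datetime(2024, 1, 1, 9, 0)
    events = []
    # A device retrying a blocked update URL every 20 seconds for 10 minutes.
    for i in range(30):
        events.append((base + timedelta(seconds=20 * i), "10.0.0.50", "blocked"))
    # A person who hits a blocked page now and then.
    for minute in (1, 4, 30, 55):
        events.append((base + timedelta(minutes=minute), "alice", "blocked"))
    events.append((base + timedelta(minutes=2), "alice", "allowed"))
    return sorted(events)

def peak_blocks(events, window=WINDOW):
    """Return {user: highest number of blocks inside any one window}."""
    recent = defaultdict(deque)  # per-user timestamps still inside the window
    peak = defaultdict(int)
    for ts, user, action in events:
        if action != "blocked":
            continue
        q = recent[user]
        q.append(ts)
        while ts - q[0] >= window:  # drop blocks older than the window
            q.popleft()
        peak[user] = max(peak[user], len(q))
    return dict(peak)

def classify(peaks, caution, warning):
    """Map each user to the alert wording their peak would produce, or None.
    Assumes warning >= caution and that reaching a threshold triggers it."""
    result = {}
    for user, count in peaks.items():
        if count >= warning:
            result[user] = "Warning"
        elif count >= caution:
            result[user] = "Caution"
        else:
            result[user] = None
    return result

if __name__ == "__main__":
    peaks = peak_blocks(make_sample())
    for user, level in classify(peaks, caution=10, warning=25).items():
        print(f"{user}: peak {peaks[user]} blocks in 15 min -> {level}")
```

In the constructed data the retrying device peaks at 30 blocks per window while the human user peaks at 2, so a threshold anywhere between the two would flag only the device.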
Web filter URL violations
This alert is a bit more specific in that you have to configure target URLs and domains. If a user or IP address tries to access any of those, an alert gets generated. In this alert we also have two thresholds that can be used.
Similar to the web filter violations alerts, we also have one for the firewall. Again we have two thresholds available, this time called warning and incident. These alerts trigger on both blocked and logged traffic so make sure traffic auditing is not enabled or threshold values are adjusted appropriately, in the "Network - Settings - Advanced" menu, as the alert might otherwise trigger too often.
Again a useful alert if you suspect a system is spamming access requests to a blocked or unavailable destination.
This is meant for monitoring external services, not the Smoothwall itself. You can add a website address and the monitoring system accesses the URL, checks for the presence of particular keywords and if those are not found or access fails outright, it generates an alert.
The other services option is used to check access to SSH or RDP servers, for example. If the connection fails, it generates an alert.
You can do a DNS resolution test for a specific address, which triggers an alert if the resolution fails or is different from the expected result.
There are other types of alerts. The remaining ones generally have little to configure with regards to thresholds but all are useful in their own way.
As always, if you have any further questions, both support chat on this site and of course, the online manual can assist with answers.