Add files via upload

kapacitor/capLog.tick

@@ -0,0 +1,59 @@
+dbrp "sandboxav"."sandboxav"
+
+var name = 'capLog'
+
+var idVar = name
+
+var message = '{{ index .Tags "host" }} - {{.Level}} - {{.Time}}'
+
+var idTag = 'alertID'
+
+var levelTag = 'level'
+
+var messageField = 'message'
+
+var durationField = 'duration'
+
+var triggerType = 'threshold'
+
+var details = '''<!DOCTYPE html>
+<html>
+<head>
+<title>===== CaptureATP log status =====</title>
+</head>
+<body>
+<h1 style="color:red;"> CaptureATP Log Status Alert </h1>
+<p> /opt/sandboxav/logs/appliance.log not up-to-date. </p>
+<h2>Tags</h2>
+<p> host: {{ index .Tags "host" }} </p>
+</body>
+</html>'''
+
+var period = 1m
+var every = 1m
+
+var crit = 1
+
+var data = batch
+    |query('''
+        select count
+        from "sandboxav"."sandboxav"."filecount"
+    ''')
+        .period(period)
+        .every(every)
+        .groupBy('host')
+        .align()
+        .alignGroup()
+
+var trigger = data
+    |alert()
+        .crit(lambda: "count" < crit)
+        .message(message)
+        .details(details)
+        .id(idVar)
+        .idTag(idTag)
+        .levelTag(levelTag)
+        .messageField(messageField)
+        .durationField(durationField)
+        .stateChangesOnly()
+        .topic('sandboxav')

kapacitor/capPort.tick

@@ -0,0 +1,77 @@
+dbrp "sandboxav"."sandboxav"
+
+var name = 'capPort'
+
+var idVar = name
+
+var message = '{{ index .Tags "host" }} - {{.Level}} - {{.Time}}'
+
+var idTag = 'alertID'
+
+var levelTag = 'level'
+
+var messageField = 'message'
+
+var durationField = 'duration'
+
+var triggerType = 'threshold'
+
+var details = '''<!DOCTYPE html>
+<html>
+<head>
+<title>===== CaptureATP Port Alert =====</title>
+</head>
+<body>
+<h1 style="color:red;"> CaptureATP Port Status Alert </h1>
+<p> sandboxav port(80/12351) down. </p>
+<h2>Tags</h2>
+<p> host: {{ index .Tags "host" }} </p>
+<h2>Fields</h2>
+<p> 80: {{ index .Fields "http.p80" }}
+<p> 12351: {{ index .Fields "net.p12351" }}
+</body>
+</html>'''
+
+var period = 1m
+var every = 1m
+
+var crit = 0
+
+var http = batch
+    |query('''
+        select result_code as p80
+        from "sandboxav"."sandboxav"."http_response"
+    ''')
+        .period(period)
+        .every(every)
+        .groupBy('host')
+        .align()
+        .alignGroup()
+
+var net = batch
+    |query('''
+        select result_code as p12351
+        from "sandboxav"."sandboxav"."net_response"
+    ''')
+        .period(period)
+        .every(every)
+        .groupBy('host')
+        .align()
+        .alignGroup()
+
+var data = http
+    |join(net)
+        .as('http', 'net')
+
+var trigger = data
+    |alert()
+        .crit(lambda: "http.p80" == crit OR "net.p12351" == crit)
+        .message(message)
+        .details(details)
+        .id(idVar)
+        .idTag(idTag)
+        .levelTag(levelTag)
+        .messageField(messageField)
+        .durationField(durationField)
+        .stateChangesOnly()
+        .topic('sandboxav')

kapacitor/capProcess.tick

@@ -0,0 +1,63 @@
+dbrp "sandboxav"."sandboxav"
+
+var name = 'capProcess'
+
+var idVar = name
+
+var message = '{{ index .Tags "host" }} - {{.Level}} - {{.Time}}'
+
+var idTag = 'alertID'
+
+var levelTag = 'level'
+
+var messageField = 'message'
+
+var durationField = 'duration'
+
+var triggerType = 'threshold'
+
+var details = '''<!DOCTYPE html>
+<html>
+<head>
+<title>===== CaptureATP Process Alert =====</title>
+</head>
+<body>
+<h1 style="color:red;"> CaptureATP Process Status Alert </h1>
+<p> sandboxav daemon down. </p>
+<h2>Tags</h2>
+<p> host: {{ index .Tags "host" }} </p>
+<p> process: {{ index .Tags "keyword" }} </p>
+<h2>Fields</h2>
+<p> process number: {{ index .Fields "number" }} </p>
+</body>
+</html>'''
+
+var period = 1m
+var every = 1m
+
+var crit = 1
+
+var data = batch
+    |query('''
+        select number
+        from "sandboxav"."sandboxav"."maf_process"
+        where keyword = 'sandboxmain.py'
+    ''')
+        .period(period)
+        .every(every)
+        .groupBy('host', 'keyword')
+        .align()
+        .alignGroup()
+
+var trigger = data
+    |alert()
+        .crit(lambda: "number" < crit)
+        .message(message)
+        .details(details)
+        .id(idVar)
+        .idTag(idTag)
+        .levelTag(levelTag)
+        .messageField(messageField)
+        .durationField(durationField)
+        .stateChangesOnly()
+        .topic('sandboxav')

kapacitor/cpu.tick

@@ -0,0 +1,74 @@
+dbrp "sandboxav"."sandboxav"
+
+var name = 'cpu'
+
+var idVar = name
+
+var message = '{{ index .Tags "host" }} - {{.Level}} - {{.Time}}'
+
+var idTag = 'alertID'
+
+var levelTag = 'level'
+
+var messageField = 'message'
+
+var durationField = 'duration'
+
+var triggerType = 'threshold'
+
+var details = '''<!DOCTYPE html>
+<html>
+<head>
+<title>===== Cpu Alert =====</title>
+</head>
+<body>
+<h1 style="color:red;"> CPU Usage Alert </h1>
+<p> CPU usage alert. </p>
+<h2>Tags</h2>
+<p> host: {{ index .Tags "host" }} </p>
+<h2>Fields</h2>
+<p> cpu usage: {{ index .Fields "total" }}% </p>
+</body>
+</html>'''
+
+var period = 5m
+var every = 5m
+
+var warn = 90
+var crit = 95
+
+var infoSig = 2.5
+var warnSig = 3
+var critSig = 3.5
+
+var data = batch
+    |query('''
+        select 100 - mean(usage_idle) as total
+        from "sandboxav"."sandboxav"."cpu"
+        where cpu = 'cpu-total'
+    ''')
+        .period(period)
+        .every(every)
+        .groupBy('host', time(1m))
+        .align()
+        .alignGroup()
+
+var alert = data
+    |eval(lambda: sigma("total"))
+        .as('sigma')
+        .keep()
+
+var trigger = alert
+    |alert()
+        .warn(lambda: "total" > warn)
+        .crit(lambda: "total" > crit)
+        .message(message)
+        .details(details)
+        .id(idVar)
+        .idTag(idTag)
+        .levelTag(levelTag)
+        .messageField(messageField)
+        .durationField(durationField)
+        .stateChangesOnly()
+        .all()
+        .topic('system')