Description
Telemetry Monitoring is a subsystem of the agent that periodically collects CPU, storage/disk, memory, and network metrics of the system on which the agent is running. The primary purpose of Telemetry Monitoring is to enable an administrator to monitor system metrics of interest so they may take appropriate action depending on the values of the metrics.
Telemetry configurations can be created, viewed, modified and deleted from each Telemetry component page. There are 4 telemetry configuration pages, one for each component of the system: CPU, Disk, Memory, Network. In this document the Telemetry CPU page is described, but the other pages behave similarly.
Creating and Editing a Telemetry Monitor Configuration
When 'Add' or 'Modify' is selected as shown in Figure 1, the configuration editor form is displayed as seen in Figure 2. The user can then select the fields that control the telemetry data to be collected. The following procedure describes the available configuration settings and how to configure them:
Schedule Configuration: This selects the frequency at which telemetry metrics are collected from the system. A user can use the drop-down selector at the top of the form in Figure 2 to configure the collection frequency. The available options are Minutely, Hourly, Midnight, or Custom. If custom is selected, the user will be prompted with an additional textbox where a cron format time must be provided. An example may be as follows:
In this example,
*/15 * * * *
was selected, which schedules collection to be performed when the system time is a multiple of 15 minutes (00:00, 00:15, 00:30, …). Other examples may be:
0 */6 * * *
defines a schedule that runs when the time is a multiple of 6 hours (00:00, 06:00, 12:00, 18:00)
0 0 1 * *
defines a schedule that runs every month at midnight on the 1st (1st Jan 00:00, 1st Feb 00:00, …)
Metric Configuration: Users are provided checkbox options that select the metrics to be collected. For the example shown in Figure 2, there are 4 available CPU metrics that can be configured. If multiple metrics are selected, multiple events will be generated; one event is generated for each selected metric.
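The cron expressions accepted by the Custom schedule option above follow the standard five-field layout (minute, hour, day of month, month, day of week). The following Python script is an added illustration, not code from the agent or its vendor: it parses that subset of cron syntax, validates a candidate expression the way an administrator might want to before typing it into the Custom textbox, and walks forward from a constructed start time to show when each of the three schedules from this page would fire. The start date (1 Jan 2024) and the helper names are assumptions made for the example; the agent's own scheduler is not shown here.

```python
"""Minimal 5-field cron matcher (added example; not part of the agent).

Supports the subset used in the schedule examples on this page:
'*', a single value, 'a-b', '*/n', 'a-b/n' and comma-separated lists,
in the order: minute hour day-of-month month day-of-week.
When both day-of-month and day-of-week are restricted, real cron fires
if either matches; this example requires both to match (documented
simplification for the cases shown on the page).
"""
from datetime import datetime, timedelta

# Allowed value range for each of the five cron fields (assumed standard).
FIELD_RANGES = [(0, 59), (0, 23), (1, 31), (1, 12), (0, 6)]


def _parse_field(spec, lo, hi):
    """Expand one cron field into the set of integer values it matches."""
    values = set()
    for part in spec.split(","):
        step = 1
        if "/" in part:
            part, step_str = part.split("/", 1)
            step = int(step_str)
            if step < 1:
                raise ValueError("step must be >= 1")
            if part != "*" and "-" not in part:
                raise ValueError("a step requires '*' or a range")
        if part == "*":
            start, end = lo, hi
        elif "-" in part:
            a, b = part.split("-", 1)
            start, end = int(a), int(b)
        else:
            start = end = int(part)
        if not (lo <= start <= end <= hi):
            raise ValueError(f"value out of range in field {spec!r}")
        values.update(range(start, end + 1, step))
    return values


def parse_cron(expr):
    """Parse a 5-field cron expression into a list of five value sets."""
    fields = expr.split()
    if len(fields) != 5:
        raise ValueError("expected 5 fields: minute hour dom month dow")
    return [_parse_field(f, lo, hi) for f, (lo, hi) in zip(fields, FIELD_RANGES)]


def is_valid_cron(expr):
    """Return True if the expression parses; useful to check the Custom textbox value."""
    try:
        parse_cron(expr)
        return True
    except ValueError:
        return False


def _matches_parsed(parsed, when):
    minute, hour, dom, month, dow = parsed
    # cron uses 0 = Sunday; Python's weekday() uses 0 = Monday.
    cron_dow = (when.weekday() + 1) % 7
    return (when.minute in minute and when.hour in hour
            and when.day in dom and when.month in month and cron_dow in dow)


def matches(expr, when):
    """True if the schedule fires at the given datetime (seconds ignored)."""
    return _matches_parsed(parse_cron(expr), when)


def next_runs(expr, start, count):
    """Return the next `count` firing times strictly after `start`.

    Walks forward one minute at a time; adequate for illustration,
    not for a production scheduler. Gives up after one year.
    """
    parsed = parse_cron(expr)
    runs = []
    t = start.replace(second=0, microsecond=0)
    limit = t + timedelta(days=366)
    while len(runs) < count and t < limit:
        t += timedelta(minutes=1)
        if _matches_parsed(parsed, t):
            runs.append(t)
    return runs


if __name__ == "__main__":
    # Constructed starting point for the demonstration: 1 Jan 2024 00:00.
    start = datetime(2024, 1, 1, 0, 0)
    for expr in ("*/15 * * * *", "0 */6 * * *", "0 0 1 * *"):
        times = [t.strftime("%d %b %H:%M") for t in next_runs(expr, start, 3)]
        print(f"{expr:14s} -> {times}")
```

Running the script prints the first three firing times after the constructed start for each of the three schedules quoted on this page, which matches the times listed above (00:15, 00:30, 00:45; 06:00, 12:00, 18:00; 1 Feb, 1 Mar, 1 Apr at 00:00). A malformed expression such as "61 * * * *" is rejected by is_valid_cron, which is the check an administrator would want before saving a Custom schedule.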
Severity Configuration: A severity level may be assigned to the generated events, so that they can be quickly identified by level of importance, for each destination format type (i.e., Snare, Syslog, CEF, LEEF) using the drop-down lists:
Snare - Critical, Priority, Warning, Information, Clear
Syslog - Emergency, Alert, Critical, Error, Warning, Notice, Info, Debug
CEF - 0 - 10, 0 is least severe and 10 is most severe
LEEF - 1 - 10, 1 is least severe and 10 is most severe
Saving and Applying Telemetry Monitor Configuration
To save and set the changes to the above settings, and to ensure the registry has received the new configuration, perform the following:
Click on Change Configuration to save any changes to the registry and to return to the Telemetry Configuration main page. It will summarise the details of the log files to monitor.
Click on the Apply Configuration & Restart Service menu item.
To review the telemetry events, click on the Latest Events menu item and select the CPU Telemetry button. This filters the display of latest events to only CPU Telemetry events. Note that no events will be generated unless there is a valid destination configured to which to send them.
The following screenshots show an example of a Telemetry CPU Configuration and the resultant events generated.