Skyhigh Security

Error handling using incident information

An appliance records a defined group of activities and situations, such as a component failing to complete a task, as incidents. Rules can use the information recorded with an incident to trigger a particular method of error handling.

Incidents can be related to the appliance system, as well as to its subsystems and modules. For example, a failure of the Log File Manager to push log files is recorded as an incident.

The error handling that a rule triggers can be, for example, sending a notification message or creating an entry in the system log. To make incidents usable in rules, the key incident parameters, including the ID, severity, and origin, are exposed as properties.

For example, a rule can test the Incident.ID property and, if its value is a particular number, trigger an event that creates a syslog entry.

Rules using incidents

The Default rule set for error handling contains a nested rule set providing rules that trigger a notification message and other error handling events when incidents concerning the Log File Manager occur. The name of this nested rule set is Log File Manager Incidents. Other nested rule sets handle incidents related to updates and licensing.

You can also create rules and rule sets of your own that use incidents for error handling.

Incident parameters and properties

Incidents are recorded on an appliance with their IDs and other parameters. For each parameter, there is a property, which can be used in an appropriate rule.

  • Incident ID — Each incident is identified by a number. For example, the incident with ID 501 is a failure of the Log File Manager to push log files. The Incident.ID property can be used in a rule to check the ID of an incident.
  • Description — An incident can be explained by a description in plain text. The name of the relevant property is Incident.Description.
  • Origin — Each incident is assigned to the appliance component that is its origin. Origins are specified by numbers. For example, origin number 5 specifies the Log File Handler. The name of the relevant property is Incident.Origin.
  • OriginName — The origin of an incident is further specified by the name of the appliance component that is involved in the incident. The name of the relevant property is Incident.OriginName.
    The origin name can specify a subcomponent that is a part of the component specified by the origin number. For example, origin number 2 (Core) can be further specified by the origin name as:
    • Core
    • Proxy
    • URL Filter
    • and other names of core subcomponents
  • Severity — Each incident is classified according to its severity. Severity levels range from 0 to 7, with 0 indicating the highest level.
    These levels are the same as those used for entries in a syslog file.
    The name of the relevant property is Incident.Severity.
  • Affected host — If there is an external system that is involved in an incident, for example, a server that the appliance cannot connect to, the IP address of this system is also recorded. The name of the relevant property is Incident.AffectedHost.
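The following is an added example, not code from the appliance or from Skyhigh Security, that shows how rules can evaluate the incident properties listed above. It models an incident record with the page's properties (Incident.ID, Incident.Description, Incident.Origin, Incident.OriginName, Incident.Severity, Incident.AffectedHost), a small set of rules with criteria on those properties, and two error handling actions: creating a syslog entry and producing a notification message. The sample incidents, the rule names, the syslog facility, and every incident ID other than 501 are constructed for illustration; the only product-specific fact reused is that severity 0 to 7 follows the syslog scale, so the syslog priority is computed as facility * 8 + severity.

```python
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

# Severity scale shared with syslog (RFC 5424): 0 is the most severe, 7 the least.
SEVERITY_NAMES = ("emerg", "alert", "crit", "err", "warning", "notice", "info", "debug")
# Facility for the syslog entries this example writes (assumption, local0 = 16).
FACILITY_LOCAL0 = 16


@dataclass(frozen=True)
class Incident:
    """One incident record carrying the properties described on the page."""
    id: int                         # Incident.ID
    description: str                # Incident.Description
    origin: int                     # Incident.Origin (component number)
    origin_name: str                # Incident.OriginName (component or subcomponent name)
    severity: int                   # Incident.Severity, 0..7
    affected_host: Optional[str] = None  # Incident.AffectedHost, absent if no external system

    def __post_init__(self) -> None:
        # Reject records outside the 0..7 scale instead of letting a bad
        # severity produce a nonsensical syslog priority.
        if not 0 <= self.severity <= 7:
            raise ValueError(f"severity {self.severity} outside 0..7")


@dataclass(frozen=True)
class Rule:
    """A rule: if criteria(incident) holds, action(incident) is run."""
    name: str
    criteria: Callable[[Incident], bool]
    action: Callable[[Incident], str]


def create_syslog_entry(inc: Incident) -> str:
    """Error handling action: render the incident as a syslog line."""
    pri = FACILITY_LOCAL0 * 8 + inc.severity       # RFC 5424 PRI value
    host = inc.affected_host or "-"                  # "-" marks an absent host
    return (f"<{pri}>appliance incident id={inc.id} origin={inc.origin}({inc.origin_name}) "
            f"severity={SEVERITY_NAMES[inc.severity]} host={host}: {inc.description}")


def send_notification(inc: Incident) -> str:
    """Error handling action: build the notification text (delivery is out of scope)."""
    return (f"NOTIFY [{SEVERITY_NAMES[inc.severity]}] {inc.origin_name}: "
            f"{inc.description} (incident {inc.id})")


# Rules modelled on the page: incident 501 (Log File Manager push failure) is
# logged, any incident from origin 5 is notified, and critical incidents
# (severity 0..2) from any origin are notified. Rule names are constructed.
RULES: List[Rule] = [
    Rule("Log File Manager push failure", lambda i: i.id == 501, create_syslog_entry),
    Rule("Log File Manager incidents", lambda i: i.origin == 5, send_notification),
    Rule("Critical incidents", lambda i: i.severity <= 2, send_notification),
]


def evaluate(inc: Incident, rules: List[Rule] = RULES) -> List[Tuple[str, str]]:
    """Run every matching rule in order and return (rule name, action output) pairs."""
    return [(rule.name, rule.action(inc)) for rule in rules if rule.criteria(inc)]


# Constructed sample incidents; only ID 501 and origin 5 come from the page.
SAMPLE_INCIDENTS = [
    Incident(501, "Log File Manager failed to push log files", 5, "Log File Manager", 3, "10.0.0.25"),
    Incident(9001, "Proxy listener could not be started", 2, "Proxy", 1),
    Incident(7777, "URL Filter database is up to date", 2, "URL Filter", 6),
]


def run_all(incidents: List[Incident] = SAMPLE_INCIDENTS) -> List[List[Tuple[str, str]]]:
    """Evaluate the rule set against every incident and return the results per incident."""
    return [evaluate(inc) for inc in incidents]


if __name__ == "__main__":
    for inc, results in zip(SAMPLE_INCIDENTS, run_all()):
        print(f"incident {inc.id}: {len(results)} rule(s) matched")
        for name, output in results:
            print(f"  {name}: {output}")
```

The first sample incident matches two rules, so it is both logged (priority 131, that is local0 with severity 3) and notified; the critical Proxy incident matches only the severity rule; the informational URL Filter incident matches nothing. The constructor check on severity is the kind of guard a practitioner wants, because a rule comparing Incident.Severity against a threshold silently misbehaves on out-of-range values.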