24.5 Managing Alerts

You can define rules to store only specific alerts in the database so that the database does not get overloaded. You can also define retention policies to automatically close and delete alerts after a specific duration.

This section provides information about the following:

  • Section 24.5.1, Filtering Alerts

  • Section 24.5.2, Configuring Alert Retention Policies

24.5.1 Filtering Alerts

You can configure alert routing rules to filter the alerts and choose to either store the alerts in the Sentinel database or drop the filtered alerts. For example, if you want to exclude the alerts involving the initiator user Albert, you can configure the rule criteria to drop all the alerts with the initiator user name Albert.

Sentinel evaluates the alert routing rules on a first-match basis, in top-down order, and applies the first rule whose criteria the alert matches. If no routing rule matches an alert, Sentinel applies the default rule to it. The default routing rule stores all the alerts generated in Sentinel.

Creating an Alert Routing Rule

To create an alert routing rule to filter the alerts:

  1. From Sentinel Main, click Routing > Alert Routing Rules > Create.

  2. Specify the following information:

    • Name: Specify a name for the alert routing rule.

    • Criteria: Specify the criteria to filter alerts.

    • Action: Select either of the following options:

      • Store: Stores the filtered alerts in the alert store.

      • Drop: Drops or ignores the alerts that match the specified criteria.

        WARNING: If you select Drop, the filtered alerts are lost permanently.

    • Enable: Allows you to enable the alert routing rule. By default, this option is deselected.

  3. Click Save to save the alert routing rule.

Ordering Alert Routing Rules

When there is more than one alert routing rule, you can reorder the rules by dragging them to a new position or by using the Reorder option. Rules are evaluated against each alert in the listed order until one matches, so order them accordingly: place the more narrowly defined rules and the more important rules at the beginning of the list.

Sentinel processes only the first routing rule whose criteria the alert matches. For example, if an alert passes the criteria for two routing rules, only the first rule is applied. The default routing rule always appears at the end of the list.

To reorder the alert routing rules:

  1. From Sentinel Main, click Routing > Alert Routing Rules.

  2. Perform either of the following:

    • Drag the alert routing rule to the desired position in the ordered list.

    • Click Reorder, specify the desired position in the ordered list, and click Save.

24.5.2 Configuring Alert Retention Policies

Alert retention policies control when alerts are closed and when they are deleted from Sentinel. You configure the policy by setting the two durations after which Sentinel automatically closes and then deletes the alerts.

To configure the alert retention policy:

  1. From Sentinel Main, click Storage > Alerts Retention.

  2. Specify the following information:

    • Specify the number of days from the date of creation of alerts, after which the alert status is set to closed.

    • Specify the number of days from the date of closure of alerts, after which the alerts are deleted from Sentinel.

  3. Click Save to save the alert retention policy.

Sentinel checks for closure and deletion of alerts once every day, at midnight.
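The following Python model, added here as an illustration and not part of Sentinel or its documentation, shows the two behaviours this section describes: first-match, top-down routing with disabled rules skipped and the default rule storing whatever remains, and the two-step retention decision (close N days after creation, delete M days after closure) that the daily check applies. The alert fields, rule names and sample rules are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Callable, Optional

@dataclass
class Alert:
    """Constructed stand-in for a Sentinel alert with just the fields
    the example criteria inspect (field names are assumptions)."""
    initiator_user: str
    severity: int
    created: datetime
    closed: Optional[datetime] = None

@dataclass
class RoutingRule:
    name: str
    criteria: Callable[[Alert], bool]
    action: str            # "store" or "drop"
    enabled: bool = False  # new rules are disabled by default, as in the UI

# The default rule sits at the end of the list and stores everything
# that no user-defined rule matched.
DEFAULT_RULE = RoutingRule("default", lambda a: True, "store", enabled=True)

def route(alert: Alert, rules: list) -> tuple:
    """First-match, top-down evaluation: the first enabled rule whose
    criteria match decides the action; later matching rules are ignored."""
    for rule in list(rules) + [DEFAULT_RULE]:
        if rule.enabled and rule.criteria(alert):
            return rule.name, rule.action
    raise RuntimeError("unreachable: the default rule matches every alert")

def retention_action(alert: Alert, now: datetime,
                     close_after_days: int, delete_after_days: int) -> str:
    """Decision the daily retention check would take for one alert:
    'close' N days after creation, 'delete' M days after closure, else 'keep'."""
    if alert.closed is None:
        if now - alert.created >= timedelta(days=close_after_days):
            return "close"
        return "keep"
    if now - alert.closed >= timedelta(days=delete_after_days):
        return "delete"
    return "keep"

# Constructed sample rule list: the third rule is left disabled and must be skipped.
RULES = [
    RoutingRule("drop-albert", lambda a: a.initiator_user == "Albert", "drop", enabled=True),
    RoutingRule("store-high", lambda a: a.severity >= 4, "store", enabled=True),
    RoutingRule("drop-low", lambda a: a.severity < 4, "drop"),
]
```

An alert from Albert with severity 5 matches both of the enabled rules, but only the first one (drop) is applied; a low-severity alert from anyone else falls through the disabled rule to the default rule and is stored.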