Pre-installed alert reference
There is a library of preconfigured alerts that are designed to work with queries built upon common networking data tables. You can activate these alerts to monitor conditions related to web servers, potential threats, Devo platform components, and much more.
Every Devo domain contains a set of these built-in alerts that you can activate and configure as soon as your data is being sent to Devo. These alerts are built upon the logging data generated by common network resources such as web servers, Windows, Mac, and Unix systems, and even Devo itself. A simple category-subcategory system for grouping these alerts has been established to make it easier to browse them.
Although you cannot edit or delete a pre-installed alert, you can otherwise work with the pre-installed alerts just as you would with your own alerts. You can:
Go to Administration → Alert Configuration → Available Alerts to view these and all your user-defined alerts.
The Alerts Filter lets you filter the alerts that are displayed in the list by selecting alert category and subcategory. The category for all user-defined alerts is My Alerts - all other categories are used for the predefined alerts.
If you want to know the specific conditions associated with an alert, you can check them on this screen. Hover over an alert row, click the ellipsis icon that appears at the end of the row and select More Info. The following table lists and describes the standard, predefined alerts provided by Devo.
Category | Subcategory | Alert | Description |
---|---|---|---|
Application Server | Apache Tomcat Server | Tomcat Startup | Triggers an alert when a Tomcat server has been started. |
Application Server | Apache Tomcat Server | Tomcat Shutdown | Triggers an alert when a Tomcat server has been shut down. |
Application Server | Apache Tomcat Server | Tomcat common errors | Triggers an alert when a common error is reported in a Tomcat server. For example, out of memory, max open files, database exception, servlet exception, and so on. |
Application Server | Apache Tomcat Server | Tomcat too many GCs | Triggers an alert when there have been too many garbage collections in a short period of time. |
Application Server | Apache Tomcat Server | Tomcat GC max time exceeded | Triggers an alert when a garbage collection takes too much time to run, having a possible adverse effect on service performance. |
Application Server | Apache Tomcat Server | Tomcat severe errors | Triggers an alert when too many severe errors occur in a short period of time. |
Application Server | JBoss Server | JBoss Startup | Triggers an alert when JBoss starts. |
Application Server | JBoss Server | JBoss Shutdown | Triggers an alert when JBoss is shut down. |
Application Server | JBoss Server | JBoss common errors | Triggers an alert when a common error is reported in a JBoss server. For example, out of memory, max open files, database exception, servlet exception, and so on. |
Attacks | Suspicious Activity | Malicious IP Addresses | Triggers an alert when activity from blacklisted IP addresses (Alienvault OTX and TOR Network's output nodes lists) is detected in the customer logs. |
Attacks | Suspicious Activity | Malware Domains | Triggers an alert when the customer server DNS logs report attempts to resolve domain names listed in malwaredomainlist.com and abuse.ch. |
Attacks | Suspicious Activity | Malware URLs | Triggers an alert when the proxy navigation logs report accesses to URLs that are listed in the malwaredomainlist.com blacklist. |
Attacks | Scanning | PortScan | Triggers an alert when a port scan is recorded in the firewall log. |
Attacks | BruteForcing | SSH Bruteforcing | Triggers an alert when an SSH brute force attack, successful or not, has been detected in a server log. |
Attacks | BruteForcing | DeskTop | Triggers an alert when an RDP attack, successful or not, has been detected in the Windows log. |
Attacks | Geolocation | Unusual Connection | Triggers an alert when there is a connection from an unusual geolocation. |
Devo | Collector | Logs format errors | Triggers an alert when you are sending logs with an incorrect format. |
Devo | Structural common alerts | Reminder | Triggers an alert every "x" minutes while an antiflooding policy is active. |
Devo | Structural common alerts | Recovery | Triggers an alert when an Antiflooding policy finishes. |
Devo | Structural common alerts | Antiflooding Start | Triggers an alert when an Antiflooding policy starts. |
Monitoring | NetWork | Data Sent | Monitors the system outbound traffic in bytes/second. Default policy: avg(netSent)>=8 megabytes/second in a 10 min interval. |
Monitoring | NetWork | Data Received | Monitors the inbound traffic in bytes/second. Default policy: avg(netRecv)>=8 megabytes/second in a 10 min interval. |
Monitoring | Relay | Events Per Second | Monitors the traffic volume handled by an In-house Relay in Events Per Second (EPS). Default policy: avg(eps)>=5000 in a 10 min interval. |
Monitoring | Relay | Events Per Minute | Monitors the traffic volume managed by an In-house Relay in Events Per Minute (EPM). Default policy: avg(epm)>=300.000 in a 10 min interval. |
Monitoring | Machine Load | Load Alert | Monitors the machine load. Default policy: avg(load)>=4 in a 5 min interval. |
Monitoring | Generic Monitoring | Staying Alive | Monitors if the service is active. |
Monitoring | Generic Monitoring | Site Availability | Monitors the site availability. |
Monitoring | CPU Monitoring | CPU Alert A | Monitors the system's CPU load. Default policy: avg(CPU)>75% in a 1 h interval. |
Monitoring | CPU Monitoring | CPU Alert B | Monitors the system's CPU load. Default policy: avg(CPU)>90% in a 15 min interval. |
Monitoring | Memory Monitoring | Available Memory A | Monitors the amount of memory available in the system. Default policy: memFree<=2% in a 10 min interval. |
Monitoring | Memory Monitoring | Available Memory B | Monitors the amount of memory available in the system. Default policy: memFree<=10% in a 1h interval. |
Monitoring | Disk Monitoring | Disk Alert A | Monitors the amount of free disk space available in the system. Default policy: diskFree<=10% in a 1h interval. |
Monitoring | Disk Monitoring | Disk Alert B | Monitors the amount of free disk space available in the system. Default policy: diskFree<=2% in a 30 min interval. |
System | Unix/Linux | Unix Critical Error | Triggers an alert when a serious error occurs on a Linux system, such as segmentation faults, potential kernel panics, I/O errors, reboots, rsyslogstart/stop, or others. |
System | Unix/Linux | Unix Kernel Oops | Triggers an alert when a Kernel Oops message has been written to the log. |
System | Unix/Linux | APT Packages | Triggers an alert when a package is added to or deleted from the system. |
System | Windows | Windows Critical Error | Triggers an informative alert about general errors that have occurred on a Windows system. |
System | MacOs | MacOs Critical Error | Triggers an informative alert about general errors that have occurred on a MacOs system. |
System | BSD | BSD Critical Error | Triggers an informative alert about general errors that have occurred on a BSD system. |
System | VmWare | VmWareCritical Error | Triggers an informative alert about general errors that have occurred in the VMware virtualization product logs. |
Tracking | User | Tracking User | Triggers an informative alert about the connections and activities of a specific user within the customer's system. |
Web Server | IIS | IIS Critical Error | Triggers an alert when a critical error has been reported in the IIS Server. |
Web Server | Generic | SSL Warning | Triggers an alert when an SSL Warning has been reported in the Web Servers. |
Web Server | HTTP Attack | Malicious HTTP Methods | Triggers an alert when an uncommon HTTP method such as PUT or webDAV extensions has been used. Depending on the service, these may not be malicious. |
Web Server | HTTP Attack | Proxy Abuse | Triggers an alert when there has been an attempt to use the web server as a proxy with the goal of accessing external or internal resources. Depending on the service, these may not be malicious. |
Web Server | HTTP Attack | SuspiciousUser Agent | Triggers an alert when the web server reports activity from unusual browsers or tools used to automate tasks. |
Web Server | Apache | Apache Critical Error | Triggers an alert when an Apache critical error such as segfault or PHP fatal error has been reported. |
Web Server | Apache | Apache common errors | Triggers an alert when an Apache generic error has been reported. |
Web Server | Apache | Apache Invoke dir as script | Triggers an alert when the Apache error "Attempt to invoke directory as script" has been reported. |
Web Server | Apache | Apache client denied by server conf | Triggers an alert when there has been an attempt to access a resource that is forbidden or not stored under DocumentRoot. |
Web Server | Apache | Apache FQDN server name not resolved | Triggers an alert when the server name is not associated with a fully qualified domain name (FQDN). |
Web Server | Apache | Apache bind to address fail | Triggers an alert when an Apache server can't bind the specified listening port. This is often because the port is already in use by another service, or because SELinux/AppArmor policies prevent the bind. |
Web Server | Apache | Apache favicon not found | Triggers an alert when the web server does not have a favicon. |
Web Server | Apache | Apache too many 404 errors | Triggers an alert when there are too many 404 Not Found errors in a short period of time. This can be caused by resource scans or broken links in the web application. |
Web Server | Apache | Apache mixing ports error | Triggers an alert when there has been an Apache configuration error in virtual hosting environments. |
Web Server | Apache | Apache PHP fatal error | Triggers an alert when there are too many PHP errors. |
Web Server | Apache | Apache too many byte range requests | Triggers an alert when there have been too many 206 Partial Content requests in a short period of time. This can be caused by massive downloads or a possible Apache Range Header DoS attack. |
Web Server | Apache | Apache Shutdown | Triggers an alert when the Apache server has been shut down. |
Web Server | Apache | Apache Startup | Triggers an alert when the Apache server has been started. |
Web Server | Apache | Apache SSL Heartbleed | Triggers an alert when the Heartbleed bug has been detected. |
Web Server | Apache | Apache Multiple SSL heartbeat requests | Triggers an alert when there has been more than one SSL heartbeat request made to the Apache Server. |
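The Monitoring alerts above are all of the form "average of a metric over a trailing interval meets a threshold". The following Python replays those default policies locally over constructed metric samples; it is an added example, not Devo's own alert engine, and the byte value of "8 megabytes/second" (taken here as 8 * 1024**2 bytes/s) and the per-minute sample layout are assumptions.

```python
"""Replay the Devo Monitoring default policies over constructed metric samples.
Added example, not Devo's implementation: Devo evaluates these server-side."""
from dataclasses import dataclass
from statistics import mean


@dataclass(frozen=True)
class Policy:
    alert: str
    metric: str
    op: str           # ">=", ">" or "<=" as written in the table
    threshold: float
    window_min: int   # evaluation interval in minutes


MB = 1024 ** 2  # assumption: "megabytes" taken as 1024**2 bytes

# Default policies as stated in the table (thresholds and intervals unchanged).
POLICIES = [
    Policy("Data Sent", "netSent", ">=", 8 * MB, 10),
    Policy("Data Received", "netRecv", ">=", 8 * MB, 10),
    Policy("Events Per Second", "eps", ">=", 5000, 10),
    Policy("Events Per Minute", "epm", ">=", 300_000, 10),
    Policy("Load Alert", "load", ">=", 4, 5),
    Policy("CPU Alert A", "CPU", ">", 75, 60),
    Policy("CPU Alert B", "CPU", ">", 90, 15),
    Policy("Available Memory A", "memFree", "<=", 2, 10),
    Policy("Available Memory B", "memFree", "<=", 10, 60),
    Policy("Disk Alert A", "diskFree", "<=", 10, 60),
    Policy("Disk Alert B", "diskFree", "<=", 2, 30),
]

OPS = {">=": lambda a, b: a >= b, ">": lambda a, b: a > b, "<=": lambda a, b: a <= b}


def evaluate(policy, samples, now_min):
    """samples: list of (minute, value) for policy.metric.
    True when the average over the trailing window_min minutes meets the condition.
    An empty window never fires: missing data is not a breached threshold."""
    window = [v for t, v in samples if now_min - policy.window_min < t <= now_min]
    if not window:
        return False
    return OPS[policy.op](mean(window), policy.threshold)


def fired_alerts(metrics, now_min):
    """metrics: {metric_name: [(minute, value), ...]}.
    Returns the alerts whose default policy is met at now_min, in table order."""
    return [p.alert for p in POLICIES if evaluate(p, metrics.get(p.metric, []), now_min)]


# Constructed samples, one per minute for minutes 1..60: CPU at 80% all hour and
# 95% for the last 15 minutes, free memory at 1% for the last 10 minutes, disk and
# load healthy. CPU Alert A and B and Available Memory A should fire at minute 60;
# Available Memory B should not, because the hourly average of memFree is 33.5%.
SAMPLE_METRICS = {
    "CPU": [(m, 95 if m > 45 else 80) for m in range(1, 61)],
    "memFree": [(m, 1 if m > 50 else 40) for m in range(1, 61)],
    "diskFree": [(m, 55) for m in range(1, 61)],
    "load": [(m, 1.5) for m in range(1, 61)],
}

if __name__ == "__main__":
    print(fired_alerts(SAMPLE_METRICS, now_min=60))
```

Evaluating at minute 45 instead fires only CPU Alert A, which shows why the table pairs a long-window low threshold with a short-window high threshold for the same metric.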