Alert on an HTTP Error code


#1

Getting to grips with EH for “POC”

One thing I would like to try and achieve is to create an admin alert when an “HTTP 50x” error code is detected in a packet.

Can’t quite figure it out.

Any help much appreciated.

Cheers

Rob


#2

You can find a guide here, but here are the rough steps for what you’re trying to do.

To do this you’ll start by creating a new alert. To do this go to the settings icon (gear) in the top right corner and click alerts.

In the resulting window click “new” next to the green plus in the top right corner to create an alert.

Give the alert a name and then click on the small gear icon next to the metric selection area.

You’ll then want to expand the device section, since this will be looking at devices on the ExtraHop. Scroll down to HTTP and expand that, then expand server, since you will be looking at devices acting as HTTP servers rather than clients.

In that list you’re looking for rsp_error which will be any response with a 5xx error code. Select that and click ok.

This is probably the part that you got stuck at, as it isn’t always obvious what the metric you want to alert on is. I’ll put a quick guide at the bottom of this response for how to find it.

Then in the bottom section configure your alert settings (for example, you could use this configuration to alert when you see more than one error per second for two continuous minutes).

You’ll then want to configure notifications and a description in the appropriate tabs.

Once that is done click ok to save the alert. Then head over to the device or device group you want to assign the alert to (the devices for which you want to be notified of more than the set threshold of HTTP 5XX response codes).

You can follow this guide to assign the alert to the device: https://docs.extrahop.com/current/alerts-assign-source/

At that point you should be all set.

Here is the guide on how to find the metric info you need.

One way to find what you want is to search through the metric catalogue. This is something you may want to do before you start building the alert.

Click on the settings icon (gear in the top right corner) and select metric catalog. Search for the metric you want (HTTP errors) and select the metric you’re interested in.

On the right-hand side scroll to the bottom of the window and look at the REST API parameters, which will look like this:

{
    "metric_category": "http_server",
    "object_type": "device",
    "metric_specs": [
        {
            "name": "rsp_error"
        }
    ]
}

This will give you a good guide for how to find the metric in the alert config guide. You can see this is a device metric (careful here as there are similar metrics for application containers) and that you’ll find it in http server, and that the name is rsp_error.
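
The example threshold from the steps above (more than one error per second for two continuous minutes), worked through offline as an added example; it is not part of the original post and is not ExtraHop code. It assumes rsp_error is available as a count per 30-second bucket; the function name, bucket size and sample values are constructed for illustration.

```python
from typing import Iterable, Optional, Tuple

# (bucket start in epoch seconds, rsp_error count seen in that bucket)
Sample = Tuple[int, int]


def first_sustained_breach(samples: Iterable[Sample],
                           interval_s: int = 30,
                           rate_per_s: float = 1.0,
                           sustain_s: int = 120) -> Optional[int]:
    """Return the time at which the condition is first met, or None.

    The condition is met once every bucket across `sustain_s` continuous
    seconds has an error rate strictly above `rate_per_s`. A missing
    bucket or a bucket at or below the threshold resets the run.
    """
    needed = -(-sustain_s // interval_s)  # ceiling division: buckets required
    run = 0
    prev_ts = None
    for ts, count in sorted(samples):
        contiguous = prev_ts is not None and ts - prev_ts == interval_s
        breaching = count / interval_s > rate_per_s
        if breaching:
            # Extend the run only if the previous bucket was adjacent.
            run = run + 1 if (contiguous and run) else 1
        else:
            run = 0
        prev_ts = ts
        if run >= needed:
            return ts + interval_s  # end of the bucket that completes the run
    return None


# Constructed sample data: 5xx counts per 30-second bucket for one server.
T0 = 1_700_000_000
SAMPLES = [
    (T0, 45),        # 1.5/s, breach, but isolated
    (T0 + 30, 10),   # below threshold, run resets
    (T0 + 60, 31),   # just above 1/s
    (T0 + 90, 30),   # exactly 1/s is not "more than", run resets
    (T0 + 120, 40),  # start of the sustained run
    (T0 + 150, 50),
    (T0 + 180, 35),
    (T0 + 210, 60),  # fourth consecutive breaching bucket = 2 minutes
]

if __name__ == "__main__":
    print(first_sustained_breach(SAMPLES))
```

Short bursts and a bucket sitting exactly on the threshold do not satisfy the condition; only the four adjacent breaching buckets at the end do.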


#3

I had already taken a punt on RSP_ERROR, but it was trying to determine when the alert was triggered; the “ratio” confused me a bit.

Have set it up as described and will see if it works.