Collecting and aggregrating logs is only one piece of a log management strategy. The second piece is being able to quickly identify when an event occurs that requires action.
We help achieve this level of awareness via our notification engine.
Trunc provides a powerful notification engine that allows an administrator to configure pre-defined notifications based on industry standard events, or based on custom events created by an organization. This help document shows you how to access and how to configure notifications.
Configure Trunc Notifications
Trunc alows you to configure Slack and Email notifications.
Access the notifications via the Alerts page.
By default, the system will use the email for your account as the default notification option.
Enable any of the predefined alert notifications and the system will start working automatically. By default the settings are all disabled (set to Quiet, toggle to Alerting to enable).
Predefined Notifications
By default we offer 10 predefined alerts you can enable. They are grouped into logical groupings – System Availability Alerts, Security Activity Alerts, Web Activity Alerts, and Other Alerts.
System Availability Alert
| Name | Description |
|---|---|
| Disk Space Full | Alerts on logs regarding the disk being full |
| Low Memory | Alerts on logs related to low memory. |
| System Crash | Alerts on logs that may indicate a system crash. |
Security Activity Alert
| Name | Description |
|---|---|
| Failed ‘sudo’ attempt | Alerts whenever Linux ‘sudo’ authentication fails |
| Failed ‘su’ attempt | Alerts whenever Linux ‘su’ authentication fails |
| Brute Force attempt | Alerts whenrver a brute force attack is detected |
| Brute Force attempt success | Alerts on brute force attacks followed by a success |
| New user added | Alerts when new users are added |
| New application installed | Alerts when a new application is installed |
Web Actvity Alerts
| Name | Description |
|---|---|
| Web server errors | Alerts if multiple web servers errors are detected |
| HTTP 404 Errors | Alerts if multiple 404 errors from the same IP address are detected. Likely a web recon scan. |
| HTTP 500 Errors | Alerts if multiple 500 errors from the same IP address are detected. Might indicate an attack or web scan. |
Other Alerts
| Name | Description |
|---|---|
| Service availability | Alerts on logs that indicate an availability issue |
| System limit reached | Alerts whenever a system limit is reached. |
| New package added or removed | Alerts whenever we detect a new package being installed or removed |
Custom Configurations
In addition to the predefined alerts, you have the option to create your own alerts using the alert generation card.
This card is found at the bottom of the Alerts page:
All custom alerts get added to notification addresses in your account. If you have five accounts, all five will get the new alert rule.