Event Monitors
Descriptions of the event monitors you can set in the Conductor to monitor your Airwall secure network
Airwall online / offline
Detects when an Airwall Edge Service connects to or disconnects from the Conductor. An Airwall can only receive configuration or policy changes while it is connected to the Conductor. This monitor is a proxy indicator for Airwall health, but it does not explicitly indicate that the Airwall is able to connect with its peers. For more details about Airwall-to-Airwall connectivity, see the HIP tunnel event monitor.
- Monitorable objects:
- Airwall Edge Services (Airwall Gateways, Relays, Servers, and Agents), Airwall Groups
- Event types:
- Airwall online, Airwall offline, monitor triggered
- Templated values:
- monitored_object_id, monitored_object, monitored_object.*, initial_time, status
Airwall reboot
Detects when and why an Airwall Edge Service rebooted.
- Monitorable objects:
- Airwall Edge Services (Airwall Gateways, Relays, Servers, and Agents), Airwall Groups
- Event types:
- monitor triggered
- Templated values:
- monitored_object_id, monitored_object, monitored_object.*, initial_time, reason
Device discovered
Detects when a new device is discovered on an Airwall Gateway.
- Monitorable objects:
- Airwall Edge Services (Airwall Gateways, Relays, Servers, and Agents), Airwall Groups
- Event types:
- monitor triggered
- Templated values:
- monitored_object_id, monitored_object, monitored_object.*, initial_time, device_id, ip, mac
Health data
Monitors health data indicators (fields) such as free memory or CPU temperature. The monitor triggers an event if a value exceeds an expected threshold or falls within a range. For example, you can choose to monitor when the number of active tunnels is >= 100. Not all indicators are supported by every Airwall Edge Service. To see if an indicator is supported for a given Airwall Edge Service, go to the page for the Airwall Edge Service, and check .
- Health data indicators:
- Memory free, CPU load, CPU temperature, active tunnels, relay sessions, resident memory for HIP, resident memory for the Conductor connection, average CPU frequency.
- Monitorable objects:
- Airwall Edge Services (Airwall Gateways, Relays, Servers, and Agents), Airwall Groups
- Event types:
- monitor triggered, monitor resumed
- Templated values:
- monitored_object_id, monitored_object, monitored_object.*, initial_time, value
HIP tunnel
Detects when a HIP tunnel between two Airwall Edge Services goes up or down. This monitor can be filtered by Airwall peer or the reason the tunnel went up or down.
- Tunnel up / down reasons:
- Peer opened tunnel, data transmitted, auto-connect, admin request, probe, peer closed tunnel, idle timeout, identity updated, shutdown, incomplete tunnel creation, relay revoked, HIP update packet timed out.
- Monitorable objects:
- Airwall Edge Services (Airwall Gateways, Relays, Servers, and Agents)
- Event types:
- tunnel up, tunnel down, monitor triggered
- Templated values:
- monitored_object_id, monitored_object, monitored_object.*, initial_time, status, remote_peer_id
HTTP GET
Makes HTTP GET requests to check the status of an HTTP server. The monitor can check the response code or match a regex against the body of the response. Useful to ensure that the HTTP healthcheck is up.
- Monitorable objects:
- Airwall Edge Services (Airwall Gateways, Relays, Servers, and Agents)
- Event types:
- regex match failed, response code failed, monitor triggered, monitor resumed
- Templated values:
- monitored_object_id, monitored_object, monitored_object.*, initial_time, status, response_code, error
Intrusion prevention
Runs an intrusion prevention monitor on the Airwall Edge Service to monitor a selected port group and detect suspicious activity on the network. The monitor triggers events when traffic matches the selected rule set. If the monitor detects multiple instances of suspicious activity in one reporting interval, they are batched together and sent as a single event to the Conductor. You can adjust the reporting frequency on the monitored Airwall Edge Service to increase or decrease the rate at which monitored events are reported to the Conductor.
- Monitorable objects:
- Airwall Edge Services (Airwall Gateways, Relays, Servers, and Agents)
- Event types:
- info level event, warning level event, error level event, monitor triggered
- Templated values:
- monitored_object_id, monitored_object, monitored_object.*, initial_time
Link failover
Detects when an Airwall Edge Service has a link failover event.
- Monitorable objects:
- Airwall Edge Services (Airwall Gateways, Relays, Servers, and Agents), Airwall Groups
- Event types:
- monitor triggered
- Templated values:
- monitored_object_id, monitored_object, monitored_object.*, initial_time, old_link, new_link
Ping devices
Sends a ping from Airwall Gateways to local devices. Detects when the ping fails or exceeds an indicated timeout.
- Monitorable objects:
- devices, device groups
- Event types:
- timed out, round-trip time exceeded, no route to IP, monitor triggered, monitor resumed
- Templated values:
- monitored_object_id, monitored_object, monitored_object.*, initial_time, status, rtt
Ping IP
Sends a ping from an Airwall Gateway to the indicated IP address. Detects when the ping fails or exceeds an indicated timeout.
- Monitorable objects:
- Airwall Edge Services (Airwall Gateways, Relays, Servers, and Agents)
- Event types:
- timed out, round-trip time exceeded, no route to IP, monitor triggered, monitor resumed
- Templated values:
- monitored_object_id, monitored_object, monitored_object.*, initial_time, status, rtt
Traffic stats
Detects overlay or underlay traffic on an Airwall Edge Service – sent, received, or both. The monitor triggers based on thresholds set in the monitor.
- Monitorable objects:
- Airwall Edge Services (Airwall Gateways, Relays, Servers, and Agents), Airwall Groups
- Event types:
- monitor triggered, monitor resumed
- Templated values:
- monitored_object_id, monitored_object, monitored_object.*, initial_time, value