False positives


False positives

Post by paullanders » Tue Sep 10, 2013 6:03 pm

Dave, what is the best way to handle false positives? For example, sometimes my FreeNATS server itself will lose its network connection. When it is restored, it fires off a volley of useless alerts stored up during the network outage. It did help somewhat to set the FreeNATS server itself as a master node for all other clients. I no longer get false "failure" alerts, but I still get "resolved" alerts.


Site Admin

Re: False positives

Post by dave » Tue Sep 10, 2013 8:13 pm

Hi Paul,

Well, if you don't get failure reports then I think you shouldn't be getting resolved reports either. The logic for the master node testing is such that, if it fails, then the other nodes under it aren't tested and therefore shouldn't open an alert to be closed.

It might be worth just looking at your master node configuration. If the master node has passed its last test and isn't tested again then the nodes will be tested, so the master node should always be set (and the relevant test) to the lowest time e.g. 0 so it's tested every single run (otherwise it can pass during the previous run and then be failed but not tested in a second run).

Also, use of the server itself won't necessarily detect a connectivity problem: if I've got a statically configured interface, that may well continue to respond locally to ICMP traffic even if the network link itself has problems. I tend to use something like the next accessible switch on the network as the master.

Let me have a dig around the actual code logic though, when I get a chance, to see if the above about master node is correct and set up some test cases.
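A toy model of the master-node gating described in the reply above, added here as an illustration; it is not part of the original post and is not FreeNATS code. The run loop, the interval semantics (0 = tested every run), the `simulate` function and the sample outage are all assumptions made for the example.

```python
def simulate(master_interval, link_up_by_run, master_sees_outage=True):
    """Return the alert events raised for one child node over a series of runs.

    master_interval: runs skipped between master tests (0 = tested every run).
    link_up_by_run: constructed list of booleans, True when the network is up.
    master_sees_outage: False models a master whose test still passes locally
    (for example the monitoring server pinging its own interface).
    """
    master_last_result = True   # assumed: the master passed before run 0
    master_last_tested = None
    child_alert_open = False
    events = []
    for run, link_up in enumerate(link_up_by_run):
        # The master is only re-tested once its interval has elapsed.
        due = master_last_tested is None or run - master_last_tested > master_interval
        if due:
            master_last_result = link_up if master_sees_outage else True
            master_last_tested = run
        # Children are skipped while the master's last recorded result is a failure.
        if not master_last_result:
            continue
        child_ok = link_up      # the child is unreachable whenever the link is down
        if not child_ok and not child_alert_open:
            child_alert_open = True
            events.append((run, "failure"))
        elif child_ok and child_alert_open:
            child_alert_open = False
            events.append((run, "resolved"))
    return events


# Constructed outage: link up, down for two runs, then restored.
OUTAGE = [True, False, False, True, True]

if __name__ == "__main__":
    print("master every run:        ", simulate(0, OUTAGE))
    print("master every third run:  ", simulate(2, OUTAGE))
    print("master blind to the link:", simulate(0, OUTAGE, master_sees_outage=False))
```

In this model only a master that is tested on every run and that actually fails when the link drops suppresses both the "failure" and the "resolved" alert for the child.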


