False positives

Posted: Tue Sep 10, 2013 6:03 pm
by paullanders
Dave, what is the best way to handle false positives? For example, sometimes my FreeNATS server itself will lose its network connection. When it is restored, it fires off a volley of useless alerts stored up during the network outage. It did help somewhat to set the FreeNATS server itself as a master node for all other clients. I no longer get false "failure" alerts, but I still get "resolved" alerts.

Paul

Re: False positives

Posted: Tue Sep 10, 2013 8:13 pm
by dave
Hi Paul,

Well if you don't get failure reports then I think you shouldn't be getting resolved reports either. The logic for the master node testing is such that, if it fails, then the other nodes under it aren't tested and therefore shouldn't open an alert to be closed.

It might be worth just looking at your master node configuration. If the master node has passed its last test and isn't tested again then the nodes will be tested, so the master node should always be set (and the relevant test) to the lowest time e.g. 0 so it's tested every single run (otherwise it can pass during the previous run and then be failed but not tested in a second run).

Also use of the server itself won't necessarily detect a connectivity problem, if I've got a statically configured interface that may well continue to respond locally to ICMP traffic even if the network link itself has problems. I tend to use something like the next accessible switch on the network as the master.

Let me have a dig around the actual code logic though when I get a chance to see if the above about master node is correct and set up some test cases.

Regards,

Dave.
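
The master-node gating described in the reply above, modelled as an added example that is not part of the original posts and is not FreeNATS code. It assumes one child node, one test run per time step, and that every test fails while the monitoring server's link is down; all names (`simulate`, `web01`, `OUTAGE`) are hypothetical.

```python
# Model of the master-node gating described in the reply above.
# Hypothetical names throughout; this is not FreeNATS code.

def simulate(master_interval, outage, runs=12, child="web01"):
    """Return alert events as [(run, child, 'failure' | 'resolved')].

    master_interval: runs between master tests (0 = test on every run)
    outage: set of run numbers during which the monitoring link is down
    """
    events = []
    master_ok = True            # result of the most recent master test
    master_last_tested = None
    alert_open = False

    for run in range(runs):
        link_up = run not in outage

        # The master is only re-tested once its interval has elapsed.
        due = (master_last_tested is None
               or run - master_last_tested >= max(master_interval, 1))
        if due:
            master_ok = link_up
            master_last_tested = run

        # Children are skipped while the master's last known result is a failure.
        if not master_ok:
            continue

        child_ok = link_up      # assumption: the child only "fails" because of the outage
        if not child_ok and not alert_open:
            alert_open = True
            events.append((run, child, "failure"))
        elif child_ok and alert_open:
            alert_open = False
            events.append((run, child, "resolved"))
    return events


OUTAGE = {3, 4, 5}  # constructed sample: link down during runs 3 to 5

if __name__ == "__main__":
    print("master interval 5:", simulate(5, OUTAGE))
    print("master interval 0:", simulate(0, OUTAGE))
```

With the longer interval the master's pass from run 0 is still trusted when the link drops at run 3, so the child is tested and opens an alert that is not closed until the master is next re-tested; with interval 0 the master fails first and no child alert is opened.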