[IntelMQ-dev] Alerting on repeated connection failures in a bot

Mika Silander mika.silander at csc.fi
Wed Mar 23 13:27:55 CET 2022


Hi all,

Calling out to the list again before trying to reinvent a wheel. We have a collector that tries to connect to the source of security events, but the source service is (temporarily) inaccessible. IntelMQ restarts the bot, an error message and the connection failure exception get output to the log, and after a while, the bot gets restarted. For us it is acceptable that there are a few failures in a configurable time frame, but if the situation prevails, we'd like to be alerted and, if possible, prevent the bot from restarting.

There are bot configuration parameters to stop a bot in case the processing of events fails repeatedly (error_procedure=stop, error_max_retries=suitable_number as in https://intelmq.readthedocs.io/en/maintenance/user/configuration-management.html#id14), but after some experimenting it appears they are not applicable here since we never reach the stage of processing events.

Any ideas how to address this issue? We'd prefer not to touch the bot's source code.

Br, Mika

P.S: Setup is intelmq v3.0.2. 
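
An added example, not part of the original message and not IntelMQ code: an external watcher that counts connection failures per bot in a sliding time window over the bot's log, so the bot's source stays untouched. It assumes log lines of the form "timestamp - bot id - level - message" in chronological order; the failure patterns, bot names and sample lines are constructed for illustration.

```python
import re
from collections import deque
from datetime import datetime, timedelta

# Assumed layout: "<timestamp>,<ms> - <bot-id> - <LEVEL> - <message>"
LINE_RE = re.compile(r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d),\d{3} - "
                     r"(?P<bot>\S+) - (?P<level>[A-Z]+) - (?P<msg>.*)$")
# Hypothetical failure markers; adapt to what the collector really logs.
FAILURE_RE = re.compile(r"connection refused|timed out|ConnectionError", re.I)

def find_alerts(lines, max_failures=3, window=timedelta(minutes=10)):
    """Return (bot_id, time, count) whenever a bot logs more than
    max_failures connection failures within the sliding window."""
    recent, alerts = {}, []      # recent: bot id -> failure timestamps
    for line in lines:
        m = LINE_RE.match(line)  # traceback continuation lines do not match
        if not m or m["level"] not in ("ERROR", "CRITICAL"):
            continue
        if not FAILURE_RE.search(m["msg"]):
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        q = recent.setdefault(m["bot"], deque())
        q.append(ts)
        while ts - q[0] > window:    # forget failures older than the window
            q.popleft()
        if len(q) > max_failures:
            alerts.append((m["bot"], ts, len(q)))
            q.clear()                # count afresh after raising an alert
    return alerts

# Constructed sample lines, not real IntelMQ output.
SAMPLE_LOG = """\
2022-03-23 12:00:01,120 - example-collector - ERROR - Connection refused by source
    ConnectionError: constructed traceback continuation line
2022-03-23 12:02:01,300 - example-collector - ERROR - Connection refused by source
2022-03-23 12:03:00,000 - example-collector - INFO - Bot initialized.
2022-03-23 12:04:01,410 - example-collector - ERROR - Connection refused by source
2022-03-23 12:06:01,990 - example-collector - ERROR - Read timed out
2022-03-23 12:30:00,000 - other-collector - ERROR - Connection refused by source
2022-03-23 12:50:00,000 - other-collector - ERROR - Connection refused by source
"""

if __name__ == "__main__":
    for bot, when, count in find_alerts(SAMPLE_LOG.splitlines()):
        print(f"ALERT {bot}: {count} connection failures by {when}")
```

What happens on an alert is left to the caller, for example sending a notification or running `intelmqctl stop <bot-id>` to keep the bot from being restarted.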

