From 280dc08fd612fe8ec14143d577f83fb81a9bb4c5 Mon Sep 17 00:00:00 2001
From: "Costa Tsaousis (ktsaou)"
Date: Fri, 6 Jan 2017 21:59:28 +0200
Subject: [PATCH] add alarm for TCP/AttemptsFail spikes
---
 conf.d/health.d/tcp_resets.conf | 26 +++++++++++++++++++++++---
 configs.signatures | 1 +
 2 files changed, 24 insertions(+), 3 deletions(-)
diff --git a/conf.d/health.d/tcp_resets.conf b/conf.d/health.d/tcp_resets.conf
index a7cb325f..4655e68c 100644
--- a/conf.d/health.d/tcp_resets.conf
+++ b/conf.d/health.d/tcp_resets.conf
@@ -12,21 +12,41 @@ to: sysadmin # ----------------------------------------------------------------------------- +# tcp resets this host sends - alarm: 1m_ipv4_tcp_resets + alarm: 1m_ipv4_tcp_resets_sent on: ipv4.tcphandshake lookup: average -1m at -10s unaligned absolute of OutRsts units: tcp resets/s every: 10s info: average TCP RESETS this host is sending, over the last minute - alarm: 10s_ipv4_tcp_resets + alarm: 10s_ipv4_tcp_resets_sent on: ipv4.tcphandshake lookup: average -10s unaligned absolute of OutRsts units: tcp resets/s every: 10s - warn: $this > ((($1m_ipv4_tcp_resets < 5)?(5):($1m_ipv4_tcp_resets)) * (($status >= $WARNING) ? (1) : (4))) + warn: $this > ((($1m_ipv4_tcp_resets_sent < 5)?(5):($1m_ipv4_tcp_resets_sent)) * (($status >= $WARNING) ? (1) : (4))) delay: up 0 down 60m multiplier 1.2 max 2h info: average TCP RESETS this host is sending, over the last 10 seconds (this can be an indication that a port scan is made, or that a service running on this host has crashed) to: silent +# ----------------------------------------------------------------------------- +# tcp resets this host receives + + alarm: 1m_ipv4_tcp_resets_received + on: ipv4.tcphandshake + lookup: average -1m at -10s unaligned absolute of AttemptFails + units: tcp resets/s + every: 10s + info: average TCP RESETS this host is sending, over the last minute + + alarm: 10s_ipv4_tcp_resets_received + on: ipv4.tcphandshake + lookup: average -10s unaligned absolute of AttemptFails + units: tcp resets/s + every: 10s + warn: $this > ((($1m_ipv4_tcp_resets_received < 5)?(5):($1m_ipv4_tcp_resets_received)) * (($status >= $WARNING) ? (1) : (4))) + delay: up 0 down 60m multiplier 1.2 max 2h + info: average TCP RESETS this host is sending, over the last 10 seconds (this can be an indication that a port scan is made, or that a service running on this host has crashed) + to: silent
diff --git a/configs.signatures b/configs.signatures
index aa922b0a..ed8ee6c8 100644
--- a/configs.signatures
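Review bot: The `info:` lines of the two new `*_received` alarms in the `tcp_resets.conf` hunk are copied verbatim from the `*_sent` pair, so both still read "this host is sending" and the 10s one still points at a port scan or a local service crash, although the lookup is on `AttemptFails`. Anyone triaging that alarm would look for inbound scanning when the counter tracks something other than resets sent. I would change them to `info: average TCP RESETS this host is receiving, over the last minute` and `info: average TCP RESETS this host is receiving, over the last 10 seconds (this can be an indication that a service this host needs has crashed)`. If `AttemptFails` also counts failures other than a received reset (it appears to be the TCP MIB's failed-connection-attempts counter, worth confirming), `units:` and the section comment should say "failed attempts" rather than "resets".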
+++ b/configs.signatures
@@ -278,6 +278,7 @@ declare -A configs_signatures=(
 ['c9b792755de59d842ba95f8c315d94c8']='health.d/swap.conf'
 ['ca026d7c779f0a7cb7787713c5be5c47']='charts.d.conf'
 ['ca08a9b18d38ae0a0f5081a7cdc96863']='health.d/swap.conf'
+ ['ca0eb92bdd3de67582ea6db37462895f']='health.d/tcp_resets.conf'
 ['ca249db7a0637d55abb938d969f9b486']='python.d/postfix.conf'
 ['cb178b15427274d7def5b14bc4c09441']='health.d/net.conf'
 ['cb60badf376d246ad8ec9d3f524db430']='health.d/disks.conf'
--
2.39.2