AlienVault® USM Anywhere™

Understanding the Status of the Cloudflare App

Role Availability Read-Only Analyst Manager

The Status page of your AlienApp for Cloudflare presents a number of diagnostic statistics and related feedback to enable you to assess the status of your Cloudflare app without having to delve into the sensor log.

The statistics reported on your app's Status page are:

  • Events per Second: Both total and estimated events per second (EPS) are displayed
  • Error Rates: The number of errors the app detects in its logic, displayed as Errors per Second
  • Important: The app will retry potentially recoverable errors three times before giving up. See Error Recovery for more information.

  • Status per Zone: Each zone's status indicates whether logs are available to be monitored, or whether enterprise log share is disabled for that zone
  • Bandwidth Consumption: How much bandwidth in (megabytes) the app is consuming per minute while downloading events from the Cloudflare Enterprise Log Pull API
  • Throttled Events: What percentage of events are being ignored during throttling mode
  • Orchestration Action Count: The number of orchestration actions invoked since the last time the sensor was restarted
  • Average Event Age: The average age of events coming from Cloudflare

Events Per Second

The Status page of your AlienApp for Cloudflare integration displays the minute-by-minute status and connectivity of your integration. In addition to the connection status, the Status page displays both your estimated and total EPS. Total EPS is a rolling live representation of the events the app has processed over the past five minutes, while the estimated EPS is a random sample of the events that have come through the Cloudflare API over the past hour. Both of these EPS statistics are further divided into total EPS and EPS per zone.

Note: The EPS statistics reported on the Status page are all unfiltered, meaning that they're the statistics for the app before any filters are applied.

Throttling Mode

In the event that your sensor is being overloaded by an unusual amount of EPS, your app may enter throttling mode in an effort to reduce strain on your sensor or lower the bandwidth it is consuming. Throttling mode is automatically enabled any time the app detects that more than 1000 EPS are being generated. When the actual EPS has remained under 1000 for a minute, the app will disengage throttling mode.

While your app is in throttling mode, it throttles the data coming to the sensor to limit the data being pulled. Doing this helps the app to maintain its threshold below 1000 EPS.

When your app is in sampling mode, the Status page indicates this and displays approximately what percentage of data is being skipped.

Cloudflare app UI indicates event throttling on Status page

Error Recovery

In the event that the job receives a potentially recoverable error, it will retry that job up to three times before giving up. If it cannot collect the data after the third retry, you will see the failure noted in the scheduler history and the next scheduled job will try to collect the data from the failed job in addition to its own data.

When this happens, you may see some jobs labeled "already running". This means that the job before it took over a minute to complete, so the next scheduled job was skipped because the previous job was still running. The job after a skipped job will then collect both its data and the data from the skipped job, proceeding in this cycle until the app is caught up.

Average Event Age

This metric represents the latency between an event's timestamp in Cloudflare and the moment it is processed by the app. The age of each zone's most recent event is taken and all are averaged to provide the average event age for your app.