Alarm Codes in Hyperion 5.x
Introduction
Hyperion 5.0 provides a comprehensive alarm system to monitor, track, and respond to critical events in your environment. This reference guide documents all alarm types, their severity levels, and recommended actions. The alarm framework is designed to be reliable, available at all times, and capable of graceful recovery from failures with no loss of data.
Alarm System Overview
The Hyperion alarm system provides the following capabilities:
- Active and Cleared Alarms Dashboard: View and manage all alarms from a centralized interface
- Detailed Alarm Information: Review comprehensive details about each alarm event
- Tiered Severity Levels: Alarms are categorized by severity (CRITICAL, MAJOR, WARNING, INFORMATIONAL)
- Alarm Aggregation: Multiple alarms of the same type are aggregated to reduce notification fatigue
- Client Notifications: Automated notifications are sent to configured clients
- Alarm Pruning: Automatic cleanup of resolved alarms based on retention policies
- Configurable Workflows: Customize alarm handling behavior to match your operational requirements
- Secure Communications: All notification communications are encrypted and secure
Functional Requirements
The Hyperion alarm system meets the following functional requirements:
FR1 - Hyperion provides a view/dashboard to display active and cleared alarms
FR2 - Hyperion provides a view to review the alarm information
FR3 - Hyperion raises alarms with defined tiers and properties
FR4 - Hyperion aggregates alarms of the same type
FR5 - Hyperion sends notifications to clients
FR6 - Hyperion supports alarm pruning workflow
FR7 - Hyperion allows users to configure alarm workflow
FR8 - Hyperion modifies alarm properties as needed
Non-Functional Requirements
NFR1 - Hyperion alarms are reliable and available at all times
NFR2 - Hyperion alarm framework recovers gracefully from any failures with no loss of data
NFR3 - All notification communications are secure
Alarm Severity Levels
Alarms in Hyperion 5.0 are classified into four severity levels:
- CRITICAL: Requires immediate attention. Indicates a severe issue that impacts data protection or system functionality.
- MAJOR: Significant issue that should be addressed promptly but may not require immediate action.
- WARNING: Potential issue or configuration problem that should be reviewed.
- INFORMATIONAL: Notification of successful operations or status changes.
Ransomware Defender Alarms
RSW0001 - RANSOMWARE_DEFENDER_EVENT
Description: Ransomware signal received
Severity: CRITICAL
Details: This alarm is raised for each security event raised for a user. This indicates that the ransomware detection system has identified potentially malicious activity.
Help on this Alarm: This alarm is raised for each security event raised for a user. This should be reviewed in the active events tab of the ransomware defender icon to determine the shares affected or lock-out status for this event.
Actions:
- Review the security event in the Ransomware Defender active events tab
- Determine which shares are affected by this security event
- Check the lock-out status for this event
- Available response actions: lockout, recover, and initiate self-recovery options
RSW0003 - RANSOMWARE_USER_LOCK_FAILED
Description: Failed to lock user access after ransomware events received
Severity: CRITICAL
Details: A lock of a user account was not successful, indicating that automatic protection measures could not be applied.
Help on this Alarm: A lock of a user account was not successful. Consult the log in the action menu to see on which shares or clusters the lockout job failed. These shares are not locked out for this user, so the affected user must be locked out of each share manually. The lockout is not retried automatically.
Actions:
- Open the action menu log to identify which shares or clusters failed the lockout operation
- Manually lock out the affected user from the identified shares
- Verify that the manual lockout was successful
- If needed, retry the lockout from the actions menu
Impact: User access to potentially compromised shares remains active, posing a data security risk.
RSW0008 - RANSOMWARE_ENTER_MONITOR_MODE
Description: Ransomware: Entered monitor-only mode
Severity: MAJOR
Details: The system has entered monitor-only mode where detection is active but no automatic lockout will occur.
Help on this Alarm: When the Eyeglass Ransomware settings have monitor mode enabled, no lockout will occur. This alarm is a reminder that no data protection is enabled with monitor mode.
Actions:
- Verify that monitor mode is intentionally enabled
- Review security events in the dashboard
- Consider enabling active protection mode if monitoring period is complete
- Document the reason for operating in monitor-only mode
Impact: While ransomware activity is detected and logged, no automatic protection actions are taken.
RSW0009 - RANSOMWARE_LEAVE_MONITOR_MODE
Description: Ransomware: Left monitor-only mode
Severity: MAJOR
Details: The system has exited monitor-only mode and active data protection is now enabled.
Help on this Alarm: When the Eyeglass Ransomware Defender setting disables monitor mode, this alarm indicates that data protection monitoring is now active.
Actions:
- Verify that active protection mode is properly configured
- Review lockout policies and thresholds
- Test alert notifications to ensure they are working
- Document the transition from monitor to active mode
Impact: System is now providing active data protection with automatic lockout capabilities.
RSW0011 - RSW_RESTORE_ACCESS_SUCCESS
Description: User access restored
Severity: INFORMATIONAL
Details: User permissions have been successfully restored after a security event.
Help on this Alarm: The user's permissions on the security event were restored for all shares with a lockout. Check the security event history to verify the list of shares.
Actions:
- Review the security event history to confirm which shares were restored
- Verify that the user can access the restored shares
- Document the restoration in incident records
- Monitor user activity for any recurring suspicious behavior
RSW0012 - RSW_RESTORE_ACCESS_FAILED
Description: Failed to restore user access
Severity: CRITICAL
Details: The system was unable to restore user permissions for all affected shares.
Help on this Alarm: The user's permissions on the security event were not all restored. Open the security event history to review the list of shares that were not successfully restored and manually edit the share permissions to remove the deny read permission for the user named in the security event.
Actions:
- Open the security event history
- Identify shares where restoration failed
- Manually edit share permissions for each failed share
- Remove the "deny read" permission for the affected user
- Verify that the user can now access the shares
- Document the manual restoration steps taken
Impact: User cannot access one or more shares that should have been restored.
RSW0014 - RSW_SNAPSHOT_FAILED
Description: Failed to create snapshots
Severity: CRITICAL
Details: The system was unable to create protection snapshots for the security event.
Help on this Alarm: See the explanation on alarm SCA0075 for details and steps to attempt another snapshot creation or debug the issue.
Actions:
- Review the error logs to determine the cause of the snapshot failure
- Verify that sufficient storage space is available
- Check cluster connectivity and permissions
- Verify that the Eyeglass role has appropriate snapshot creation permissions
- Attempt to create a snapshot manually to test functionality
- If issue persists, open a support case
Impact: No point-in-time recovery snapshot is available for the security event.
RSW0015 - RSW_SNAPSHOT_DELETE_WARNING
Description: Not all snapshots were deleted
Severity: MAJOR
Details: One or more snapshots could not be deleted as requested.
Help on this Alarm: This indicates that an attempt to delete a security event snapshot from the GUI failed. Snapshots are applied on a security event and have an expiry of 48 hours. If deleting the snapshot sooner from the Ransomware Defender security event action menu fails, this error code is raised. Check that Eyeglass role permissions are set correctly.
Actions:
- Verify Eyeglass role permissions include snapshot deletion rights
- Check if snapshots are locked or have dependencies
- Wait for the 48-hour automatic expiry if manual deletion is not urgent
- Review cluster audit logs for permission errors
- If permissions are correct, try deleting again after a few minutes
Impact: Storage space is consumed by snapshots that should have been deleted.
RSW0016 - RSW_SNAPSHOT_DELETE_FAILED
Description: Failed to delete snapshots
Severity: MAJOR
Details: The system was unable to delete the requested snapshots.
Help on this Alarm: See the explanation for SCA0077.
Actions:
- Verify that the Eyeglass service account has delete permissions
- Check if snapshots are locked or in use
- Review error logs for specific failure reasons
- Attempt manual deletion through the cluster management interface
- If issue persists, contact support for assistance
Impact: Storage space continues to be consumed by unneeded snapshots.
RSW0020 - BACKUP_INGESTION_FAILURE
Description: Turboaudit backup ingestion failed
Severity: WARNING
Details: Historical event ingestion did not process all files successfully.
Help on this Alarm: This error means the historical event ingestion did not process all files. Please open a support case for instructions to resolve this.
Actions:
- Review ingestion logs to identify which files failed to process
- Verify network connectivity to the backup source
- Check available disk space on the Eyeglass appliance
- Open a support case with Superna for assistance
- Provide error logs and ingestion statistics to support
Impact: Some historical audit data may not be available for analysis.
RSW0024 - SECURITY_GUARD_FAILURE
Description: Ransomware: Security Guard Failure
Severity: MAJOR
Details: The security guard validation test has failed, indicating that ransomware defenses may not be functioning correctly.
Help on this Alarm: The security guard, if configured, runs on a schedule. To investigate a failure, open the Ransomware Defender icon, select the Security Guard tab, and open the last log to check which step failed. This feature tests that your defenses are active and functioning as expected. Correct the failure, and use the Service Manager icon to verify that the ECA is reachable and healthy. Check that the cluster igls-honey pot share exists. Check other alarms in the Alarms icon to verify that the cluster(s) managed by the security guard feature can be reached.
Note: An open SMB port is required from Eyeglass to the PowerScale clusters under management.
Actions:
- Navigate to Ransomware Defender icon → Security Guard tab
- Open the last log to identify which validation step failed
- Use the Service Manager icon to verify ECA is reachable and healthy
- Verify the cluster "igls-honey pot" share exists
- Check the Alarms icon for related cluster connectivity issues
- Verify SMB port connectivity from Eyeglass to managed clusters
- Re-run the security guard test after resolving issues
Impact: Cannot verify that ransomware defenses are functioning correctly.
RSW0026 - TURBOAUDIT_EVENTRATE_BELOW_THRESHOLD_WARNING
Description: Event rate for all TurboAudit nodes over the last N minute(s) is below threshold
Severity: WARNING
Details: The rate of audit events being ingested has fallen below expected levels.
Help on this Alarm: Check the NFS mount for audit data ingestion.
Actions:
- Verify NFS mount for TurboAudit data is accessible
- Check network connectivity between Eyeglass and audit sources
- Review TurboAudit service status on all nodes
- Verify that audit event generation is enabled on clusters
- Check for any storage or performance issues affecting event collection
Impact: Audit data may be incomplete, affecting ransomware detection accuracy.
RSW0028 - SECURITY_GUARD_SUCCESS
Description: Ransomware: Security Guard Success
Severity: INFORMATIONAL
Details: The security guard validation test has completed successfully.
Help on this Alarm: The security guard, if configured, runs on a schedule and simulates a Ransomware attack on a daily basis to validate that all components, including alerting and lockout of user sessions are functioning. This alarm confirms that the security guard job was completed successfully and your defenses are active and functioning as expected.
Actions:
- Review the security guard test report for detailed results
- Document the successful validation in compliance records
- Verify that all components tested as expected
- No further action required
Impact: Positive confirmation that ransomware defenses are operational.
RSW0029 - CYBER_RECOVERY_MANAGER_JOB_ERROR
Description: There was an error recovering files for Cyber Recovery Manager
Severity: WARNING
Details: A file recovery operation in Cyber Recovery Manager encountered errors.
Help on this Alarm: Check Cyber Recovery Job details in the Job Window to see which files failed and why.
Actions:
- Open the Jobs window
- Locate the Cyber Recovery Manager job that failed
- Review job details to identify which files failed
- Check error messages for specific failure reasons
- Verify file permissions and paths
- Retry recovery for failed files if appropriate
- If issue persists, open a support case
Impact: Some files were not recovered as expected.
License Management Alarms
LM0001 - LM_LICENSE_TO_EXPIRE
Description: License(s) to expire
Severity: WARNING
Details: One or more software licenses are approaching expiration.
Help on this Alarm: This means the support license will expire soon, and a renewal order is required.
Actions:
- Review the alarm details to identify which licenses are expiring
- Note the expiration date
- Contact your Superna account manager or reseller to renew licenses
- Submit renewal order with sufficient lead time
- Apply new license keys before expiration
- Verify license status after renewal
Impact: Support access and software updates will be unavailable after expiration.
LM0002 - LM_LICENSE_HAS_EXPIRED
Description: License(s) expired
Severity: MAJOR
Details: One or more software licenses have expired.
Help on this Alarm: This alarm indicates that maintenance has expired, and access to support and software will not be possible until a new key is applied.
Actions:
- Immediately contact your Superna account manager or reseller
- Request emergency license renewal if needed
- Process renewal order as quickly as possible
- Apply new license keys immediately upon receipt
- Verify all features are functioning after license renewal
- Document license renewal in compliance records
Impact: No access to support or software updates until license is renewed.
System Setup and Inventory Alarms
SETUP0001 - SETUP_REDISCOVER_REQUEST
Description: Database is in a corrupt, unrepairable state. Please schedule a time to execute a rediscover operation (igls appliance rediscover)
Severity: CRITICAL
Details: The Eyeglass database has become corrupted and requires a full rediscovery operation.
Help on this Alarm: The alarm is issued during inventory updates in the database if this process fails. Eyeglass will attempt to correct any failure in the process, but at times, this is impossible; for example, if Eyeglass is shut down incorrectly or hard powered off - both operations can result in database content becoming corrupt. The database can be rebuilt with the CLI command igls appliance rediscover. This command will delete the database and rebuild from API calls to the cluster. This operation is safe to run to rebuild the database. If this error occurs more than once, open a support case with the error code and upload support logs.
Impact: Blocking saves to the database impacts failover readiness validations from completing and will not allow an accurate view of DR readiness until addressed.
Actions:
- Schedule a maintenance window for the rediscover operation
- Notify stakeholders of the planned maintenance
- Back up current configuration if possible
- Run the CLI command: igls appliance rediscover
- Monitor the rediscovery process to completion
- Verify that inventory is correctly populated after rediscovery
- If this occurs repeatedly, open a support case
- Review shutdown procedures to prevent hard power-offs
Recovery Time: The rediscovery operation may take significant time depending on environment size.
SETUP0002 - SETUP_INVENTORY_DUPLICATES_CRITICAL
Description: Duplicate inventory found (please see alarm info); inventory not saved to the database as requested in file system.xml (tag manageinventoryduplicates). Please correct this manually on your cluster or set the tag to 'DELETE' to allow the system to ignore those entries
Severity: CRITICAL
Details: Duplicate cluster objects have been detected, blocking database saves.
Help on this Alarm: This alarm indicates that a duplicate cluster object was detected, which blocks saving to the database. This is normally an issue with cluster configuration that should be fixed on the cluster. Open a support case to identify the corrupt cluster configuration data. A workaround option that allows duplicates to be removed before saving is available in the system.xml file. Consult with support to apply this setting.
Impact: Blocking saves to the database impacts failover readiness validations from completing and will not allow an accurate view of DR readiness until addressed.
Actions:
- Review alarm details to identify the duplicate objects
- Open a support case with Superna
- Provide inventory export and error logs to support
- Work with support to identify the root cause on the cluster
- Either:
  - Fix the duplicate objects on the cluster (preferred), or
  - Apply the system.xml workaround with support guidance
- Verify that inventory saves successfully after resolution
- Re-run failover readiness validations
Impact: Cannot save inventory changes, affecting DR readiness visibility.
SETUP0003 - SETUP_INVENTORY_DUPLICATES_WARNING
Description: Duplicate inventory found (please see alarm info); duplicate inventory has been ignored, and data is saved to the database. Please correct this manually on your cluster
Severity: WARNING
Details: Duplicate inventory data was detected and automatically removed before saving.
Help on this Alarm: This alarm indicates that duplicated data was detected and removed before saving to the database. This means the duplicate skip flag is set in system.xml so that saving to the database continues after duplicate inventory data is removed. Duplicate inventory indicates an issue with the cluster configuration data that should be fixed on the cluster. Duplicates can be SyncIQ policy objects, share permissions, and other configuration data.
Impact: No functional impact to Eyeglass functions; this alarm indicates an issue that should be corrected on the cluster to maintain data integrity.
Actions:
- Review alarm details to identify the duplicate objects
- Log into the affected cluster
- Identify and remove the duplicate configuration items
- Common duplicate items include:
  - SyncIQ policy objects
  - Share permissions
  - Export rules
  - Other cluster configuration data
- Verify that duplicates are resolved
- Monitor for recurrence of the alarm
Impact: Minimal functional impact, but indicates configuration issues that should be addressed.
Best Practices for Alarm Management
Monitoring and Response
- Regular Review: Check the alarms dashboard daily to identify new issues
- Prioritize by Severity: Address CRITICAL alarms immediately, followed by MAJOR and WARNING
- Root Cause Analysis: Don't just clear alarms; investigate and resolve underlying issues
- Documentation: Maintain records of alarm occurrences and resolutions
- Trend Analysis: Look for patterns in recurring alarms to identify systemic issues
Notification Configuration
- Configure Multiple Channels: Set up email, SNMP, and webhook notifications as appropriate
- Set Appropriate Recipients: Ensure critical alarms reach on-call personnel
- Avoid Notification Fatigue: Use alarm aggregation and threshold tuning to reduce noise
- Test Notifications: Regularly verify that notification channels are working
- Escalation Procedures: Define escalation paths for unacknowledged critical alarms
Alarm Retention and Pruning
- Set Retention Policies: Configure appropriate retention periods based on compliance requirements
- Regular Cleanup: Allow automatic pruning to prevent database bloat
- Archive Important Events: Export and archive critical alarm data for long-term analysis
- Balance Storage and History: Maintain enough history for trend analysis without overwhelming storage
Integration with ITSM Tools
Consider integrating Hyperion alarms with your IT Service Management tools:
- ServiceNow
- PagerDuty
- Splunk
- Other SIEM/ITSM platforms
Use the Alarms API (v1) to retrieve alarm data programmatically for integration purposes.
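The following triage sketch is an added example, not code from Hyperion or Superna. It aggregates alarms of the same type, orders them by the severity tiers in this guide, and applies two rules stated above: RSW0001 events raised while monitor-only mode is active get no automatic lockout, and RSW0003 is never retried automatically. The record fields (`ts`, `code`, `severity`, `subject`) are hypothetical and do not represent the Alarms API v1 schema.

```python
SEVERITY_RANK = {"CRITICAL": 0, "MAJOR": 1, "WARNING": 2, "INFORMATIONAL": 3}

# Alarm pairs from this guide. Treating the second alarm as closing the first
# is an assumption of this example, not documented product behaviour.
CLOSED_BY = {
    "RSW0008": "RSW0009",  # entered / left monitor-only mode
    "RSW0024": "RSW0028",  # Security Guard failure / success
    "RSW0012": "RSW0011",  # restore access failed / succeeded
}
CLOSERS = {closer: opener for opener, closer in CLOSED_BY.items()}

# Constructed sample records. Field names are hypothetical, not the API schema.
SAMPLE_ALARMS = [
    {"ts": 100, "code": "RSW0008", "severity": "MAJOR", "subject": "system"},
    {"ts": 110, "code": "RSW0001", "severity": "CRITICAL", "subject": "user-a"},
    {"ts": 111, "code": "RSW0001", "severity": "CRITICAL", "subject": "user-a"},
    {"ts": 120, "code": "RSW0024", "severity": "MAJOR", "subject": "system"},
    {"ts": 130, "code": "RSW0009", "severity": "MAJOR", "subject": "system"},
    {"ts": 140, "code": "RSW0001", "severity": "CRITICAL", "subject": "user-b"},
    {"ts": 141, "code": "RSW0003", "severity": "CRITICAL", "subject": "user-b"},
    {"ts": 150, "code": "RSW0028", "severity": "INFORMATIONAL", "subject": "system"},
    {"ts": 160, "code": "RSW0012", "severity": "CRITICAL", "subject": "user-c"},
    {"ts": 170, "code": "LM0001", "severity": "WARNING", "subject": "system"},
]


def triage(alarms):
    """Aggregate open alarms per (code, subject), most severe first."""
    open_rows = {}        # (code, subject) -> [severity, count, note]
    monitor_only = False  # True between RSW0008 and RSW0009
    for alarm in sorted(alarms, key=lambda a: a["ts"]):
        code, subject = alarm["code"], alarm["subject"]
        if code in CLOSERS:
            # A closing alarm clears the condition its partner opened.
            open_rows.pop((CLOSERS[code], subject), None)
            if code == "RSW0009":
                monitor_only = False
            continue
        if code == "RSW0008":
            monitor_only = True
        note = ""
        if code == "RSW0001" and monitor_only:
            note = "raised in monitor-only mode: no automatic lockout"
        elif code == "RSW0003":
            note = "lockout is not retried automatically: lock out manually"
        row = open_rows.setdefault((code, subject), [alarm["severity"], 0, ""])
        row[1] += 1                # aggregate repeats of the same alarm type
        row[2] = row[2] or note    # keep the first non-empty note
    result = [(sev, code, subj, count, note)
              for (code, subj), (sev, count, note) in open_rows.items()]
    return sorted(result, key=lambda r: (SEVERITY_RANK[r[0]], r[1], r[2]))


if __name__ == "__main__":
    for row in triage(SAMPLE_ALARMS):
        print(*row, sep=" | ")
```

In the sample, the two RSW0001 events for user-a are flagged because they arrived before RSW0009, while the monitor-mode and Security Guard failure alarms drop out once their closing alarms appear.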
See Also
For additional information on alarm management and system monitoring:
- API Guide: Use the Alarms API v1 endpoints to programmatically manage alarms
- CLI Guide: Command-line tools for alarm querying and management
- Operations Guide: Procedures for responding to common alarm scenarios
- Troubleshooting Guide: Detailed troubleshooting steps for persistent alarm conditions
Support
If you encounter alarms not covered in this guide or need assistance resolving critical issues:
- Gather relevant logs and alarm details
- Document steps already taken to resolve the issue
- Open a support case through the Superna customer portal
- For critical production issues, contact Superna emergency support
Your support case should include:
- Alarm code and description
- Timestamp of alarm occurrence
- Relevant log files
- Configuration details
- Steps already attempted
Superna support is committed to helping you maintain a secure and reliable data protection environment.