ConfigGuardian Alerts

ConfigGuardian publishes alerts to the Anava cloud when it detects configuration drift, heals configuration, or encounters conflicts. This page documents all alert types and recommended responses.

Alert Overview

Alert Code        Severity   When Triggered
----------------  ---------  ------------------------------------------
CONFIG_DRIFT      Warning    Configuration drift detected
CONFIG_HEALED     Info       Configuration successfully restored
CONFIG_CONFLICT   Critical   Repeated drift detected (active tampering)

All alerts appear in:

  • Anava Dashboard → Alerts tab
  • Device Detail → Activity log
  • Email Notifications (if configured)
  • Webhook Integrations (if configured)

CONFIG_DRIFT

Severity: Warning

Description: ConfigGuardian detected that one or more MQTT configuration settings differ from the golden configuration.

When It Fires

  • Every 30 seconds, ConfigGuardian compares the camera's actual MQTT configuration with the expected (golden) configuration
  • If any protected field differs, a CONFIG_DRIFT alert is published
  • The alert includes all drifted fields and their severities

Example Payload

{
  "alertCode": "CONFIG_DRIFT",
  "severity": "warning",
  "device": {
    "serial": "ACCC12345678",
    "model": "AXIS P3245-V",
    "ip": "192.168.1.100"
  },
  "drift": {
    "fields": [
      {
        "name": "broker.host",
        "expected": "mqtt.anava.ai",
        "actual": "192.168.1.50",
        "severity": "CRITICAL"
      },
      {
        "name": "tls.validateServerCert",
        "expected": true,
        "actual": false,
        "severity": "CRITICAL"
      }
    ],
    "maxSeverity": "CRITICAL",
    "count": 2
  },
  "action": "HEALING",
  "timestamp": "2025-12-19T10:30:00Z"
}

Recommended Actions:

  1. Review the drift details - Check which fields changed and to what values
  2. Investigate the source - Who or what made the change?
  3. Check camera access logs - Look for unauthorized web UI access
  4. Verify healing - A CONFIG_HEALED alert should follow shortly

Tip: A single CONFIG_DRIFT followed by CONFIG_HEALED is normal operation. ConfigGuardian is doing its job. Investigate if you see repeated drift or don't know why the change occurred.

CONFIG_HEALED

Severity: Info

Description: ConfigGuardian successfully restored the MQTT configuration to the golden state.

When It Fires

  • After detecting drift with CRITICAL or HIGH severity
  • After successfully writing the golden configuration via VAPIX
  • After verifying the configuration matches expected values

Example Payload

{
  "alertCode": "CONFIG_HEALED",
  "severity": "info",
  "device": {
    "serial": "ACCC12345678",
    "model": "AXIS P3245-V",
    "ip": "192.168.1.100"
  },
  "heal": {
    "fieldsRestored": [
      "broker.host",
      "tls.validateServerCert"
    ],
    "count": 2,
    "durationMs": 187
  },
  "timestamp": "2025-12-19T10:30:02Z"
}

Recommended Actions:

  1. Informational - No immediate action required
  2. Review the cause - Why did drift occur in the first place?
  3. Check for patterns - Repeated healing may indicate ongoing issues

CONFIG_CONFLICT

Severity: Critical

Description: ConfigGuardian detected repeated configuration drift within a 5-minute window. This indicates someone or something is actively fighting the guardian.

When It Fires

  • 4 or more drift events detected within 5 minutes
  • Indicates possible:
    • Malicious actor
    • Conflicting software (another ACAP modifying MQTT)
    • Firmware update process
    • Misconfigured automation

Example Payload

{
  "alertCode": "CONFIG_CONFLICT",
  "severity": "critical",
  "device": {
    "serial": "ACCC12345678",
    "model": "AXIS P3245-V",
    "ip": "192.168.1.100"
  },
  "conflict": {
    "driftCount": 4,
    "window": "5m",
    "healAttempts": 3,
    "lastDrift": {
      "field": "broker.host",
      "expected": "mqtt.anava.ai",
      "actual": "malicious.example.com"
    }
  },
  "recommendation": "Investigate immediately. Someone is actively modifying MQTT configuration.",
  "timestamp": "2025-12-19T10:35:00Z"
}
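The three payloads above share a common envelope (alertCode, severity, device, timestamp) and carry their details under a per-type key. The following added example, which is not Anava's code, shows how a receiving system (a webhook endpoint or SIEM pre-processor) can validate these payloads, route each alert code to a response, and apply the page's "4 or more drift events within 5 minutes" rule independently on the receiver side, so that active tampering is still flagged even if the CONFIG_CONFLICT alert itself is delayed or dropped. The function names, the action labels ("ticket", "page_oncall", "isolate_and_page") and the per-serial window store are this example's own design.

```python
"""Added example (not Anava's code): consume ConfigGuardian alert payloads and
re-derive the conflict condition (4+ drifts in 5 minutes) on the receiving side."""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import json

CONFLICT_THRESHOLD = 4                   # drift events that constitute a conflict (from the page)
CONFLICT_WINDOW = timedelta(minutes=5)   # correlation window (from the page)

# Per-device history of drift timestamps; the deque only keeps what the window needs.
_drift_history = defaultdict(deque)


def parse_alert(raw: str) -> dict:
    """Parse one webhook body and check the envelope fields every alert type carries."""
    alert = json.loads(raw)
    for key in ("alertCode", "severity", "device", "timestamp"):
        if key not in alert:
            raise ValueError(f"alert missing required field {key!r}")
    if "serial" not in alert["device"]:
        raise ValueError("alert.device missing 'serial'")
    # Timestamps on this page are RFC 3339 with a trailing Z.
    alert["_ts"] = datetime.fromisoformat(alert["timestamp"].replace("Z", "+00:00"))
    return alert


def record_drift(serial: str, ts: datetime) -> int:
    """Record a drift event and return how many fall inside the window ending at ts."""
    history = _drift_history[serial]
    history.append(ts)
    while history and ts - history[0] > CONFLICT_WINDOW:
        history.popleft()
    return len(history)


def handle_alert(raw: str) -> dict:
    """Return a routing decision for one alert: the serial, what to do, and why."""
    alert = parse_alert(raw)
    serial = alert["device"]["serial"]
    code = alert["alertCode"]
    if code == "CONFIG_DRIFT":
        critical = [f["name"] for f in alert["drift"]["fields"] if f["severity"] == "CRITICAL"]
        n = record_drift(serial, alert["_ts"])
        if n >= CONFLICT_THRESHOLD:
            minutes = int(CONFLICT_WINDOW.total_seconds() // 60)
            return {"serial": serial, "action": "page_oncall",
                    "reason": f"{n} drift events within {minutes} min (receiver-side conflict)"}
        return {"serial": serial, "action": "ticket",
                "reason": f"drift in {alert['drift']['count']} field(s); critical: {critical}"}
    if code == "CONFIG_HEALED":
        return {"serial": serial, "action": "log",
                "reason": f"restored {alert['heal']['count']} field(s) in {alert['heal']['durationMs']} ms"}
    if code == "CONFIG_CONFLICT":
        last = alert["conflict"]["lastDrift"]
        return {"serial": serial, "action": "isolate_and_page",
                "reason": f"{last['field']} -> {last['actual']!r} (expected {last['expected']!r})"}
    return {"serial": serial, "action": "review", "reason": f"unknown alertCode {code!r}"}


def _drift_payload(ts: str, actual: str = "192.168.1.50") -> str:
    """Constructed sample drift alert, shaped like this page's CONFIG_DRIFT example."""
    return json.dumps({
        "alertCode": "CONFIG_DRIFT", "severity": "warning",
        "device": {"serial": "ACCC12345678", "model": "AXIS P3245-V", "ip": "192.168.1.100"},
        "drift": {"fields": [{"name": "broker.host", "expected": "mqtt.anava.ai",
                              "actual": actual, "severity": "CRITICAL"}],
                  "maxSeverity": "CRITICAL", "count": 1},
        "action": "HEALING", "timestamp": ts})


if __name__ == "__main__":
    # Four drifts 30 seconds apart: the fourth trips the receiver-side conflict rule.
    for i in range(4):
        print(handle_alert(_drift_payload(f"2025-12-19T10:3{i // 2}:{(i % 2) * 30:02d}Z")))
```

The window is keyed by device serial rather than IP because the serial is what stays stable when a camera is re-addressed; a receiver that keyed on IP would split one device's drift history across two entries.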

Immediate Actions:

  1. Investigate the camera - Check who has access to the web UI
  2. Review access logs - Look for unauthorized logins
  3. Check for other ACAPs - Another application may be modifying settings
  4. Isolate if suspicious - Consider removing the camera from the network

Diagnostic Steps:

# Check recent web UI access (via VAPIX)
curl --digest -u root:password \
"http://CAMERA_IP/axis-cgi/admin/accesslog.cgi?tail=50"

# List installed ACAPs
curl --digest -u root:password \
"http://CAMERA_IP/axis-cgi/applications/list.cgi"

# Check ACAP modification times
ssh baton@CAMERA_IP "ls -la /usr/local/packages/"

Security Alert: A CONFIG_CONFLICT with a malicious broker address is a serious security incident. The attacker is trying to redirect your device traffic to their server. Isolate the camera and investigate immediately.

Alert Severity Colors

In the Anava dashboard, alerts are color-coded:

Severity   Color    Hex Code   Meaning
---------  -------  ---------  -------------------------
Critical   Red      #DC2626    Immediate action required
Warning    Orange   #EA580C    Review soon
Info       Blue     #2563EB    Informational

Alert Retention

Alert Type        Dashboard Retention   Export Retention
----------------  --------------------  ----------------
CONFIG_CONFLICT   90 days               Permanent
CONFIG_DRIFT      30 days               90 days
CONFIG_HEALED     30 days               90 days

Integrations

Webhook

Configure a webhook to receive ConfigGuardian alerts:

  1. Navigate to Settings > Integrations > Webhooks
  2. Add a new webhook endpoint
  3. Select ConfigGuardian as the event source
  4. Configure which alert types to receive

Email

Configure email notifications:

  1. Navigate to Settings > Notifications
  2. Enable ConfigGuardian Alerts
  3. Choose severity threshold (Critical only, Warning+, or All)

SIEM Integration

Export alerts to your SIEM via:

  • Syslog forwarding (CEF format)
  • Webhook (JSON format)
  • BigQuery export (for analysis)
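The page states that alerts can be forwarded to a SIEM as CEF over syslog but does not publish the field mapping. The added example below, which is not Anava's code, renders an alert payload in the shapes shown on this page as a CEF:0 line with correct header and extension escaping. The vendor/product/version header values, the mapping of the three severities onto CEF's 0-10 scale, and the choice of extension keys (cs1/cs2/cn1 for drift details) are this example's own assumptions, not the mapping Anava's export uses.

```python
"""Added example (not Anava's code): render a ConfigGuardian alert as a CEF line
for syslog forwarding. Header values, severity scale and extension keys are assumed."""
import json

# CEF severity is 0-10; how the page's three levels map onto it is assumed here.
_CEF_SEVERITY = {"critical": 9, "warning": 5, "info": 2}
_HEADER = ("Anava", "ConfigGuardian", "1.0")   # vendor, product, version: assumed placeholders


def _fmt(value) -> str:
    """Render values as CEF-friendly text; booleans as JSON-style true/false."""
    if isinstance(value, bool):
        return "true" if value else "false"
    return str(value)


def _esc_header(value: str) -> str:
    """CEF header fields must escape backslash and the pipe delimiter."""
    return value.replace("\\", "\\\\").replace("|", "\\|")


def _esc_ext(value) -> str:
    """CEF extension values must escape backslash, '=' and line breaks."""
    return (_fmt(value).replace("\\", "\\\\").replace("=", "\\=")
            .replace("\r", "\\r").replace("\n", "\\n"))


def _change(field, expected, actual) -> str:
    """Compact 'field:expected->actual' rendering for drift details (unescaped)."""
    return f"{field}:{_fmt(expected)}->{_fmt(actual)}"


def to_cef(alert: dict) -> str:
    """Build one CEF:0 line from an alert dict shaped like this page's examples."""
    code = alert["alertCode"]
    device = alert["device"]
    severity = _CEF_SEVERITY.get(str(alert.get("severity", "")).lower(), 5)
    # Standard CEF keys where they fit; custom string/number keys (cs*/cn*) for the rest.
    ext = {
        "rt": alert["timestamp"],
        "dvc": device.get("ip", ""),
        "dvchost": device.get("serial", ""),
        "cs1Label": "model", "cs1": device.get("model", ""),
    }
    if code == "CONFIG_DRIFT":
        d = alert["drift"]
        ext.update(cnt=d["count"], cs2Label="driftedFields",
                   cs2=",".join(_change(f["name"], f["expected"], f["actual"]) for f in d["fields"]),
                   act=alert.get("action", ""))
    elif code == "CONFIG_HEALED":
        h = alert["heal"]
        ext.update(cnt=h["count"], cs2Label="restoredFields", cs2=",".join(h["fieldsRestored"]),
                   cn1Label="durationMs", cn1=h["durationMs"])
    elif code == "CONFIG_CONFLICT":
        c = alert["conflict"]
        last = c["lastDrift"]
        ext.update(cnt=c["driftCount"], cs2Label="lastDrift",
                   cs2=_change(last["field"], last["expected"], last["actual"]),
                   msg=alert.get("recommendation", ""))
    name = code.replace("_", " ").title()            # e.g. CONFIG_DRIFT -> "Config Drift"
    vendor, product, version = _HEADER
    header = "|".join(_esc_header(h) for h in (vendor, product, version, code, name, str(severity)))
    extension = " ".join(f"{k}={_esc_ext(v)}" for k, v in ext.items())
    return f"CEF:0|{header}|{extension}"


if __name__ == "__main__":
    # This page's CONFIG_CONFLICT example payload, used here as a constructed input.
    conflict = json.loads('''{
      "alertCode": "CONFIG_CONFLICT", "severity": "critical",
      "device": {"serial": "ACCC12345678", "model": "AXIS P3245-V", "ip": "192.168.1.100"},
      "conflict": {"driftCount": 4, "window": "5m", "healAttempts": 3,
                   "lastDrift": {"field": "broker.host", "expected": "mqtt.anava.ai",
                                 "actual": "malicious.example.com"}},
      "recommendation": "Investigate immediately. Someone is actively modifying MQTT configuration.",
      "timestamp": "2025-12-19T10:35:00Z"}''')
    print(to_cef(conflict))
```

Escaping is the part most home-grown CEF emitters get wrong: a value such as an actual broker address that contains "=" or "|" would otherwise split the line into the wrong fields at the SIEM, so header and extension values go through their own escape functions exactly once.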

Last updated: December 2025