KS-Soft. Network Management Solutions
 FAQFAQ   SearchSearch   MemberlistMemberlist   UsergroupsUsergroups   RegisterRegister    ProfileProfile    Log inLog in 

Reducing Number of alerts for event logs

 
Post new topic   Reply to topic    KS-Soft Forum Index -> Configuration, Maintenance, Troubleshooting
View previous topic :: View next topic  
Author Message
Sainyam



Joined: 12 Aug 2011
Posts: 37
PostPosted: Thu Jul 24, 2014 8:36 pm    Post subject: Reducing Number of alerts for event logs Reply with quote
hi support,

I am using HM for monitoring events logs.

I am using advanced mode for filtering the events

('%SimpleStatus%'=='DOWN') and ('%Reply%'<>'%LastReply%')

So that I wont get repeated same events logs, but it wont work correctly because of change in time or multiple different events occurs at same time repeated, Yesterday I got around 4k events log alerts emails from one server.

So my question is this possible for make it more advance and it check the event log for last 3-4 events instead only 1.
Back to top
View user's profile Send private message
KS-Soft



Joined: 03 Apr 2002
Posts: 12795
Location: USA
PostPosted: Fri Jul 25, 2014 4:18 am    Post subject: Reply with quote
Quote:
So that I wont get repeated same events logs, but it wont work correctly because of change in time or multiple different events occurs at same time repeated, Yesterday I got around 4k events log alerts emails from one server.

So my question is this possible for make it more advance and it check the event log for last 3-4 events instead only 1.

Not sure I understand correctly. You want to receive notification about every new event so you are using "Report about all events" test option? But you do not want to receive 5 e-maisl when 5 new events detected. You want to receive 1 e-mail with information about all 5 events?
Sorry, there is no such option.

If you set "Report about last bad/good event" option, you will receive e-mail with information regarding latest event but then you will need to check logs for other events...

Regards
Alex

Last edited by KS-Soft on Fri Jul 25, 2014 4:55 am; edited 1 time in total
Back to top
View user's profile Send private message Visit poster's website
KS-Soft Europe



Joined: 16 May 2006
Posts: 2832
PostPosted: Fri Jul 25, 2014 4:37 am    Post subject: Reply with quote
As I understand, you are using Advanced mode action to filter generated e-mails?
You may try the following expression:
('%SimpleStatus%'=='DOWN') AND ((%Recurrences%==1) OR ('%PrevNTEventID%'<>'%NTEventID%') OR ('%NTEventSource%'<>'%PrevNTEventSource%'))
It should filter similar consecutive events (same Event ID and Event Source)
Back to top
View user's profile Send private message Send e-mail Visit poster's website
Sainyam



Joined: 12 Aug 2011
Posts: 37
PostPosted: Thu Aug 21, 2014 7:54 pm    Post subject: Reply with quote
Thanks for the reply,

@KS-Soft Europe
No it wont help,
I am still getting same events repeated it.

I think i should have explain more. I have set alerting only for error events.

Suppose
1. Error Event A occurs at 5:00 AM, I get alert about this.
2. Error Event B occurs at 5:10 AM, I get alert about this.
3. Error Event A occurs again at 5:20 AM, I should not get alert about this, since my team is already start working on it.

That why I want to check not only for previous or last reply but also last 5 replies before generating alerts.

Sometimes it some services create this type of scenario that it generate same set of events let say set 4 different events, which occurs continuously with in a fraction of 1 - 2 seconds, which create alerts 2 - 3k. and my inbox get full.
Back to top
View user's profile Send private message
KS-Soft Europe



Joined: 16 May 2006
Posts: 2832
PostPosted: Fri Aug 22, 2014 2:05 am    Post subject: Reply with quote
Quote:
That why I want to check not only for previous or last reply but also last 5 replies before generating alerts.

It's impossible to filter events the way you described.
You may get alerts for the first 5 or 10 evens and ignore rest "tones" of events using standard mode action settings:
Start when [1] consecutive "Bad" result occur
Repeat [5] time(s)

On the other hand, if you often get tons of "Bad" events and you don't want to skip sime alerts, you may write consecutive Bad events to the log file and send e-mail alert with attached log (including lot of consecutive events), or with events text in e-mail body.
How to setup alert profile:
"BAD" status actions
1. Check host again: Start when 1 consecutive Bad result occur; Repeat: until status changes
2. Record info into HM log: Start when 1 consecutive Bad result occur; Repeat: until status changes
Mark: Add record into specific log file (e.g. D:\templogs\eventlog.txt)
"GOOD" status actions
1. Send e-mail action: Start when 1 consecutive Bad result occur; Repeat: 1 time(s)
you may enable "Attach file" option and specify filename or use <<IncludeFile=D:\templogs\eventlog.txt>> in mail template to include log text into e-mail body:
2. Execute external program: Start when 2 consecutive Bad result occur; Repeat: 1 time(s)
Command line: cmd /c del D:\templogs\eventlog.txt

With these settings, HostMontor will write temporary log when test gets Bad status and always, after detected Bad events gats Ok status (Because of Check host again action). After first Ok status, HostMonitor will send you e-mail with all events, recorded into the temporary log. After second Ok status, temporary log will be removed by "Execute external program" action.
Back to top
View user's profile Send private message Send e-mail Visit poster's website
Display posts from previous:   
Post new topic   Reply to topic    KS-Soft Forum Index -> Configuration, Maintenance, Troubleshooting All times are GMT - 6 Hours
Page 1 of 1

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum


Powered by phpBB © 2001, 2005 phpBB Group
KS-Soft Forum Index