Event Alarm
Event Alarms monitor event logs for a specified event, or lack of that event, within a given time period in order to trigger one or more actions. When a new event occurs, it is checked against the Filters assigned to the Event Alarm Monitor Item. If it matches at least 1 Include Filter and no Exclude Filters, then the configured Action will be triggered. If the event does not match an Include Filter, or matches an Exclude Filter, the event will be skipped. This is true for both Service Agents and Virtual Agents.

When using Event Alarms, there are two important issues:

1. On very busy systems that generate many event log records, the Event Alarm may not be able to keep up in real-time. There is a finite amount of data that can be collected and stored in a single monitor item interval. This means that there can be some lag time between when an event is logged to the event log and when it is received by the ELM Server. When collecting events, the Event Alarm bookmarks the last record read so that it knows where to start reading at its next Scheduled Interval. On very busy systems, especially domain controllers with high levels of auditing enabled, it is possible for the Event Alarm bookmark to roll off the event log before the records can be collected. If this happens, the bookmark is automatically reset at the most recent event. Any events that occurred between the old bookmark that rolled off the log and the new bookmark will not be collected. To prevent this from happening, we recommend setting the size of your event logs to a large enough value so that they hold at least 24 hours of event data. A large event log size should prevent the loss of a bookmark and allow the Event Alarm to monitor all events.

2. When using multiple Event Alarms or Event Collectors on the same Agent, any one of these Monitor Items can request that event logs be read. The request is initiated only if Scheduled Hours are "on" and a Scheduled Interval has passed for the individual Monitor Item. Any request will cause the event logs to be read starting from the saved bookmarks, passing new events to all Event Alarms and Event Collectors for the Agent, and then updating the bookmarks. In the case of Event Collectors, they check only their Event Criteria before deciding to process a new event. They do not check their Scheduled Hours. In the case of Event Alarms, they check both their Event Criteria and their Scheduled Hours before deciding to process a new event.

3. If ELM is running on Windows Server 2003 or Windows XP, and it has deployed a Virtual Agent to a Windows Vista or above version of Windows, the Event Collector will not be able to be assigned to it. The ELM Console will disallow the assignment due to the lack of support in Windows Server 2003 and Windows XP for Vista and newer Event Logs.

Actions

• Events not found (Warning) 5307 - An event matching the Event Filter Criteria was not found within the Scheduled time period.
• Events found (Informational) 5306 - An event matching the Event Filter Criteria was found within the Scheduled time period.

Categories

Displays the Monitoring Categories to which the Monitor is assigned. Click to select or deselect Monitoring Categories. Right-click to create or edit Monitoring Categories.

Test Monitor

Test any Monitor Item against any Agent capable of running the Item using the drop-down and Test button on this dialog box. Testing a Monitor Item prior to putting it into production validates that the monitor item is configured properly.

To test a monitor item:

1. Select the Agent you wish to test against from the drop-down list.
2. Click the Start Test button.

If the test was successful, you will receive a pop-up indicating this and the option to see detailed results of the test. If the test failed, detailed results of the test will automatically open in Notepad.
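A small model of the bookmark behaviour described in issue 1 above, added here as an illustration (it is not ELM code): a circular event log, a per-interval read limit, and the Include/Exclude rule. The record layout, the `max_read` limit, the sample filters and the event data are constructed assumptions.

```python
from collections import deque

class EventLog:
    """Circular log: when full, the oldest records are overwritten."""
    def __init__(self, capacity):
        self.capacity, self.records, self.next_id = capacity, deque(), 1

    def write(self, event_id, account):
        self.records.append((self.next_id, event_id, account))
        self.next_id += 1
        if len(self.records) > self.capacity:
            self.records.popleft()

def matches(rec, include, exclude):
    # Page rule: at least 1 Include Filter matches and no Exclude Filter matches.
    return any(f(rec) for f in include) and not any(f(rec) for f in exclude)

def collect(log, bookmark, max_read, include, exclude):
    """One Scheduled Interval. Returns (matching records, new bookmark, records lost)."""
    if not log.records:
        return [], bookmark, 0
    oldest, newest = log.records[0][0], log.records[-1][0]
    if bookmark + 1 < oldest:
        # Unread records were overwritten: the bookmark has rolled off the log.
        # Model assumption: the reset bookmark treats the newest record as read.
        return [], newest, newest - bookmark
    batch = [r for r in log.records if r[0] > bookmark][:max_read]
    hits = [r for r in batch if matches(r, include, exclude)]
    return hits, (batch[-1][0] if batch else bookmark), 0

def simulate(capacity, writes_per_interval, max_read):
    """Returns (events that triggered the Action, events never evaluated)."""
    include = [lambda r: r[1] == 4625]          # constructed filter: failed logon
    exclude = [lambda r: r[2] == "svc-backup"]  # constructed filter: noisy account
    log, bookmark, alarms, lost = EventLog(capacity), 0, 0, 0
    for count in writes_per_interval:
        for _ in range(count):
            n = log.next_id                     # constructed, deterministic sample data
            log.write(4625 if n % 10 == 0 else 4624,
                      "svc-backup" if n % 20 == 0 else "alice")
        hits, bookmark, gap = collect(log, bookmark, max_read, include, exclude)
        alarms, lost = alarms + len(hits), lost + gap
    return alarms, lost

BURST = [500, 500, 0, 0, 0, 0]                  # two busy intervals, then quiet
if __name__ == "__main__":
    print("log holds 600 records :", simulate(600, BURST, 300))
    print("log holds 2000 records:", simulate(2000, BURST, 300))
```

With the 600-record log the second busy interval overwrites unread records, so the bookmark resets and 700 events are never evaluated; with 2000 records the reader catches up during the quiet intervals and nothing is lost.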
Schedule

Displays the Scheduled Interval and Scheduled Hours settings which control the frequency for the Monitor Item.

Scheduled Interval tab

Specify the interval at which the monitoring, polling or action is to occur. Depending on the Monitor Item type, Items can be scheduled in interval increments of Seconds, Minutes, Hours and Days. The Scheduled Interval is relative to the top of the hour or top of the minute. For example, if a Scheduled Interval is configured for 10 minutes, the Monitor Item will execute at hh:10:00, hh:20:00, hh:30:00, hh:40:00, hh:50:00, h1:00:00, etc. If a Scheduled Interval is configured for 15 seconds, the Monitor Item will execute at hh:00:15, hh:00:30, hh:00:45, hh:01:00, hh:01:15, etc.

Scheduled Hours tab

Select the days and/or hours this item is active. By default, the schedule is set to ON for all hours and all days. Mouse clicks toggle squares between ON and OFF. Clicking on an individual square will toggle the active schedule for that hour. Clicking on an hour at the top of the grid, or on a day of the week at the left of the grid will toggle the corresponding column or row. Keyboard equivalents are the arrow keys and the space bar.

Properties Tab

This read-only tab displays the properties of the selected object and the values for those properties.
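The shared-read behaviour from issue 2 and the Scheduled Hours setting, modelled as an added example that is not part of ELM: any Monitor Item whose hours are ON can trigger a read, every item is then offered the new events, and the single bookmark advances. The item names, the minute-based clock and the sample events are constructed assumptions; the model checks Scheduled Hours at read time, which does not change either scenario shown.

```python
from dataclasses import dataclass, field

@dataclass
class Item:
    name: str
    kind: str                  # "alarm" or "collector"
    interval: int              # Scheduled Interval in minutes (model: divides 60)
    hours_on: frozenset        # hours of the day with Scheduled Hours ON
    criteria: object           # callable(event_id) -> bool, the Event Criteria
    processed: list = field(default_factory=list)

    def requests_read(self, minute):
        # A read is requested only if hours are ON and an interval boundary is reached.
        return (minute // 60) in self.hours_on and minute % self.interval == 0

    def offer(self, minute, event):
        if not self.criteria(event[1]):
            return
        # Collectors check only their criteria; alarms also check Scheduled Hours.
        if self.kind == "collector" or (minute // 60) in self.hours_on:
            self.processed.append(event)

def run_day(items, events):
    """events: sorted list of (minute_of_day, event_id). One shared bookmark per Agent."""
    bookmark = 0
    for minute in range(24 * 60):
        if not any(i.requests_read(minute) for i in items):
            continue
        while bookmark < len(events) and events[bookmark][0] <= minute:
            for i in items:
                i.offer(minute, events[bookmark])
            bookmark += 1      # bookmark moves on even if an item skipped the event
    return {i.name: [e[0] for e in i.processed] for i in items}

ALL_DAY, BUSINESS = frozenset(range(24)), frozenset(range(8, 18))
EVENTS = [(2 * 60 + 15, 4625), (9 * 60 + 5, 4625)]   # constructed: 02:15 and 09:05

def scenario(alarm_hours, collector_hours):
    failed_logon = lambda event_id: event_id == 4625  # constructed criteria
    items = [Item("alarm", "alarm", 10, alarm_hours, failed_logon),
             Item("collector", "collector", 30, collector_hours, failed_logon)]
    return run_day(items, EVENTS)

if __name__ == "__main__":
    print(scenario(BUSINESS, ALL_DAY))   # alarm never sees the 02:15 event
    print(scenario(ALL_DAY, BUSINESS))   # collector stores 02:15 despite OFF hours
```

In the first scenario the collector's 02:30 read consumes the 02:15 event while the alarm's hours are OFF, so the alarm never evaluates it; in the second the alarm's read hands the same event to a collector whose hours are OFF, and the collector still processes it.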