Application Alerts: Critical alerts are being sent with component statuses of (Up)

We are currently receiving a number of false positive alerts associated to application monitoring which we can't seem to isolate the root cause. The alerts are configured to send out a notification if a component status is down. However, we are also receiving alerts when the component status are up as well. In fact, on the notification email, we've added the following fields in the email body and they are listed as such:

- Components with problems: (empty)

- All monitored components: component1 (Up), component2 (Up)

These components can be port monitors and/or windows services statuses.

Initially, we suspected that this may be due to the polling interval and alert evaluation and escalation intervals; in which, the polling interval is set for every 3 minutes while the alert evaluation is done every 1 minute and the escalation is done every 10 minutes. We ended up changing the escalation interval to 9 minutes to line it up with the polling interval. However, we are still receiving these false positive alerts.

Any suggestions?

Find more posts tagged with

false_positive

false_alerts

false_alarmsalerts

false_alarm

Accepted answers

All comments

aLTeReGo

This is likely caused by the polling interval being reduced to 3 minutes. Depending on the number of component monitors within the template, their type, and other factors such as network latency, bandwidth, and the resource load on the both the SAM server and the remotely monitored host this may be too frequent to reliably test. I'd recommend you try decreasing the polling interval to at least 5 minutes and see if this resolves the issue. If it does then consider moving the most critical components out into their own template so they're no impacted by the polling of less critical items such as performance counters and such. The polling interval is for the template as a whole, so any one item in the template could be holding up, or essentially causing a timeout to occur. Changing the polling interval to 5-8 minutes should give you a better idea if the frequency of polling is causing these false alerts.