Community
- Command Central
- MVP Program
- Monthly Mission
- Blogs
- Groups
- Events
- Media Vault
Products
- Observability
- Network Management
- Application Management
- IT Security
- IT Service Management
- System Management
- Database Management
Content Exchange
- SolarWinds Platform
- Server & Application Monitor
- Database Performance Analyzer
- Server Configuration Monitor
- Network Performance Monitor
- Network Configuration Manager
- SQL Sentry
- Web Help Desk
Free Tools & Trials
Store

Monitoring and Alerting on Event ID - Every occurrence of Event ID without missed or duplicate alerts

Probably making this more difficult than it is and am not real confident in what I think may be the solution.

I have a Windows Event Log Monitor setup to monitor a specific event ID on a server. The monitor itself seems to work fine, from the Application Component Details page I can see every occurrence of the event listed in the Event Log Message Details pane. The component status is set to a Warning state "Based on Event Count" >= 1 for a single poll and the polling frequency is 300 seconds.

The issue is the alerting. I am not sure what I should use for evaluation frequency and reset condition to ensure I trigger an alert for every instance of the event.

If I use the standard Evaluation Frequency of Alert = to every 1 minute and the reset condition = "trigger condition no longer true" then I miss alerts if when multiple events occur because it is always triggered.

If I use the No Reset Condition and trigger every 1 minute I receive duplicates I assume because the alert freq is 1 min and the polling of the monitor is 3 minutes.

This wouldn't be a big deal if this was an event that only occurred a couple of times per hour or day but it could occur multiple times per polling frequency.

It "seems" to work if I set the alert evaluation frequency to 4 or 5 minutes but I am not sure that is the best solution to ensure nothing is missed or duplicated.
Thanks

Find more posts tagged with

Accepted answers

buceyes

After another days worth of testing it looks like the best settings are:

For the Windows Event Log Component Monitor:

Poll every 300 seconds

Number of past polling intervals to search for events: 1 (Not 1.5 as set by default as 1.5 seemed to trigger duplicates depending on the timing)

For the Alert:

Evaluation Frequency of Alert: Every 6 minutes (prevents triggering twice before the next poll of the monitor)

Reset Condition: No Reset - Trigger each time condition is met

Only downside but one that I can work around for this application is that if multiple events are found it lumps them all together in the Event Log Message Details showing them as "Event 1 of ##.. Event 2 of ##" etc.. I am triggering a PowerShell script from the alert so I was able to loop through the events using regex to pull the details I needed from each event log.

Will update if I find anything better for anyone who runs into this themselves in the future.

All comments

buceyes

After another days worth of testing it looks like the best settings are:

For the Windows Event Log Component Monitor:

Poll every 300 seconds

Number of past polling intervals to search for events: 1 (Not 1.5 as set by default as 1.5 seemed to trigger duplicates depending on the timing)

For the Alert:

Evaluation Frequency of Alert: Every 6 minutes (prevents triggering twice before the next poll of the monitor)

Reset Condition: No Reset - Trigger each time condition is met

Will update if I find anything better for anyone who runs into this themselves in the future.

beeler4304

Have you been able to split up the events into separate alerts through Solarwinds? When I get my emails, I see several of the events and then at the bottom of the email, it says "...another ### events skipped." Have you found a way to show ALL the events instead of just some?

mesverrum

Beside just including a link to the component details page in my alert message I can't think of anything easy that would give you messages for each individual event within SAM.

I always consider event log monitoring to be a "nice to have" kind of feature in SAM, it does what it does and can give you a general idea about the event log, but if you need granular event log monitoring then there are other tools that are more focused on that specific arena, such as LEM or using the Event log forwarder with Kiwi Syslog. Those tools are designed to focus on each individual instance of an event rather than the aggregate approach that SAM takes.

FREE Event Log Forwarder for Windows | SolarWinds

Log & Event Manager - Log Management Software | SolarWinds

Also, word on the street is that Solarwinds is looking in to developing a more logging focused tool to use within the Orion Suite, but it is very early in that process.

-Marc Netterfield

Loop1 Systems: SolarWinds Training and Professional Services

LinkedIN: Loop1 Systems
Facebook: Loop1 Systems
Twitter: @Loop1Systems

monitoringlife

I have been making a template with all the event log components I want, then crafting an alert for the application monitor status. In the alert test I include "${N=SwisEntity;M=ApplicationAlert.ComponentsWithProblemsFormatted}" to detail out all the components that are not healthy. Seems to cover most use cases for my users. Prevents more than one alert, and you don't have to craft an alert per component .