Hello all,
I recently stepped into the role of working with SolarWinds in my company. One of the first 10 million tasks is to really go through all of the alarming alerts and see what's important and what we should not monitor.
Last week a coworker had sent me a screenshot of 4 component monitors that apparently have been alarming ever since they were turned on for the Active Directory application monitoring for our domain controllers. The events seem like they would be common SW issues to me - "Account failed to logon Event", "Attempted to logon using explicit credentials event", "system audit Policy was changed event", and "Changing Audit Policy event".
These, while helpful to know, seem like they're better left to the SIEM product we use rather than SW. I am having trouble stopping these from alarming.
I first tried to use the baseline stat, but I quickly found our baseline stat number exceeded the maximum allowed for the threshold fields. After seeing that, it seems to be the case that I'll need to set these monitors up in a way that they are never "Down".
This is how I thought I could deal with them, by making them always report as "Up", but they're still in a critical state with the red (!) icon. Thoughts?