cancel
Showing results for 
Search instead for 
Did you mean: 
Create Post

Event Alert Question

Jump to solution

I setup a monitor to check my Solarwinds APP server for Event ID 10028. This is when a node cannot access the Solarwinds App server.  What I am trying to figure out is how to configure the alert to let me know what is in the event message.  Can I do that at all?  So something that will let me know what was in the message. Ideally if I can figure this out I have another event monitor monitoring account lockouts that I would like to alert on as well.  Thanks!

pastedImage_0.png

Tags (1)
0 Kudos
1 Solution

martian monster​ If your logs are there, for that Windows Server, you should be able to see them in the "Orion.APM.WindowsEvent" table with this SWQL query.

SELECT
EventCode
,TOLOCAL(TimeGeneratedUtc) AS TimeStamp
,ComputerName
,SourceName
,User
,Message
FROM Orion.APM.WindowsEvent
WHERE EventCode = 10028

View solution in original post

11 Replies

Use properties and variables in SAM application monitors and component monitors in alerts

Have you tried these:

${ComponentMessage}

${WindowsEventMessages}

${StatusOrError

Description}

I will give those a try and see what comes up.  Thank you.

0 Kudos

Yeah that did not pull anything into the alert.   

pastedImage_1.png

Here is the event log in Orion -

pastedImage_2.png

I wonder if some SWSQL magic would work. 

0 Kudos

martian monster​ If your logs are there, for that Windows Server, you should be able to see them in the "Orion.APM.WindowsEvent" table with this SWQL query.

SELECT
EventCode
,TOLOCAL(TimeGeneratedUtc) AS TimeStamp
,ComputerName
,SourceName
,User
,Message
FROM Orion.APM.WindowsEvent
WHERE EventCode = 10028

View solution in original post

That worked!! I have just dabbled in SWQL a little bit but more and more I am thinking I need to try to work on SWQL a bit more.  If I put this query in the alert when it fires it will add that information to the alert and I can edit what I would like in the alert?

0 Kudos

martian monster​ I think you would probably be better off, if possible, to simply add that specific event to its own component monitor. That should allow you to pull all the data via the variables.

pastedImage_0.png

pastedImage_4.png

I THINK that should dump all the info you need into a component which you can then reference within the alert.

Is this how you already have it setup, or are you monitoring it a different way?

0 Kudos

I have the monitor setup like above - one component to one event ID to make things simple. 

And I cannot thank you enough for this.  I have a dashboard setup to report on DC 'things' and added a widget to it and put that SWQL query on it and made it searchable. 

Thank You wluther​ you made my Friday afternoon and everyone else here that was using the old hunt and peck game for account lockouts!! 

0 Kudos

Could you include a screen shot of your alert configuration for that specific event id in this post?  The summary page would be great!

0 Kudos

martian monster​ Are you actually pulling, or sending, those events to Orion, or are you just having Orion check them and return and yes/no?

0 Kudos

wluther     I am not sending the events to Orion. I have the monitor checking the event log and then returning a yes/no to Orion.  Judging by your statement because I am not sending the actual events to Orion I probably can't add them to an alert? This is my first time working with the Event Log monitoring/alerting so I am learning a bit as I go here.  Thanks

0 Kudos

Well, I'm pretty sure you have the logs, as long as that last screenshot was from a SAM app/component monitor page. At least I think you should.

0 Kudos