10 Replies Latest reply on Apr 17, 2017 10:06 AM by cmarsh@wtamu.edu

    TriGeo Alert - Disk nearly full

    rcsteve

      I started receiving these LEM email alerts and I am not sure if it is saying my LEM c: drive and what I need to do.  This is the message:

       

      disk c: nearly full at 2016-05-11 10:07:00.0

       

      There is no other information in the email to tell me what server it is so I am assuming it is the LEM server.

      Any assistance would be appreciated.

      Thanks

        • Re: TriGeo Alert - Disk nearly full
          prawij

          The LEM appliance is running Debian, so it doesn't have a C: drive. I'm guessing this is telling you that one of the nodes you have a LEM agent deployed on is approaching 100% utilization on its C:\ drive.

           

          When you log in to the LEM GUI, go to "Monitor" and then choose Rule Activity on the left side menu; this should show you what triggered the email alert.

          • Re: TriGeo Alert - Disk nearly full
            curtisi

            You may also want to modify the rule to use a template with more information slots so you can get things like the "Detection IP" in the e-mail and have it tell you which machine is running low on disk space.

             

            Also, that Windows event is based on percentages, not free bytes.  It fires when a disk has less than 5% free.  If a server has a 50GB drive, that may be a real concern.  If it's a system with 64TB of disk, 5% is still a lot.

             

            I have this video on configuring e-mails in rules that may help.

             

              • Re: TriGeo Alert - Disk nearly full
                cmarsh@wtamu.edu

                Hello! I see that this is an old post but seems to be the only hit when I search this issue.

                 

                I am new to LEM, and after enabling some of the built-in rules I am now receiving this alert as well. I have included the event details below in case that is helpful. This alert doesn't show me what node is having the issue, all of the details seem to be for the LEM appliance itself. Any suggestions on additional parameters I can add to find out which node really triggered the alert would be much appreciated!

                 

                 

                Event Field | Information
                Event Name | InternalRuleFired
                EventInfo | The 'Windows Disk Nearly Full' rule fired
                InsertionIP | swlem (this is my LEM appliance)
                Manager | swlem (this is my LEM appliance)
                DetectionIP | 192.168.1.250 (this is my LEM appliance)
                InsertionTime | 11:19:40 Wed Apr 05 2017
                DetectionTime | 11:19:40 Wed Apr 05 2017
                Severity | 2
                ToolAlias | TriGeo
                InferenceRule | Windows Disk Nearly Full
                ProviderSID |
                ExtraneousInfo | Email [admin]
              • Re: TriGeo Alert - Disk nearly full
                curtisi

                It appears that you're sending an e-mail off a correlation of a correlation: basically, a rule is triggering another rule that sends an e-mail.  You need to add the "Send E-mail" to the disk full rule, and populate the fields accordingly.

                • Re: TriGeo Alert - Disk nearly full
                  curtisi

                  That can't be it, unfortunately.  The e-mail you pasted has many fields, the e-mail that rule sends has two.

                   

                  Can you do a search in nDepth for "InternalRuleFired.ExtraneousInfo = *email*" (no quotes) for the last week and see what that returns?

                    • Re: TriGeo Alert - Disk nearly full
                      cmarsh@wtamu.edu

                      Thanks for the info curtisi! That gave me a good chance to play with the nDepth utility. Running that query you posted gave me about 6,000 results, but only 3 of those "seem" to be relevant (as far as I can tell). I have included a screenshot of the "Refine Fields" options showing the types of events that showed up. I exported the list of "Windows Disk Nearly Full" events and have included the results of it below. Do you think I should be looking at one of the other InferenceRules in this list? Thanks again for taking the time to look and reply!

                       

                       

                       

                                 

                      Event Name | EventInfo | InsertionIP | Manager | DetectionIP | InsertionTime | DetectionTime | Severity | ToolAlias | InferenceRule | ExtraneousInfo
                      InternalRuleFired | The 'Windows Disk Nearly Full' rule fired | slem.localdomain | slem.localdomain | 192.168.1.2 | Wed Apr 5 11:19:40 GMT-0500 2017 | Wed Apr 5 11:19:40 GMT-0500 2017 | 2 | TriGeo | Windows Disk Nearly Full | Email [admin]
                      InternalRuleFired | The 'Windows Disk Nearly Full' rule fired | slem.localdomain | slem.localdomain | 192.168.1.2 | Wed Apr 5 08:57:28 GMT-0500 2017 | Wed Apr 5 08:57:28 GMT-0500 2017 | 2 | TriGeo | Windows Disk Nearly Full | Email [admin]
                      InternalRuleFired | The 'Windows Disk Nearly Full' rule fired | slem.localdomain | slem.localdomain | 192.168.1.2 | Tue Apr 4 16:44:42 GMT-0500 2017 | Tue Apr 4 16:44:42 GMT-0500 2017 | 2 | TriGeo | Windows Disk Nearly Full | Email [admin]
                    • Re: TriGeo Alert - Disk nearly full
                      curtisi

                       

                      Can you update the mail template for that alert and see if that changes the alerts you're getting?

                        • Re: TriGeo Alert - Disk nearly full
                          cmarsh@wtamu.edu

                          Thanks for the link to the video, that is awesome! I have created an email template essentially matching what you (I believe it was you) set up in the video, assigned it to some uninformative alerts I've been receiving, and now will wait to see if I get that info. Unfortunately I haven't received any more disk alerts (or is that fortunate?) - I never took any action to correct them and never identified what agent nodes correlated to those alerts and so now I'll have to wait for it to happen again. But, I applied this new template to other alerts I've been getting that were using the original Default template and also didn't tell me from where they originated and so hopefully this will address those as well.

                           

                          Thanks again for taking the time to reply and also for creating/sharing that video. Very informative!!

                          • Re: TriGeo Alert - Disk nearly full
                            cmarsh@wtamu.edu

                            I just want to add that after updating the mail template with the settings in your video and then applying it to many of my alerts, I can now see where each alert is coming from along with a lot of useful info. Thanks for your time and your help!!