
Send me an alert!

Sorry for the noob questions that I have been posting, but that's pretty much what I am at this point...

I want to configure email notifications (at some point I will get to custom actions) when a warning or error level NETLOGON event shows up from a computer in my Domain Controllers filter.  How do I set that up?

  • FormerMember

    Try this in a filter first:

    Any Alert.DetectionIP = <domain controllers group>

    and

    Any Alert.EventInfo = *error*

    and

    Any Alert.ProviderSID = *netlogon*

    That last one might be EventInfo = *netlogon* not ProviderSID, but I'm not sure. If you had a sample event even from event viewer (scrubbed of incriminating details), I could be more sure.

    If that works, you'll want to build a rule to notify you automatically whether you've got the console up or not.

    When building a rule to notify you via e-mail, you should refine it down a little more to the right event type, otherwise the memory/CPU of your appliance might need to be increased (using "any alert" means the rules engine has to check every alert for these strings, which can be costly). It's probably more like:

    ServiceWarning.DetectionIP = <domain controllers group>

    and

    ServiceWarning.EventInfo = *error*

    and

    ServiceWarning.ProviderSID = *netlogon*

  • I am actually going to modify my dev environment in order to generate one of the alerts that I am looking for so that I can give you an example of something that I want to be alerted on. ...I'll be back with additional info. Thanks for your help!

  • Hey Kris,

    I'm Kellie from the UX (User Experience) group.  Our job is to gather feedback on product designs from our users that will help us make SolarWinds products easier to use and more useful.  This week and next we're running some LEM feedback sessions where we are specifically looking for "noobs" like you to give us some opinions on some redesigned screens and flows in LEM.  People who participate get 2,000 points in the thwack store, and more importantly, a chance to really impact product direction.  We'd really love it if you could spend some time with us reviewing some screen mockups around configuring LEM.  Please email me directly at kellie.mecham@solarwinds.com to find out more.  Sure hope to hear from you--and any other LEM noobs who might be interested.

    Thanks!

    Kellie (meech)

  • Below is a screenshot from Windows for one of the events that I am looking to monitor for (sorry, but I still haven't figured out how to search for specific events in Log and Event Manager).

    ScreenShot042.jpg

  • FormerMember in reply to kris_mortensen

    Ah! It is a "Warning" not an "Error", so what I had won't find it. This one should come in as a ServiceWarning. You have the option of building the filter/rule/search based on the Event ID if you want to be very specific, or some combination of the source and data in the event to be a little more broad.

    This should work, and will also catch any other netlogon errors or warnings, too:

    ServiceWarning.DetectionIP = <domain controllers group>

    and

    ServiceWarning.ProviderSID = *netlogon*

    If you want to be more specific to that Event ID, the ProviderSID of the alert is generated by combining the Source with the Event ID (e.g. NETLOGON 5807).

    ServiceWarning.DetectionIP = <domain controllers group>

    and

    ServiceWarning.ProviderSID = netlogon 5807

    You can search for events from nDepth (Explore > nDepth) - it's a lot like building filters or rules, but with some more open options to search for occurrences across any field. For this one, you could search for "5807" to find just that EventID, or "NETLOGON" to find all events that contain NETLOGON, or you can search for specific fields.

    What I'd probably do in your shoes is:

    Build a filter for this in Monitor (a subset of what you want):

    ServiceWarning.ProviderSID = *netlogon*

    Either generate the event again OR search nDepth to verify it's going to catch what you want (top left Gear > send to nDepth will send any filter criteria over to search historical data).

    Add the Domain Controllers bit (by name or using groups) and repeat to make sure it narrows it down accordingly (still does what you want) by generating again or searching again.

    Then, build a rule (unfortunately no quick way to send filter to a rule yet, but you'll be a pro at this in no time) to notify you automatically. Also worth noting, you can add a notification to a filter (like a popup or a sound), but if you want to get it via e-mail and/or when your console is closed, or want to do frequency ("5 of these in 30 minutes") you have to take it to a rule.
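An added example, not part of the original posts and not LEM code: an offline Python sketch of the logic discussed above (ProviderSID built from Source plus Event ID, a wildcard match limited to a domain controllers group, and a "5 of these in 30 minutes" frequency rule). The IP addresses, event records, function names and the case-insensitive comparison are assumptions made for illustration.

```python
from datetime import datetime, timedelta
from fnmatch import fnmatchcase
from ipaddress import ip_address

# Constructed sample data: hypothetical domain controller addresses.
DOMAIN_CONTROLLERS = {ip_address("10.0.0.10"), ip_address("10.0.0.11")}

def provider_sid(source, event_id):
    """Source and Event ID joined as the thread describes, e.g. 'NETLOGON 5807'."""
    return f"{source} {event_id}"

def matches(event, pattern, group=DOMAIN_CONTROLLERS):
    """True when the event comes from the group and its ProviderSID matches the wildcard.
    Case-insensitive comparison is an assumption of this sketch, not documented LEM behaviour."""
    in_group = ip_address(event["DetectionIP"]) in group
    return in_group and fnmatchcase(event["ProviderSID"].lower(), pattern.lower())

def threshold_hits(events, pattern, count=5, window=timedelta(minutes=30)):
    """Return the timestamps at which `count` matching events fell inside `window`."""
    recent, fired = [], []
    for ev in sorted(events, key=lambda e: e["time"]):
        if not matches(ev, pattern):
            continue
        recent.append(ev["time"])
        # Keep only the matches that are still inside the window.
        recent = [t for t in recent if ev["time"] - t <= window]
        if len(recent) >= count:
            fired.append(ev["time"])
            recent = []  # reset so one burst produces one notification
    return fired

def sample_events():
    """Constructed events: five NETLOGON 5807 warnings from a DC, plus two that must be ignored."""
    start = datetime(2024, 1, 1, 9, 0)
    evs = [{"time": start + timedelta(minutes=5 * i), "DetectionIP": "10.0.0.10",
            "EventInfo": "NETLOGON Warning", "ProviderSID": provider_sid("NETLOGON", 5807)}
           for i in range(5)]
    # Same event from a host outside the group, and an unrelated (made-up) source on a DC.
    evs.append({"time": start, "DetectionIP": "10.0.0.99",
                "EventInfo": "NETLOGON Warning", "ProviderSID": provider_sid("NETLOGON", 5807)})
    evs.append({"time": start, "DetectionIP": "10.0.0.11",
                "EventInfo": "EXAMPLESVC Warning", "ProviderSID": provider_sid("EXAMPLESVC", 1000)})
    return evs

if __name__ == "__main__":
    print(threshold_hits(sample_events(), "*netlogon*"))
```
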

  • I created a filter as you suggested, but none of the events are being captured in the filter, so I am confident that no alert will be generated either. I am kind of at a loss for what to do next...

  • FormerMember in reply to kris_mortensen

    Fair assumption. ;)

    I confirmed this alert should appear with
    EventInfo: NETLOGON Warning

    ProviderSID: NETLOGON 5807

    If you're not seeing anything for any netlogon alerts, that sounds fishy.

    Is that system sending other events to LEM? (Covering all the bases) If you create a filter (or search) for just the system you're testing on, do you see anything?

  • I changed the filter to use AnyAlert.ProviderSID = NETLOGON*, and then I saw events that I was looking for. I configured a rule based on this as well, and sure enough, got an email. The email doesn’t have that much detail in it though (I used the Default email template). I will have to mess with it so that I get all of the info that I want. Thanks for your help!

  • FormerMember in reply to kris_mortensen

    Sweet! I feel like I should buy you a beer! ;)

  • Thanks for all your help! …Unfortunately, I don’t drink. As one of my coworkers says, “I feel bad for Kris… I know that when he comes to work in the morning, that’s the best he will feel all day!”