14 Replies Latest reply on Nov 15, 2012 1:02 PM by kris_mortensen

    Send me an alert!

    kris_mortensen

      Sorry for the noob questions that I have been posting, but that's pretty much what I am at this point....

       

      I want to configure email notifications (at some point I will get to custom actions) when a warning or error level NETLOGON event shows up from a computer in my Domain Controllers filter.  How do I set that up?

        • Re: Send me an alert!
          nicole pauls

          Try this in a filter first:

          Any Alert.DetectionIP = <domain controllers group>

          and

          Any Alert.EventInfo = *error*

          and

          Any Alert.ProviderSID = *netlogon*

           

          That last one might be EventInfo = *netlogon* not ProviderSID, but I'm not sure. If you had a sample event even from event viewer (scrubbed of incriminating details), I could be more sure.

           

          If that works, you'll want to build a rule to notify you automatically whether you've got the console up or not.

           

          When building a rule to notify you via e-mail, you should refine it down a little more to the right event type, otherwise the memory/CPU of your appliance might need to be increased (using "any alert" means the rules engine has to check every alert for these strings, which can be costly). It's probably more like:

           

          ServiceWarning.DetectionIP = <domain controllers group>

          and

          ServiceWarning.EventInfo = *error*

          and

          ServiceWarning.ProviderSID = *netlogon*

            • Re: Send me an alert!
              kris_mortensen

              I am actually going to modify my dev environment in order to generate one of the alerts that I am looking for so that I can give you an example of something that I want to be alerted on. ...I'll be back with additional info. Thanks for your help!

                • Re: Send me an alert!
                  Kellie Mecham

                  Hey Kris,

                   

                  I'm Kellie from the UX (User Experience) group.  Our job is to gather feedback on product designs from our users that will help us make SolarWinds products easier to use and more useful.  This week and next we're running some LEM feedback sessions where we are specifically looking for "noobs" like you to give us some opinions on some redesigned screens and flows in LEM.  People who participate get 2,000 points in the thwack store, and more importantly, a chance to really impact product direction.  We'd really love it if you could spend some time with us reviewing some screen mockups around configuring LEM.  Please email me directly at kellie.mecham@solarwinds.com to find out more.  Sure hope to hear from you--and any other LEM noobs who might be interested.

                   

                  Thanks!

                   

                  Kellie (meech)

                • Re: Send me an alert!
                  kris_mortensen

                  Below is a screenshot from Windows for one of the events that I am looking to monitor for (sorry, but I still haven't figured out how to search for specific events in Log and Event Manager)

                  ScreenShot042.jpg

                    • Re: Send me an alert!
                      nicole pauls

                      Ah! It is a "Warning" not an "Error", so what I had won't find it. This one should come in as a ServiceWarning. You have the option of building the filter/rule/search based on the Event ID if you want to be very specific, or some combination of the source and data in the event to be a little more broad.

                       

                      This should work, and will also catch any other netlogon errors or warnings, too:

                       

                      ServiceWarning.DetectionIP = <domain controllers group>

                      and

                      ServiceWarning.ProviderSID = *netlogon*

                       

                      If you want to be more specific to that Event ID, the ProviderSID of the alert is generated by combining the Source with the Event ID (e.g. NETLOGON 5807).

                       

                      ServiceWarning.DetectionIP = <domain controllers group>

                      and

                      ServiceWarning.ProviderSID = netlogon 5807

                       

                      You can search for events from nDepth (Explore > nDepth) - it's a lot like building filters or rules, but with some more open options to search for occurrences across any field. For this one, you could search for "5807" to find just that EventID, or "NETLOGON" to find all events that contain NETLOGON, or you can search for specific fields.

                       

                      What I'd probably do in your shoes is:

                      Build a filter for this in Monitor (a subset of what you want):

                       

                      ServiceWarning.ProviderSID = *netlogon*

                       

                      Either generate the event again OR search nDepth to verify it's going to catch what you want (top left Gear > send to nDepth will send any filter criteria over to search historical data).

                       

                      Add the Domain Controllers bit (by name or using groups) and repeat to make sure it narrows it down accordingly (still does what you want) by generating again or searching again.

                       

                      Then, build a rule (unfortunately no quick way to send filter to a rule yet, but you'll be a pro at this in no time) to notify you automatically. Also worth noting, you can add a notification to a filter (like a popup or a sound), but if you want to get it via e-mail and/or when your console is closed, or want to do frequency ("5 of these in 30 minutes") you have to take it to a rule.

                      1 of 1 people found this helpful
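
Added example, not part of the original thread and not SolarWinds code: a Python model of the filter-then-rule workflow described in the reply above, run over constructed events. The DetectionIP and ProviderSID field names and "NETLOGON 5807" come from the thread; the IP addresses, the `OtherType`/`OtherSource` values, case-insensitive wildcard matching, and the 3-in-30-minutes threshold are assumptions.

```python
from datetime import datetime, timedelta
from fnmatch import fnmatchcase

# Constructed sample data: addresses are hypothetical stand-ins for the
# "domain controllers group" used in the thread's filters.
DOMAIN_CONTROLLERS = {"10.0.0.10", "10.0.0.11"}
T0 = datetime(2012, 11, 15, 9, 0)

def ev(minutes, etype, ip, sid):
    return {"time": T0 + timedelta(minutes=minutes), "type": etype,
            "DetectionIP": ip, "ProviderSID": sid}

EVENTS = [
    ev(0,  "ServiceWarning", "10.0.0.10", "NETLOGON 5807"),
    ev(5,  "ServiceWarning", "10.0.0.11", "NETLOGON 5807"),
    ev(9,  "ServiceWarning", "10.0.0.50", "NETLOGON 5807"),  # not a DC
    ev(12, "OtherType",      "10.0.0.10", "NETLOGON 5807"),  # hypothetical type
    ev(20, "ServiceWarning", "10.0.0.10", "OtherSource 1"),  # unrelated source
    ev(25, "ServiceWarning", "10.0.0.10", "NETLOGON 5807"),
]

def wild(pattern, value):
    """'*' wildcard match; case-insensitivity is an assumption of this model."""
    return fnmatchcase(value.lower(), pattern.lower())

def matches(event, provider_sid, event_type=None, dc_only=True):
    """event_type=None models an 'Any Alert' condition; a name scopes to one type."""
    if event_type is not None and event["type"] != event_type:
        return False
    if dc_only and event["DetectionIP"] not in DOMAIN_CONTROLLERS:
        return False
    return wild(provider_sid, event["ProviderSID"])

def threshold_hits(events, count, window, **criteria):
    """Times at which `count` matching events have occurred within `window`."""
    times = sorted(e["time"] for e in events if matches(e, **criteria))
    return [times[i] for i in range(count - 1, len(times))
            if times[i] - times[i - count + 1] <= window]

if __name__ == "__main__":
    # Step 1: broad filter. Step 2: narrow and re-check. Step 3: frequency rule.
    broad = [e for e in EVENTS if matches(e, "NETLOGON*")]
    scoped = [e for e in EVENTS if matches(e, "*netlogon*", "ServiceWarning")]
    print(len(broad), "broad matches;", len(scoped), "scoped matches")
    print(threshold_hits(EVENTS, 3, timedelta(minutes=30),
                         provider_sid="netlogon 5807", event_type="ServiceWarning"))
```

Comparing the broad and scoped counts at each narrowing step is the same check the reply recommends doing with a filter or nDepth search before building the rule.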
                        • Re: Send me an alert!
                          kris_mortensen

                          I created a filter as you suggested, but none of the events are being captured in the filter, so I am confident that no alert will be generated either. I am kind of at a loss for what to do next...

                            • Re: Send me an alert!
                              nicole pauls

                              Fair assumption.

                               

                              I confirmed this alert should appear with
                              EventInfo: NETLOGON Warning

                              ProviderSID: NETLOGON 5807

                               

                              If you're not seeing anything for any netlogon alerts, that sounds fishy.

                               

                              Is that system sending other events to LEM? (Covering all the bases) If you create a filter (or search) for just the system you're testing on, do you see anything?

                                • Re: Send me an alert!
                                  kris_mortensen

                                  I changed the filter to use AnyAlert.ProviderSID = NETLOGON*, and then I saw events that I was looking for. I configured a rule based on this as well, and sure enough, got an email. The email doesn’t have that much detail in it though (I used the Default email template). I will have to mess with it so that I get all of the info that I want. Thanks for your help!

                                  1 of 1 people found this helpful
                                    • Re: Send me an alert!
                                      nicole pauls

                                      Sweet! I feel like I should buy you a beer!

                                        • Re: Send me an alert!
                                          kris_mortensen

                                          Thanks for all your help! …Unfortunately, I don’t drink. As one of my coworkers says, “I feel bad for Kris… I know that when he comes to work in the morning, that’s the best he will feel all day!” ☺

                                            • Re: Send me an alert!
                                              nicole pauls

                                              Hah! I'm sure we could find a suitable therapeutic replacement to alcohol, I'm not a drinker myself either.

                                               

                                              Probably stealing a bit of Kellie's thunder since she asked you to participate in usability reviews, but since this is fresh, do you have any ideas on what would have made this easier? I'm thinking maybe:

                                              • Making it easier to see all of the events from a single device (the new "node details" dashboard in our RC should help)
                                              • Making it easier to search for an event more quickly with some criteria once you know it has occurred
                                              • Making it easier to build a rule from an example event once you've found it

                                               

                                              Anything else?

                                                • Re: Send me an alert!
                                                  kris_mortensen

                                                  Those are all great suggestions. I think part of the learning curve is just the fact that I don’t know what each object is. For example, you giving me a sample of what ProviderSID results in was really helpful.

                                                    • Re: Send me an alert!
                                                      Kellie Mecham

                                                      Hey Kris,

                                                       

                                                      I'm thinking after Thanksgiving (and boy do I have a lot of cooking to do to get ready!) it might be nice to get on a phone call with you and see your system (if you are allowed to show it to us, if not we can just talk) and discuss what we could make easier/more intuitive in context with reviewing your LEM.  Do you think around the first week in December you might have 45 minutes or so to spend with us just talking about the experience of getting up and running?

                                                       

                                                      You can either email me directly or reply to this thread.  I LOVE talking to new LEM users because we learn so much from you!