3 Replies Latest reply on Dec 25, 2015 9:52 AM by curtisi

    Help troubleshooting duplicate email alerts

    bmoore

      I am having difficulty troubleshooting my email alerts. I have gotten the email templates set up correctly and all of the information looks good (using account modification email template and I added the SourceAccount field).

       

      What I have noticed is that when an action occurs, I am getting multiple emails sent for the same action but with different email templates.

       

      Ex.  User Account deleted

       

      When someone deletes a user account in ADUC, I get an email from multiple Rules. I understand why this happens but I am working to eliminate the ones that are unnecessary.

       

      My findings from deleting a user account lead me to believe that these are the Rules triggering the action to fire off the emails:

      • User account Deleted Rule
      • User Account Events Rule
      • User Removed From Group Rule
      • Changes to domain objects Rule

       

      I am troubleshooting each one to see if there is a way to suppress the additional emails from being sent.

       

      So, can anyone tell me if there is a way to find out exactly which rules are triggering and sending out the alerts?

      I am new to LEM and am working my way through the videos and docs but have not found anything about suppressing messages.

       

      The goal is to get a single email alert for each action. Currently, I am getting 600 emails per hour and many are duplicated 2 or 3 times. The purpose is to have a paper trail (email) of all the changes to directory objects.

       

      Thanks,

      Joshua

        • Re: Help troubleshooting duplicate email alerts
          curtisi

          Okay, easy question first: yes, you can find out what is sending you e-mail.

          1. Go to Explore --> nDepth
          2. Open the "Events" drawer and find "InternalRuleFired."  Click on this.
          3. Pick the "ExtraneousInfo" field from the list of fields.  Drag it up to the search bar.  You should have something like "InternalRuleFired.ExtraneousInfo ="
          4. To the right of the "=" enter "*email*" (no quotes) and pick a time frame.  Run a search.

           

          This should return every event where a rule fired and the LEM sent an e-mail.  The extraneous info will even list which user the LEM sent e-mail to, so you could further refine the search that way.  You'll also see rule names in the EventInfo if you want to see how frequently a particular rule fires.  These'll also be summed up under the "Refine Results" drawer.

           

          Harder question: can I suppress e-mails?  Sure, but it's going to take some work.

           

          The template rules are, by design, really broad.  The LEM devs would rather you get alerted too much than not enough, and shift the responsibility of reducing the chaff to you.  So, when you delete a user...

          • Is it a user delete? Yes!
          • Is it a user account event? Yes! Being deleted is a pretty critical user account event.
          • Is it a user being removed from a group? Yes! (Even if that group is just "Domain Users")
          • Is it a change to the domain? Yes! The domain has one less member now!

           

          So all of those rules return "TRUE" and all the corresponding actions are taken.  Can you suppress this?  Sure.  The super easy way would be "Turn off three of the rules."  The more complicated way would be to modify the broader rules to ignore precise events, such that "User Account Events" fires if a user account event happens that isn't a user delete.  You'd eventually have a stack of "NOTs" to exempt every user event that isn't covered by something else.  Then you modify the Group and Domain rules similarly.

           

          Or figure out which User events aren't covered by more precise rules (like the Delete, Disable, Enable, Lock, Unlock, etc. rules) and change the correlation to only look for the leftovers you care about.  Ditto for the bigger rules.

           

          Basically, you would need to make the broader rules more precise by adding more precise criteria or removing what they'll alert off of.

           

          I hope that helps!

          1 of 1 people found this helpful
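
The overlap described in the reply above, modelled as an added example that is not part of the thread and is not LEM configuration: each rule is a predicate on one category, and the "stack of NOTs" is an exclusion set on the broader rules. The category names, sample events and the `audit` helper are assumptions made up for this illustration.

```python
# Added illustration: a constructed model of overlapping correlation rules.
# Category names and sample events are assumptions, not LEM's schema.
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    matches: str                     # category the rule correlates on
    unless: frozenset = frozenset()  # the "stack of NOTs": categories that exempt it

    def fires(self, categories):
        return self.matches in categories and not (self.unless & categories)


def alerts(rules, categories):
    """Names of every rule that would send an e-mail for one event."""
    return [r.name for r in rules if r.fires(categories)]


def audit(rules, samples):
    """Map each sample event to its alerts so duplicates (>1) and gaps (0) stand out."""
    return {label: alerts(rules, cats) for label, cats in samples.items()}


# Constructed sample events, each tagged with every category it satisfies.
SAMPLES = {
    "user deleted": frozenset({"user_delete", "user_account", "group_removal", "domain_change"}),
    "user disabled": frozenset({"user_account", "domain_change"}),
    "removed from group": frozenset({"group_removal", "domain_change"}),
    "OU renamed": frozenset({"domain_change"}),
}

TEMPLATE = [
    Rule("User Account Deleted", "user_delete"),
    Rule("User Account Events", "user_account"),
    Rule("User Removed From Group", "group_removal"),
    Rule("Changes to Domain Objects", "domain_change"),
]

# Broad rules exempt whatever a more precise rule already covers.
REFINED = [
    Rule("User Account Deleted", "user_delete"),
    Rule("User Account Events", "user_account", frozenset({"user_delete"})),
    Rule("User Removed From Group", "group_removal", frozenset({"user_delete"})),
    Rule("Changes to Domain Objects", "domain_change",
         frozenset({"user_delete", "user_account", "group_removal"})),
]

if __name__ == "__main__":
    for label, fired in audit(REFINED, SAMPLES).items():
        print(f"{label}: {fired}")
```

Running `audit` over a set of representative events after every rule change shows both remaining duplicates and any event that no longer alerts at all, which is the risk when exclusions are added to broad rules.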
            • Re: Help troubleshooting duplicate email alerts
              bmoore

              Curtis, Thank you for the wonderful response.

               

              I did follow your suggestion for nDepth to see which ones were sending out emails. However, it did not return any results. Here is a screenshot:

              ndepth.JPG

              I ran it for each time frame from 2 hours to a week with zero results. Perhaps I did something wrong?

               

              Anyway, after thinking about what you said ("The super easy way would be 'Turn off three of the rules'"), I think I will discuss this with my team and see what we actually need alerts for (since all events will be in the database anyway). We may only need the Added to a group and User was Created or deleted set up as alerts.


              I agree with the thought of getting alerted too much rather than not enough, but management wants to be on the mailing list for these alerts and I do not wish to have their mailboxes explode with thousands of alerts. (We have 5000+ users and this will generate too many emails daily.)


              I will evaluate what we really need alerting for and set up my rules accordingly.