Kaseya Community

Rookie question regarding Event Logs

  • Hi Folks,

    We are just getting underway with using Kaseya. We are a 3rd party support organization. We currently have about 200 agents total deployed across 6 customer sites. Regarding Monitor/Alerts/Event Logs, we are currently receiving alerts for all generated error events. Obviously this is not a long-term solution, because we can’t see the forest for the trees with so many alerts coming in. I’ve looked at the Kaseya video training and looked around the on-line documentation here, but I’m not grasping how to start on effectively whittling down the number of alerts to a meaningful level. Do you create what Kaseya calls an “ignore list” or “monitor set” (not sure what either of those actually mean) and then do you universally apply those or perhaps have different sets for different customers? Do you simply disable some types of logging? (That seems dangerous.) I’m looking for some kind of best practices for getting this started, or input from others who have done this. I realized this is a VERY rookie question, but I’d appreciate any direction.

    Thanks,

    Gregg

    Legacy Forum Name: Rookie question regarding Event Logs,
    Legacy Posted By Username: egltech
  • Welcome Gregg,

    We've discussed this topic many times before, so hang on for a bumpy ride as you'll get more opinions than I'll know what to do with.

    We too are a third party with about double the agents. Our philosophy regarding the event logs is that we ignore nothing; sometimes you'll need to see a pattern or if errors come with partners, so if you ignore something you might be ignoring something that matters. Yes, even the infamous event ID 1000 can be of use. When we first got on board with Kaseya we were getting well over 2000 event alerts a day. Boy were we doing a good job before. So me and the one other tech (at the time) went at it, and in a few weeks we were able to get them down to about 200 a day. The key for us was that we were able to find the problem and fix it; once we saw a pattern we scripted the solution and deployed as needed. To answer your question, we've deployed monitor sets, and the sets keep growing and being adjusted. So I hope that I've kind of rambled my way into an answer for you... My saying is to fix everything that can be fixed, after that blame the user!

    Legacy Forum Name: How-To,
    Legacy Posted By Username: thirteentwenty
  • My saying is to fix everything that can be fixed, after that blame the user!


    Hahahaha, I like that!
    Well, I have been using Kaseya for about 3 weeks now and the event log is slowing down very fast.
    I get a lot about NTC time and stuff that I ignore, but besides that I try to fix every event as it comes in (if it needs fixing), and if you fix it once and make a script for it you won't need to again on another server, because all you need to do is run that script... and VOILA, you have a library of fixes ready to deploy.

    Legacy Forum Name: How-To,
    Legacy Posted By Username: Iggy1328
  • The strategy I used was to start by monitoring all errors, and then building an ignore set/sets where appropriate. I would love to ignore nothing, but unfortunately there are situations where an error will be logged with nothing to do about it. For instance, running Backup Exec with SQL on a server that has ACT! will always generate a login failure. ACT! protects the SA password and charges a hefty fee to get access to it, so it's not worth reacting to. Since ACT! performs its own backups outside of Backup Exec or some other third-party utility logging in to back up the database, it is safe to ignore.

    For Warnings, it is the exact opposite. Ignore everything, and build a list of warnings that you want to get notified about. Exchange store size, disk warnings, etc.

    Once I got this far, the next step was to then begin scripting resolutions. Disk warnings trigger a check disk script instead of creating a ticket. If the check disk finds any errors, it sends an email to the ticket system. This way, some of the initial legwork is done already. Another example would be the W32time errors - this can trigger a manual re-configuration and re-sync of the time server to another source. The scripted response is a matter of creativity and resourcefulness.

    I would love to hear other people's ideas about what kind of events trigger an automatic maintenance.

    Legacy Forum Name: How-To,
    Legacy Posted By Username: drodden
  • I've got a set to ignore the missing DC errors that gets deployed to laptops that are frequently taken out of the office as a matter of policy. These laptops will always generate a handful of alerts every time they boot up outside the network, and we can rely on fixed machines to let us know when there's an issue with the DC (in addition to monitor sets on the DC itself).

    As soon as I get a second group giving the "master browser election" errors I'll get around to making an ignore set there too. (Someone smack MS for that one. It's a regular part of Windows networking, why is it an error?)

    I'm very much of the "look at everything then filter out what you don't need" camp. Even without filters, our older clients generate very few error events (two of our clients get them so rarely that I've gone back and made sure they were enabled!). I have yet to see a new client do less than 100/day once reporting is enabled (these are

    Look for the pattern and roll out scripts. When you point the time to the local U, and fix the driver for that one printer, they'll be noticing fewer errors on their computers.

    Then, when you re-run the executive summary to send them with their first monthly invoice, they'll see that score climbing! Good way to show them the value.

    Remember, a lot of people believe that errors are a normal part of computing, and just make do. If you fix a problem that they thought was something they had to live with... They will love you, even if it was only a minor nuisance.

    btw, I'd suggest adding a monitor set that watches for excessive pagefile usage. When you call them up and say "Hey, I noticed your computer crashes a lot and I can see a $100 upgrade that will stop that" they will love you even more.

    My saying is to fix everything that can be fixed, after that blame the user!

    Better still, sometimes you can trap the user error and script the fix that undoes what they messed up, like my personal favorite "My printer keeps disappearing!"
    Or you could have it do something funny, like pop up a message that says "STOP DELETING THE PRINTER I'm getting tired of putting it back -signed your computer."

    Legacy Forum Name: How-To,
    Legacy Posted By Username: dwujcik
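
An added example, not part of any post in this thread and not Kaseya's own code: the triage policy described in the two posts above (alert on every error except scoped ignore sets, ignore every warning except a watch list, answer some events with a script first), sketched in Python. The group names, script names and event source/ID pairs are assumptions chosen for illustration.

```python
from collections import Counter
from typing import NamedTuple

class Event(NamedTuple):
    machine: str
    group: str       # machine group the agent belongs to (hypothetical names)
    level: str       # "Error" or "Warning"
    source: str
    event_id: int

# Errors: alert on everything except these, and only for the listed groups,
# so a failed SQL login or missing-DC error anywhere else still alerts.
ERROR_IGNORE = {
    ("MSSQLSERVER", 18456): {"act-servers"},
    ("NETLOGON", 5719): {"roaming-laptops"},
}
# Warnings: the opposite default, ignore everything except this watch list.
WARNING_WATCH = {("Disk", 51)}
# Events answered by a script instead of a ticket (script names hypothetical).
REMEDIATE = {("Disk", 51): "run_check_disk", ("W32Time", 29): "resync_time_source"}

def triage(ev):
    """Return (action, script); action is 'ignore', 'alert' or 'remediate'."""
    key = (ev.source, ev.event_id)
    if ev.level == "Error":
        if ev.group in ERROR_IGNORE.get(key, set()):
            return ("ignore", None)
    elif ev.level != "Warning" or key not in WARNING_WATCH:
        return ("ignore", None)
    script = REMEDIATE.get(key)
    return ("remediate", script) if script else ("alert", None)

def top_patterns(events, n=3):
    """Most frequent (source, id) pairs still alerting: what to fix or script next."""
    return Counter((e.source, e.event_id) for e in events
                   if triage(e)[0] == "alert").most_common(n)

# Constructed sample events, not real log data.
SAMPLE = [
    Event("act01", "act-servers", "Error", "MSSQLSERVER", 18456),
    Event("sql02", "office-servers", "Error", "MSSQLSERVER", 18456),
    Event("lt07", "roaming-laptops", "Error", "NETLOGON", 5719),
    Event("ws11", "office-desktops", "Error", "NETLOGON", 5719),
    Event("ws13", "office-desktops", "Error", "NETLOGON", 5719),
    Event("ws11", "office-desktops", "Warning", "Disk", 51),
    Event("ws12", "office-desktops", "Warning", "Print", 4),
    Event("dc01", "office-servers", "Error", "W32Time", 29),
]

if __name__ == "__main__":
    for ev in SAMPLE:
        print(ev.machine, ev.source, ev.event_id, triage(ev))
    print(top_patterns(SAMPLE))
```

Keeping each ignore entry scoped to a machine group is what lets the same login-failure or missing-DC event stay silent on the machines where it is expected and still alert everywhere else.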
  • Thanks to all for your insightful ideas. We'll start digging in!

    Legacy Forum Name: How-To,
    Legacy Posted By Username: egltech
  • dwujcik

    As soon as I get a second group giving the "master browser election" errors I'll get around to making an ignore set there too. (Someone smack MS for that one. It's a regular part of Windows networking, why is it an error?)


    Or you could fix it. Master Browser for me has ALWAYS been different computers with different subnet masks. Ensure EVERYTHING (workstations, servers, printers, routers etc.) is using the same subnet mask and this error will go away on its own.

    Regards,
    Chris

    Legacy Forum Name: How-To,
    Legacy Posted By Username: chris@busy.co.nz