Maybe someone from the forum can help me out on this one. Thanks in advance for any responses.
I want to move completely to policy management but here is one scenario I can't figure out.
I have custom scripts that identify backup software which is populated in a custom field. I then apply event log settings based on this view. One of the event log settings is to alert if I haven't seen a failed or completed backup in the last 30 hours. Policy management seems to do its job when a machine is in compliance with this view. Applies the event log settings and good to go. However, if my backup check script runs and that backup software is removed (removed from custom field), it leaves the view.
If this was a reactive event log, it wouldn't be a problem since it just wouldn't see the event id. But because this is an exception event log setting it throws an alert because obviously it hasn't seen a completed or failed backup because that software is no longer running. Support is saying I would have to go through and find any of these machines that have dropped out of the view and remove the event log.
Anyone else have any ideas on how to accomplish this without manual intervention?
Why don't you use a view to get your backup software? The view will be refreshed every time the audits are run on these machines; then with Policy Management the thing you are describing will work, no?
That is correct. The problem I have is that when the machine drops out of the view, the event log settings are not automatically removed.
Oh, for me you have to contact support, looks like a bug... normally this works...
Thanks. I did contact support and they said I would have to go and remove the event log settings manually. Can anyone else confirm this behavior?