So for a few years we've had event monitoring set up to create tickets for any error or warning from the source "Server Administrator" in the System log. These events come from Dell OpenManage (OMSA). We get tickets for event 2188 periodically, which is for the write policy on the RAID controller. It changes to "write through" instead of caching, usually because of a test/learn cycle that runs every 90 days and drains the battery.

I created a script to run when this event occurs - it checks to see if the controller is going through the learn cycle and only creates a ticket if it's not the learn cycle. I did this by creating a new event set and setting it to run the script. The problem is that the other event set still monitors for ANY event ID. If I add 2188 and set it to ignore, it will be ignored across all event sets. This led me down a rabbit hole and I realized that we need to change the way we monitor for these events.

I came up with 2 options and wanted to see how other people are doing this. We have all the zz[SYS] event sets and there are tons for Server Administrator. I can remove our existing event sets and apply all of these, which is much more granular. My question about these is whether or not they cover everything. There are several "severities" listed, and it says that severity 0 is for logging and reporting only. Event 2188 shows up in the Battery set for severity 0 - does this mean we don't need to monitor this event at all? Is it possible that there are important events that are not in one of these zz[SYS] event sets?

The other option I came up with is to continue using a wildcard for event ID and have ALL event alarms for Server Administrator run a script instead of creating a ticket. I could then define logic to deal with different events and create tickets/run scripts if necessary. This solution seems pretty scalable, but still kind of messy. I'm also not sure if there's a way for an agent procedure to "catch" values in the alarm, such as the source and event ID. If an agent procedure is called by a monitor set, are there some variables you can use to look at the source/ID, etc.? I know this is possible in service desk, but with how our ticketing is set up, I would prefer the ticket NEVER gets created if it doesn't need to be.