Monitoring Event ID

  • Hi

    I submit that we should not be using include lists, but rather exclude lists for errors. What are you going to tell your customer when you miss an event ID because it was not in your "include" list?

    I can think of for instance, the event ID that says that a drive has failed in a RAID 5 array, but since it was not in your list, you are unaware that a drive failed..... and now a second drive fails. Of course you will know real quick that a second drive has failed because the phone will be ringing....

    Now, I do like include lists for warnings and information events, but not for errors.



    hc






    Legacy Forum Name: System Administration Scripts,
    Legacy Posted By Username: howardc
  • I should have clarified that I meant the list was for automated service requests. I agree for automated tickets that an exclude list could be used, but not event log monitoring in general. As you stated above, what are you going to tell your customer when you miss an event ID that was on your "exclude" list?

    When we started monitoring event logs (and opened the flood gates) many of the errors were erroneous at times, but not at other times, and may or may not warrant a service request and subsequently a technician's time.

    We moved to a two-tiered monitoring system which included both automated and human review of event logs. We have a number of individuals in our helpdesk monitoring a centralized mailbox which receives ALL errors and then open service requests based on the error and its validity. In addition, we utilize the include list to detect critical errors we have determined to definitely, without question, require a service request. We found this process minimizes any human error in identifying critical errors, but still maintains a manageable balance with erroneous issues.

    We have found Event ID 7, 11, 20 and/or Source Perc has been successful in identifying RAID issues, but would love to hear your experiences to improve the list.


    Legacy Forum Name: System Administration Scripts,
    Legacy Posted By Username: cberger
  • Hi

    I like the two tiered monitoring, I had not thought of that.

    As for PERC errors, we don't use PERC controllers unless the client absolutely demands them.

    We much prefer ServeRAID RAID controllers in the systems that we specify. And those systems be IBM Servers...

    I had not thought about specifying all errors from a specific Source, but that is a good idea that works for RAID errors, but does not work for say Exchange errors.

    hc






    Legacy Forum Name: System Administration Scripts,
    Legacy Posted By Username: howardc
  • Agreed - Identifying errors from the Source, which I recently picked up from the nice folks over at InHouseIT, is a great method for controllers, but not for Exchange services where you may need more specific event IDs to identify the issues.

    I too like the ServeRAID better and have also recently started to move away from Dell/Perc.


    Legacy Forum Name: System Administration Scripts,
    Legacy Posted By Username: cberger
  • eventSetDef.xls
    Guys here is what needs to be setup to properly monitor events:

    You should start with creating containers like these:
    Disk Drive Events
    Common Workstation Events - Can contain App Events or System
    Common Server Events - Can contain App Events or System
    AntiVirus Events
    Backup Events
    Security Events
    Test Events - Always good for searching your database and running a report.

    Then you attach these events to the machines you want to monitor for Application, System, and Security. Some of these you will set for system and app events.
    It is also Very important you include Descriptions to these events as well.

    Then insert items (events) that only pertain to things you want to monitor and create a ticket for: Example is attached:



    Legacy Forum Name: System Administration Scripts,
    Legacy Posted By Username: sourceminer
  • Hey, folks. I'm wondering whether the desktop monitoring suggestions here are too limited. Maybe these are alerting you to critical things like disk failures, but shouldn't we also be concerned about network communication problems and hanging applications? They could be signs of problems that are causing a lot of frustration but not quite enough for the end user to pick up the phone and yell at you.

    I like the idea of getting alerts for everything except those things that everyone agrees are always safely ignored. Has anyone got a model exclude list for desktop events like this?


    Legacy Forum Name: System Administration Scripts,
    Legacy Posted By Username: David_Schrag
  • David

    We have all alerts go to us, over time we are either fixing the root cause of the alert (and am surprised at how many time errors there are) or setting the ones that we don't care about to Ignore. We had added to our ignore list the terminal server printer creating error that occurs every time we TS into a server for instance.

    We don't watch the information and warnings; but what we have started doing is add to alert list those warnings/information log entries that we care about.

    hc






    Legacy Forum Name: System Administration Scripts,
    Legacy Posted By Username: howardc
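The routing policy discussed in the posts above (an include list that always opens a ticket, a reviewed ignore list, every other error sent to human review, and warnings/information alerted only when explicitly included), sketched as an added example that is not code from any poster or from the monitoring product. All names, the sample events and the entries marked constructed are assumptions; "Event ID 7, 11, 20 and/or Source Perc" is read here as a match on either.

```python
from collections import Counter
from dataclasses import dataclass

@dataclass(frozen=True)
class Event:
    level: str      # "Error", "Warning" or "Information"
    source: str
    event_id: int

# Tier 1 include list: IDs and source named in the thread for RAID problems.
TICKET_IDS = {7, 11, 20}
TICKET_SOURCE_SUBSTR = "perc"
# Warnings/information are alerted only when listed (constructed entry).
INCLUDE_NON_ERRORS = {("ExampleBackup", 1001)}
# Errors a person reviewed and judged safe to ignore (constructed entry).
IGNORE = {("ExamplePrintSource", 9001)}

def route(ev: Event) -> str:
    """Return 'ticket', 'review' or 'ignore' for one event."""
    key = (ev.source, ev.event_id)
    critical = (ev.event_id in TICKET_IDS
                or TICKET_SOURCE_SUBSTR in ev.source.lower())
    # The include list is checked first, so a careless ignore entry
    # can never silence an error that must open a ticket.
    if ev.level == "Error" and critical:
        return "ticket"
    if key in IGNORE:
        return "ignore"
    # Exclude-list behaviour for errors: anything not ignored is seen by a person.
    if ev.level == "Error":
        return "review"
    # Include-list behaviour for warnings and information.
    return "review" if key in INCLUDE_NON_ERRORS else "ignore"

def review_backlog(events):
    """Most frequent (source, id) pairs in review: candidates to fix or ignore."""
    hits = Counter((e.source, e.event_id) for e in events if route(e) == "review")
    return hits.most_common()

# Constructed sample events, not taken from any real log.
SAMPLE = [
    Event("Error", "Disk", 11),
    Event("Error", "ExamplePercDriver", 500),
    Event("Error", "ExamplePrintSource", 9001),
    Event("Error", "ExampleApp", 4321),
    Event("Error", "ExampleApp", 4321),
    Event("Information", "ExampleBackup", 1001),
    Event("Warning", "ExampleApp", 55),
]

if __name__ == "__main__":
    for ev in SAMPLE:
        print(route(ev), ev)
```
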
  • I am creating the alerts and the custom alert sets and it is all working well. One question/problem is how it is displayed.

    For example many of our clients use the ultrabac backup solution which does Application log events. Super. However, what is reported in the alerts for a backup job failure is:

    Application log generated Error Event 2417 on fc-msl-dc1.fc-systems.lan-servers

    That is kind of cryptic for the admin scanning the alerts in the morning and assigning tickets.

    In this particular case it is a backup job that failed because the administrator canceled it, event ID 2417 tells me that. Would it be possible to have the name of the event set used to generate the alert used as the name of the alert? Any event in the "Ultrabac Backup Failure" event set show up under that title rather than: Application log generated Error Event 2417 on fc-msl-dc1.fc-systems.lan-servers.

    This will be especially useful when events are automatically converted to tickets. Then the ticket name would be more meaningful.


    Legacy Forum Name: System Administration Scripts,
    Legacy Posted By Username: trebligb2
  • Quick question - when we create event sets and put Event IDs in them, do ALL events continue to be logged by the system, only we hear (via email) about the ones we include in the event sets? Is there a way to have every event created sent to us so we can begin building our event sets so that we can really filter what we need to see and what we don't? Thanks. - Rob D.


    Legacy Forum Name: System Administration Scripts,
    Legacy Posted By Username: rdempsey
  • Disregarding my last question, my new question is this: we want to have certain events send alerts to an email address where we can review them and act if necessary, then we have alerts that we know for sure need to be sent to a different email address to auto-generate a service ticket, and other events we want to ignore. This seems like just the thing that cberger has set up.

    I understand the concept of event sets, but my question is if it is possible to send alerts (from event sets) to different email accounts, for a single machine?

    It appears that for a single machine all alerts will go to either a single email address, or multiple, but ALL alerts for ALL event sets will go to those email addresses. It doesn't appear that you can split them up. Is my understanding correct? I appreciate any and all help you all can give me. Thank you.

    - Rob Dempsey


    Legacy Forum Name: System Administration Scripts,
    Legacy Posted By Username: rdempsey
  • I have that same question, how can I send emails to different address sets based on different alert sets.

    For example, I want to alert one group when a server reboots (This would be a normal reboot). I want to alert a different group when a server blue screens (unexpected shutdown).

    How can this be accomplished?




    Legacy Forum Name: System Administration Scripts,
    Legacy Posted By Username: Roy.Davis
  • You will be able to specify a different set of e-mail addresses per event set in version 4.6.

    Legacy Forum Name: System Administration Scripts,
    Legacy Posted By Username: jimalves
  • eventids.zip
    Attached is a list of critical event IDs that we currently monitor for on servers and desktops. Please let me know if there are any event IDs that you have found should or should not be included in this list. Note: This does not include Arcserve which we would like to add.


    Legacy Forum Name: Monitoring Event ID,
    Legacy Posted By Username: cberger
  • Hello,

    I have set up our alerts to monitor all events and set up an ignore list for things we don't wish to be alerted on. We found that using specific event sets was a bit riskier as we don't know everything we may be alerted on.

    Anyhow, I have my ignore list and everything is working well, except for NTBackup alerts(?), they are still reporting even though I have them ignored.

    I am using backup assist which uses NTBackup to perform, it sends 8000, 8001, 8008, and 8009 event IDs upon starting/completing each piece of a backup (i.e., system state, exchange, user folders, etc.) so I want to ignore this so my event log score on the report isn't lowered by info events associated with a successful operation.

    Short story long...I was hoping someone could help with why they would be reported even though they are being ignored.


    Legacy Forum Name: System Administration Scripts,
    Legacy Posted By Username: BillJRT
  • Can someone help me with an event ID for Acronis True Image for SBS?

  • Backup fail acronis true image for sbs

  • Event ID | Acronis log contains | Level | Module | Code
    8 | Backup fails and Acronis log contains "write error". | 4 | 1 | 502
