What we need: We need to set specific event IDs to only alert if they happen x times an hour.
Problem: All of our event sets have multiple event IDs in them, including the ones we want to ignore.
Possible solution: Remove that event ID from that set, make a new set with only that event ID, and apply it with the correct monitor settings to alert when x events/hour occur.
Is there a better idea or something I am missing to make this an easier task?
I had the same problem; I decided to create a second set with the IDs to ignore and apply both sets to agents.
Matt, not that I know of; I think you are on the right track. Have you tried creating the specific event set and seeing if it will override the others? I believe event sets work from most specific to least specific, so if you could populate a few more of the fields with actual sources vs. "*", you might find that one will grab it.
Never tried it, but worth a shot. Otherwise do what you were saying.
Hey Matt Burnette,
Hope all is well.
Event Sets can be very tricky when configuring and have a lot of different conditions around them.
It is best to understand exactly how the ignore/alert event sets will work when combined.
If you have two rules within the same event set that match exactly, it will obey the ignore rule and ignore the event log:
If you have two event sets assigned to a machine, one that ignores and one that alarms on the same exact event condition, it should ignore event ID 51:
If you have two rules in an event set, or two event sets with two unique rules, meaning the filters applied do not match exactly, it will trigger an alarm depending on the fields provided in the Event Log.
Here is an example:
From the above screenshot, any event ID 53 will be ignored if it has the word "Kaseya" in the description. If it does not have Kaseya in the description it will trigger an alarm.
To address your questions directly:
Please keep in mind that the "Alert when this event occurs X times within X time period" setting counts the event in a volatile fashion.
This means the count is not static: if the agent is restarted or the machine is restarted, the count is reset back to 0.
This is not necessarily a bad way to configure your event log alerts, as long as your ignore rules are not conflicting with any of the other rules, which sounds like what might be problematic for you.
This can be done and it may resolve the issue. As per my notes on the configuration above, you could possibly create a new rule in the same set searching for slightly different parameters from your ignore rule, which should generate an alarm.
This also depends on how the ignore rules are configured within your specific event set.
I would like to understand the current problem a little bit more to verify if there is a better way to do this.
Additionally, I recently did the following TechJam on Event Log Alerts/Fixed Alerts, which discusses how to troubleshoot whether an alarm is generated by your event log set and how to generate/test against those event logs; it may help you in debugging what is going on:
Let me know if you have any questions and feel free to reach out to me directly (PM/Email) if you want to expand on this conversation.
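As an added illustration of the behaviour the reply above describes (this is not code from the thread or from Kaseya, just a small model written for this page), the Python below simulates an agent evaluating events against the merged rules of every event set assigned to it: an ignore rule wins whenever it matches, an alert rule with conditions the event satisfies counts towards the "X times within the time period" threshold, and the counter is kept only in memory so a restart resets it to zero. The rule fields (`event_id`, `source`, `description_contains`), the `"*"` wildcard, the sample events and the choice to restart the counter after each alarm are all assumptions made for the example.

```python
from collections import deque
from dataclasses import dataclass

WILDCARD = "*"  # assumed: a "*" in a rule field matches anything, as in the set editor


@dataclass(frozen=True)
class Rule:
    """One row of an event set (assumed field names, not Kaseya's schema)."""
    action: str                             # "ignore" or "alert"
    event_id: str = WILDCARD                # event ID as a string, e.g. "53"
    source: str = WILDCARD                  # event source / provider name
    description_contains: str = WILDCARD    # substring that must appear in the description

    def matches(self, ev: "Event") -> bool:
        return (
            (self.event_id == WILDCARD or self.event_id == str(ev.event_id))
            and (self.source == WILDCARD or self.source.lower() == ev.source.lower())
            and (self.description_contains == WILDCARD
                 or self.description_contains.lower() in ev.description.lower())
        )


@dataclass(frozen=True)
class Event:
    event_id: int
    source: str
    description: str
    ts: float  # seconds; any clock works for the model


class EventSetMonitor:
    """Evaluates events against the merged rules of all sets assigned to one agent."""

    def __init__(self, rules, threshold: int = 1, window_seconds: int = 3600):
        self.rules = list(rules)
        self.threshold = threshold
        self.window = window_seconds
        self._hits: deque = deque()  # timestamps of counted events; in memory only (volatile)

    def restart(self) -> None:
        """Agent or machine restart: the in-memory count goes back to 0."""
        self._hits.clear()

    def evaluate(self, ev: Event) -> str:
        """Return 'ignored', 'no_match', 'counted' or 'alert' for one event."""
        # An ignore rule wins whenever it matches, whichever set it lives in; this also
        # covers the exact-duplicate case where an ignore and an alert row are identical.
        if any(r.action == "ignore" and r.matches(ev) for r in self.rules):
            return "ignored"
        if not any(r.action == "alert" and r.matches(ev) for r in self.rules):
            return "no_match"
        # Sliding window: keep only hits from the last `window` seconds.
        self._hits.append(ev.ts)
        while self._hits and ev.ts - self._hits[0] > self.window:
            self._hits.popleft()
        if len(self._hits) >= self.threshold:
            self._hits.clear()  # assumption: counting starts over after an alarm fires
            return "alert"
        return "counted"


def run_scenario() -> list:
    """Constructed walkthrough: an ignore set plus an alert set, 3 events/hour threshold."""
    ignore_set = [Rule("ignore", event_id="53", description_contains="Kaseya")]
    alert_set = [Rule("alert", event_id="53")]
    mon = EventSetMonitor(ignore_set + alert_set, threshold=3, window_seconds=3600)
    t0 = 1_700_000_000.0
    results = [
        mon.evaluate(Event(53, "Disk", "Kaseya agent housekeeping", t0)),  # ignore rule matches
        mon.evaluate(Event(53, "Disk", "controller error", t0 + 60)),      # 1 of 3
        mon.evaluate(Event(53, "Disk", "controller error", t0 + 120)),     # 2 of 3
        mon.evaluate(Event(53, "Disk", "controller error", t0 + 180)),     # 3 within the hour
        mon.evaluate(Event(53, "Disk", "controller error", t0 + 240)),     # counting restarts
    ]
    mon.restart()  # agent restarted: volatile count is lost
    results.append(mon.evaluate(Event(53, "Disk", "controller error", t0 + 300)))
    results.append(mon.evaluate(Event(53, "Disk", "controller error", t0 + 4000)))  # older hit expired
    results.append(mon.evaluate(Event(51, "Disk", "controller error", t0 + 4001)))  # no rule for 51
    return results


def exact_duplicate_rules() -> str:
    """Two rows with identical conditions in one set: the ignore row wins."""
    rules = [Rule("alert", event_id="51"), Rule("ignore", event_id="51")]
    return EventSetMonitor(rules).evaluate(Event(51, "Disk", "bad block", 0.0))
```

Running `run_scenario()` gives `['ignored', 'counted', 'counted', 'alert', 'counted', 'counted', 'counted', 'no_match']`: the three "controller error" events within the hour raise one alarm, the event after the restart starts from one again, and the event an hour later does not add to the earlier one because the window has slid past it. That last step is what makes the volatile counter a caveat when tuning "X times per hour": a threshold tuned against a steady trickle can be silently reset by a reboot.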