For those interested, I wrote a post you can see here: http://community.kaseya.com/xsp/f/27/t/15481.aspx
It outlined how even the best Event Sets can be incorrectly configured at times; it showed that we are all human and no one's monitoring is perfect.
Since that post, I've gone away and found a way of making sure we are capturing everything we need to.
This post is particularly relevant if you use the NOC Event Log sets privately.
First up, we had to make sure we weren't capturing too much information. Generally, we don't care about informational alerts, and we don't capture security events, so we got rid of them.
As you can see, we only capture Errors and Warnings, for Application, Directory Service, DNS Server, FRS and System.
From there, we set up a connection from our PCs to our SQL server using Excel. A while ago I wrote a paper on how to connect to SQL through Excel. It wasn't the best written piece, but it might help.
Find that here: http://simpleit.tumblr.com/post/6809391519/excel-and-sql-integration
The Excel query we use to pick up all event logs that are collected for the day is:
select b.displayname, a.eventid, a.source, b.groupName, count(a.agentguid) cnt
from ntEventLog20120710 a, machnametab b
where a.agentguid = b.agentguid
group by b.groupName, b.displayname, a.eventid, a.source
order by cnt desc
It is worth noting that the ntEventLog field changes daily; if you are running this query, change the date each day.
So, once the data is in Excel, we pivot that data and it looks something like this.
As you can see, I've highlighted green the alerts we can safely ignore. Unfortunately I don't think we can stop these coming into the Kaseya Server database, but by highlighting them green I know I can dismiss them.
I'm working on writing a macro that will turn the cells green if it picks up event logs we don't want to see - saves me going through thousands of events a day.
For those of you on Kaseya 6.2, you can easily add to your event sets to ignore these alerts forever.
I have found that it has identified dozens of event logs that should really have been actioned, so we went and added them to alarm sets too.
I think with about half an hour of attention a day, we have improved our monitoring 200 percent. We are missing far less, and my customers are loving the sheer volume of actionable events we are finding.
Anyway, happy to hear your thoughts; if you have a better way of doing this, let me know.
The NOC team event sets are great, but as I mentioned at the start, we are all fallible human beings. Use the NOC team event sets as a starter and extend on them yourselves.
Cheerio all, Mark.
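As an added example (not Mark's code and not anything shipped by Kaseya), the following Python reproduces the two manual steps from the post in one place: building the daily query so the ntEventLogYYYYMMDD date is never hand-edited, and doing the pivot plus the "green" ignore step that the planned Excel macro would do. The sample rows, the ignore list and the column names (displayname, eventid, source, groupName, agentguid, taken from the posted query) are constructed for the example; the ignore list entries are placeholders to be replaced with the (source, eventid) pairs you have actually vetted as safe to dismiss.

```python
"""Added example: daily Kaseya event-log pivot with an explicit ignore list.
Not Mark's code or Kaseya's. Assumes the daily table naming ntEventLogYYYYMMDD
and the column names from the posted query; sample rows and the ignore list
below are constructed placeholders."""

from collections import Counter
from datetime import date

# Constructed sample rows, one per collected event, already joined to machnametab:
# (displayname, eventid, source, groupName, agentguid)
SAMPLE_ROWS = [
    ("SRV01", 1000, "Application Error", "customerA.root", "guid-1"),
    ("SRV01", 1000, "Application Error", "customerA.root", "guid-1"),
    ("SRV02", 36888, "Schannel", "customerA.root", "guid-2"),
    ("DC01", 4013, "Microsoft-Windows-DNS-Server-Service", "customerB.root", "guid-3"),
    ("DC01", 4013, "Microsoft-Windows-DNS-Server-Service", "customerB.root", "guid-3"),
    ("DC01", 4013, "Microsoft-Windows-DNS-Server-Service", "customerB.root", "guid-3"),
    ("WS07", 10016, "DistributedCOM", "customerB.root", "guid-4"),
]

# Constructed ignore list keyed on (source, eventid): the rows the post highlights green.
# Placeholder entries; each one should be reviewed before it is adopted.
IGNORE = {
    ("DistributedCOM", 10016),
    ("Schannel", 36888),
}


def table_name_for(day: date) -> str:
    """Daily table name as the post describes it (ntEventLogYYYYMMDD)."""
    return "ntEventLog" + day.strftime("%Y%m%d")


def daily_query(day: date) -> str:
    """The posted query with the table name derived from the date."""
    return (
        "select b.displayname, a.eventid, a.source, b.groupName, "
        "count(a.agentguid) cnt "
        f"from {table_name_for(day)} a, machnametab b "
        "where a.agentguid = b.agentguid "
        "group by b.groupName, b.displayname, a.eventid, a.source "
        "order by cnt desc"
    )


def pivot(rows):
    """Count events per (groupName, displayname, eventid, source), highest count first."""
    counts = Counter((g, d, e, s) for d, e, s, g, _ in rows)
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


def triage(rows):
    """Split the pivot into rows to action and rows on the ignore list ('green')."""
    action, green = [], []
    for (g, d, e, s), cnt in pivot(rows):
        entry = {"groupName": g, "displayname": d, "eventid": e, "source": s, "cnt": cnt}
        (green if (s, e) in IGNORE else action).append(entry)
    return action, green


if __name__ == "__main__":
    print(daily_query(date(2012, 7, 10)))
    to_action, ignored = triage(SAMPLE_ROWS)
    for row in to_action:
        print("ACTION", row)
    for row in ignored:
        print("green ", row)
```

Keeping the ignore list as data rather than as cell colours means it can be reviewed and versioned like any other monitoring rule, and a pair only drops out of the action list when someone has deliberately added it.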
Thanks for this.
Nice job, Mark. Thank you.