How we create and update our event sets - for those interested

  • Hi community, 

    For those interested, I wrote a post you can see here: http://community.kaseya.com/xsp/f/27/t/15481.aspx

    It outlined how even the best Event Sets can be incorrectly configured at times; it showed that we are all human and no one's monitoring is perfect.

    Since that post, I've gone away and found a way of making sure we are capturing everything we need to.

    This post is particularly relevant if you use the NOC Event Log sets privately.

    First up, we had to make sure we weren't capturing too much information. Generally, we don't care about informational alerts, and we don't capture security events, so we got rid of them.

    As you can see, we only capture Errors and Warnings, for Application, Directory Service, DNS Server, FRS and System. 

    From there, we set up a connection from our PCs to our SQL server using Excel. A while ago I wrote a paper on how to connect to SQL through Excel. It wasn't the best written piece, but it might help.

    Find that here: http://simpleit.tumblr.com/post/6809391519/excel-and-sql-integration 

    The Excel query we use to pick up all event logs that are collected for the day is:

    -- one row per (group, machine, event ID, source), busiest first
    select b.displayname, a.eventid, a.source, b.groupName, count(a.agentguid) cnt
    from ntEventLog20120710 a                 -- the day's event log table
    join machnametab b on a.agentguid = b.agentguid
    group by b.groupName, b.displayname, a.eventid, a.source
    order by cnt desc

    It is worth noting that the ntEventLog field changes daily; if you are running this query, change the date each day.

    So, once the data is in Excel, we pivot that data and it looks something like this.

    As you can see, I've highlighted in green the alerts we can safely ignore. Unfortunately I don't think we can stop these coming into the Kaseya Server database, but by highlighting them green I know I can dismiss them.

    I'm working on writing a macro that will turn the cells green if it picks up event logs we don't want to see. It saves me going through thousands of events a day.

    For those of you on Kaseya 6.2, you can easily add to your event sets to ignore these alerts forever. 

    Select Monitor > Agent Monitoring > Event Log Alert. Search for "ignore.app.events" (or whatever you use for ignoring events) > Select application > Edit ignore.app.events. Ignore with whatever source filter you saw in your event sets and the event ID.
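    To make the daily routine above concrete, here is an added example (my own code, not Mark's and not anything shipped with Kaseya or Excel) that does in Python what the Excel query and the planned green-highlighting macro do together: it builds the day's table name, reproduces the query's grouping and count ordering over a few constructed sample rows, and then splits the result into rows to review and rows to dismiss against a hypothetical ignore list shaped like an "ignore.app.events" set. The table and column names come from the post; SAMPLE_EVENTS, IGNORE_SET and the function names are my assumptions.

```python
from collections import Counter
from datetime import date

# Constructed sample rows shaped like the join of ntEventLogYYYYMMDD with
# machnametab: (displayname, eventid, source, groupName, agentguid).
# These are made-up values, not real Kaseya data.
SAMPLE_EVENTS = [
    ("SRV01", 1000, "Application Error", "Customer A", "guid-1"),
    ("SRV01", 1000, "Application Error", "Customer A", "guid-1"),
    ("SRV02", 1000, "Application Error", "Customer A", "guid-2"),
    ("SRV02", 5719, "NETLOGON", "Customer A", "guid-2"),
    ("FS01", 13508, "NtFrs", "Customer B", "guid-3"),
    ("FS01", 13508, "NtFrs", "Customer B", "guid-3"),
    ("FS01", 13508, "NtFrs", "Customer B", "guid-3"),
    ("DC01", 4013, "DNS", "Customer B", "guid-4"),
]

# Hypothetical ignore list in the spirit of an "ignore.app.events" event set:
# (source, eventid) pairs the NOC has decided are noise.
IGNORE_SET = {("Application Error", 1000)}

# The day used in the post's example query.
SAMPLE_DAY = date(2012, 7, 10)


def daily_table_name(day):
    """Per-day event table name, e.g. ntEventLog20120710 for 10 July 2012."""
    return "ntEventLog" + day.strftime("%Y%m%d")


def build_query(day):
    """The post's aggregation query, parameterised on the day so the table
    name does not have to be edited by hand each morning."""
    return (
        "select b.displayname, a.eventid, a.source, b.groupName, "
        "count(a.agentguid) cnt\n"
        f"from {daily_table_name(day)} a\n"
        "join machnametab b on a.agentguid = b.agentguid\n"
        "group by b.groupName, b.displayname, a.eventid, a.source\n"
        "order by cnt desc"
    )


def summarise(rows):
    """Group rows the way the query does and sort by count descending.
    Returns a list of (groupName, displayname, eventid, source, cnt)."""
    counts = Counter((g, d, e, s) for d, e, s, g, _agent in rows)
    return sorted(
        [(g, d, e, s, n) for (g, d, e, s), n in counts.items()],
        key=lambda r: (-r[4], r[0], r[1], r[2]),
    )


def classify(summary, ignore=IGNORE_SET):
    """Split the summary into rows to review and rows to dismiss (the rows
    the macro would paint green). Matching is on (source, eventid)."""
    review, dismiss = [], []
    for row in summary:
        if (row[3], row[2]) in ignore:
            dismiss.append(row)
        else:
            review.append(row)
    return review, dismiss


if __name__ == "__main__":
    print(build_query(SAMPLE_DAY))
    review, dismiss = classify(summarise(SAMPLE_EVENTS))
    for row in review:
        print("REVIEW ", row)
    for row in dismiss:
        print("IGNORE ", row)
```

    Anything that lands in the review list is a candidate for the alarm sets; anything in the dismiss list is what the green cells represent. When the ignore list grows, it is the same (source, event ID) pair that gets added to the Kaseya ignore event set, so the two stay in step.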

    I have found that it has identified dozens of event logs that should really have been actioned, so we went and added them to alarm sets too.

    I think with about half an hour of attention a day, we have improved our monitoring 200 percent; we are missing far less, and my customers are loving the sheer volume of actionable events we are finding.

    Anyway, happy to hear your thoughts. If you have a better way of doing this, let me know.

    The NOC team event sets are great, but as I mentioned at the start, we are all fallible human beings. Use the NOC team event sets as a starter and extend on them yourselves.

    Cheerio all, Mark. 

