Monitor > Alerts
Show me an explanation of the items on this page.
How do I filter event log alerts (using event sets)?
You can activate alerts independently for event log entries in the Application, Security, and System event logs. Within each log type, you can also filter on event type. Checking the box on any of the following generates alerts for all log entries matching the selected type:
Error
Warning
Information
Success Audit
Failure Audit
If you check any of these boxes, then all events matching the selected type generate an email alert. You can further filter and restrict which events generate alerts by defining Event Sets. Event sets let you specify particular events to alert on or to ignore. Use event sets to group related events into a single item. For example, if you are monitoring a domain controller, you can group all the events you do not want to receive alerts for into a single event set. Then just assign the event set to the machine you are monitoring. You may assign more than one event set to the same machine. This lets you better organize event sets into functional areas.
The ignore flag is there to let you alert on all errors (or any other event type) except for a list of events you may not care about.
First set up a machine to alert on Errors (check the box) and select < All Events > from the event set list. This tells the system to generate an alert for every error event type.
Second, assign another event set to the same machine that lists all the events you wish to ignore.
The secret is assigning multiple event sets to the same machine (one to get all the alerts, and others to ignore the alerts you don't want).
Ignore events ALWAYS take precedence over other event sets. If an event matches an ignore event set, no alert is generated.
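The precedence rule described above, modeled as an added example (this is not code from the product). Matching an event set entry on source plus event ID is an assumption, as are the names Event, EventSet and should_alert and the constructed sample values.

```python
from dataclasses import dataclass
from typing import Optional

ALL_EVENTS = None  # models the "< All Events >" entry in the event set list

@dataclass(frozen=True)
class Event:
    log: str         # "Application", "Security" or "System"
    event_type: str  # "Error", "Warning", "Information", ...
    source: str
    event_id: int

@dataclass(frozen=True)
class EventSet:
    name: str
    ignore: bool                  # True: ignore set; False: alert set
    entries: Optional[frozenset]  # {(source, event_id)}, or ALL_EVENTS

    def matches(self, ev: Event) -> bool:
        # Assumption: an entry matches on source plus event ID.
        return self.entries is ALL_EVENTS or (ev.source, ev.event_id) in self.entries

def should_alert(ev, checked_types, assigned_sets):
    """Return True if this log entry generates an alert for the machine."""
    # 1. The event type box must be checked for this log.
    if ev.event_type not in checked_types.get(ev.log, set()):
        return False
    matching = [s for s in assigned_sets if s.matches(ev)]
    # 2. An ignore set always wins over any other assigned event set.
    if any(s.ignore for s in matching):
        return False
    # 3. Otherwise at least one alert set has to match.
    return bool(matching)

# Constructed sample: alert on every System error except two noisy events.
CHECKED = {"System": {"Error"}}
SETS = [
    EventSet("all errors", ignore=False, entries=ALL_EVENTS),
    EventSet("known noise", ignore=True,
             entries=frozenset({("W32Time", 29), ("ExampleApp", 1000)})),
]

if __name__ == "__main__":
    for ev in (Event("System", "Error", "Disk", 7),
               Event("System", "Error", "W32Time", 29),
               Event("System", "Warning", "Disk", 51)):
        print(ev.source, ev.event_id, should_alert(ev, CHECKED, SETS))
```

Because an ignore match suppresses the alert even when another assigned set lists the same event, review ignore sets whenever an expected alert does not arrive.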
What is the time delay between when events occur and when the system sends the email alert?
Some alerts are processed immediately and some are processed at the next audit. Event log alerts are processed immediately as follows:
If you have alerting turned on, the agent reports new event log entries at the next check-in period. If alerting is turned off (for that log), the events are not reported until the next time the agent has something else to do. Once reported to the server, a background task on the server processes them in batch mode. The server background task runs every two minutes. So if you have alerts activated, the longest delay you incur is 2 minutes plus the quick check-in period, plus whatever processing lag your external email system may have.
Application changes, HW Changes, and Low Disk alerts are processed with each audit. The alerts get issued when the latest audit data shows a change from the last audit run.
Get Files, LAN Watch, and Script Fail alerts are all generated when the script executes on the machine. Alerts are processed as a batch by the system background task that runs every two minutes.
How do I cancel an alert?
To cancel an alert:
Select the client machine account checkbox.
Press Clear.
The alert information listed next to the client machine ID is removed.
Where is this email coming from?
Email is sent directly from the VSA to the admin email address specified in the alert. The SMTP service in IIS 4 or 5 sends the email directly to the address specified. The From Address in the email can be anything but should be a valid email address. Set the From Address on the Configure page under the System tab.
How do I pass alert information to the script that runs when the alert happens?
You can configure every alert to run a script when the alert email notification is sent. The script can run on the machine that generated the alert or on any machine you like.
To configure an alert to run a script, perform the following steps:
Check the after alert run box.
Click the select script link and select a script from the list.
To run the script on a different machine, click the this machine ID link and select a machine ID from the list. To run the script on the same machine that generated the alert, leave this link set to this machine ID.
You can pass alert specific data to your script. Prior to running the specified script, the system automatically generates several variables (like those created by the Get Variable command) you can use in your script.
The system passes your script variables for the email subject, the email body, and all the Data Keys related to the particular alert. To see the data keys for each alert, click the Format Email button. This screen lists the data keys at the bottom. Variable names match these data keys without the <> tags. Typical variables passed to the script include:
#subject# | Alert email subject line
#body# | Alert email body
#id# | Machine ID that generated the alert
#at# | Timestamp when the alert occurred
Why would I change the format of the email alert?
You may need to greatly restrict the size of an email alert message if the destination email address is a pager or some hand-held device.
How do I program an alert?
To program an alert:
Select the type of alert you want to program.
Select the client machines you would like to apply the alert to.
In the Send Email To field, enter the email address where you want the alert sent. To enter a separate email address for each client machine, select each client machine and enter an email address, then press Apply. Perform this for each client machine that requires a separate email address. Be sure to press Apply after entering each email address. To send an alert to multiple email addresses, enter each email address, separated by commas, in the Send Email To field.
Summary. Quick view summary showing what alerts are active on each machine. The email recipients list for each alert type appears if the alert is active on that machine ID. The alert type label becomes a link for active alerts. Clicking the link automatically selects the specific alert type and populates the form with the settings active in that alert.
Agent status. Generate an alert when the agent is offline, first goes online, or someone has disabled remote control on the selected machine. Check the box and enter the amount of time the agent can be offline before the alert is sent. Checking the box to alert when an agent goes online sends an email every time the agent first goes online. Checking the box to disable remote control sends an email notification at the next quick check-in from the agent on the machine where remote control was disabled.
Note: Whenever the KServer service stops, the system suspends all agent online/offline alerts. If the KServer stops for more than 30 seconds, then agent online/offline alerts are suspended for one hour after the KServer starts up again. Rather than continuously try to connect to the KServer when the KServer is down, agents go to sleep for one hour after first trying to connect a couple of times. The one hour alert suspension prevents false agent offline alerts when the KServer starts back up.
Application Changes. Sends a notification email when a new application is installed on selected machines.
Get File Changes. Sends a notification email when a script's Get File or Get File in Directory Path command executes, uploads the file, and the file is now different from the copy previously stored on the server. If there was not a previous copy on the server, the alert is sent. The VSA issues the alert only if the send alert if file changed option has been selected in the script.
Hardware Changes. Sends a notification email when a hardware configuration changes on the selected machines. Detected hardware changes are the addition or removal of: RAM, PCI devices, disk drives.
Low disk space. Sends a notification email when available disk space falls below the entered percentage of free disk space. When Low disk space is selected, the percentage of free disk space field appears.
New Agent installed. Sends a notification email when a new Agent is installed on a client machine in the selected groups.
Event Log. Sends a notification email when the selected machines write an event to the NT event log. When Event Log is selected, the three types of event log entries are shown: System, Security, and Application. These are the three event log entries that, when made, send out a notification email.
LAN Watch. Sends a notification email when the LAN Watch scan detects a new device connected to the machine's LAN.
Protection Violations. Sends a notification email when selected security breaches occur on a client machine: File integrity violation, File access violation, and Network access violation.
Script Exec Failure. Sends a notification email when a script fails to execute on a client machine.
System Alerts. Sends a notification email when selected events occur on the System Server: Admin account disabled and KServer stopped.
Patch Alert is set in the Patch Alert function under the Patch Mgmt tab. The system sends the selected administrator an email alert whenever Scan Machine discovers one of the three different patch alert cases.
A new patch is available for the selected Machine ID.
A patch installation failed on the selected Machine ID.
The patch location for a new patch available for any machine is missing. See Patch Location for details.
Depending on the alert selected, the information provided will change. Some alerts require you to enter a number or select a checkbox. After selecting an alert, make sure you enter any required criteria in the field.
The email address is shown in the Email Address column next to each client machine.
Note: The System Alerts notification does not provide a client machine list. The events listed only apply to the System Server.
Explanation of items on this page
The following selections are accessible from the Alerts function:
Apply
Applies the information entered. Confirm the information in the client machine list.
Clear
Clears all entered information. Selecting a client machine then pressing Clear deletes any entered alert information.
Copy
Only active when Summary is selected. Copy takes all the alert settings for the selected Machine ID (select by clicking the select machine ID link) and applies the same settings to all other checked machine IDs.
Select Alert to Activate
Agent status. Generate an alert when the agent is offline, first goes online, or someone has disabled remote control on the selected machine. Check the box and enter the amount of time the agent can be offline before the alert is sent. Checking the box to alert when agent goes online sends an email every time the agent first goes online. Checking the box for disable remote control sends an email notification at the next quick check-in from the agent on the machine where remote control was disabled.
Application Changes. Sends a notification email when a new application is installed on selected machines.
Get File Changes. Sends a notification email when files retrieved from remote machines via a script Get File command change from the last time the Get File command ran. The Get File command must have either the Overwrite existing file and send alert if file changed setting or the Save existing version, get file, and send alert if file changed setting selected.
Hardware Changes. Sends a notification email when a hardware configuration changes on the selected machines. Detected hardware changes are the addition or removal of: RAM, PCI devices, disk drives.
Low disk space. Sends a notification email when available disk space falls below the entered percentage of free disk space. When Low disk space is selected, the percentage of free disk space field appears.
New Agent installed. Sends a notification email when a new Agent is installed on a client machine in the selected groups.
Event Log. Sends a notification email when the selected machines write an event to the NT event log. When Event Log is selected, the three types of event log entries are shown: System, Security, and Application. These are the three event log entries that, when made, send out a notification email.
LAN Watch. Sends a notification email when the LAN Watch scan detects a new device connected to the machine's LAN.
Protection Violations. Sends a notification email when selected security breaches occur on a client machine: File integrity violation, File access violation, and Network access violation.
Script Exec Failure. Sends a notification email when a script fails to execute on a client machine.
System Alerts. Sends a notification email when selected events occur on the System Server: Admin account disabled and KServer stopped.
Patch Alert. Set in the Patch Alert function under the Patch Mgmt tab. The system sends the selected administrator an email alert whenever Scan Machine discovers one of the three different patch alert cases.
A new patch is available for the selected Machine ID.
A patch installation failed on the selected Machine ID.
The patch location for a new patch available for any machine is missing. See Patch Location for details.
Email Recipients
Email address where the event notification is sent. You can specify a different email address for each client machine, even if it is for the same event. The "From:" email address is specified in the Server Info function of the System feature tab. The event notification may be sent to more than one email address by putting a comma before each additional address.
Add to current list
Select this radio button to add the email address to the current list of recipients for that alert. If the name is already on the list for a selected machine ID, then any changes to alert settings are applied but the address list remains the same.
Replace list
Set the recipient email list for this alert to the list entered. This overwrites any existing email list.
Remove
Remove an email address from the recipient list for all selected machines without modifying any alert parameters. Use this button to quickly remove an email address for alerts without having to worry about setting up alert parameters.
Format Email
Change the default message sent with each email alert by clicking this button.
After alert run...
When an alert is generated you can set up the system to automatically run a script at the same time the email notification is sent out. You can run the script on the machine that generated the alert or any other machine you wish.
Edit icon
Clicking the edit icon between the check box and the machine ID, for any machine, automatically loads the form with the settings matching the selected machine ID's alert.
Machine.Group ID
Lists the client machines according to the Specify Accounts criteria.
Email Address
Comma-separated list of email addresses where the event notification will be sent.
Note: The System Alerts notification does not provide a client machine list. The events listed apply only to the System Server.