Alerts

The Alerts page creates "alert type" alarms for managed machines. The Alerts page provides a simple set of typical parameters for setting up alarms and their corresponding alerts quickly on a managed machine. For example, low disk space is frequently a problem on managed machines. Selecting the Low Disk type of alarm displays a single additional field that lets you define the % free space threshold. Once defined, you can apply this alarm immediately to any machine ID displayed on the Alerts page and specify the type of alert response to the alarm.

Note: Monitor Sets represent a more complex method for triggering alarms. Typical alarm conditions should be defined using the Alerts page.

Note: Alerts also have a generic meaning. See Alert in the Glossary.

Group Alarms

Alerts are automatically assigned to a Group Alarm category. If an alert alarm is triggered, the group alarm it belongs to is triggered as well. Group alarms display in the Group Alarm Status pane of the View Console page.

To Create An Alert

  1. Select an alert function from the Select Alert Function drop down list.
  2. Check any of the last three checkboxes to perform their corresponding actions when an alarm is triggered for a machine ID.
    • Create Alarm - This is always checked. "Alert type" alarms are enabled when an alert is defined on this page.
    • Create Ticket
    • Run Script after alarm
    • Email Recipients
  3. Set additional email parameters.
  4. Set additional alert-specific parameters. These display when you select an alert function.
  5. Check the machine IDs to apply the alert to.
  6. Click the Apply button.

To Cancel an Alert

  1. Select the machine ID checkbox.
  2. Click the Clear button.

    The alert information listed next to the machine ID is removed.

Creating Event Based Alerts

You can activate alerts for different types of events recorded in Application, Security, and System event logs stored on managed machines.

Note: You can display event logs directly. On a Windows machine click Start, then click Control Panel, then click Administrative Tools, then click Event Viewer. Click Application, Security or System to display the events in that log.

  1. Check the box next to any of the following event types:
    • Error
    • Warning
    • Information
    • Success Audit
    • Failure Audit
  2. Click the Add or Replace radio options, then click Apply to assign selected event type alerts to selected machine IDs.
  3. Click Remove to remove all event based alerts from selected machine IDs.
  4. Optionally filter the triggering of event based alerts using Event Sets.

Passing Alert Information to Emails and Scripts

The following variables are populated with information when an alert is triggered. These variables can be referenced by any email you send or script you run in response to the triggering of an alert.

Note: Changing this email format changes the format for all alert emails. You may need to greatly restrict the size of an email alert message if the destination email address is a pager or some hand-held device.

Note: The table below shows, as an example, the set of variables available for an event based alert. Each alert function provides a different set of variables.

| Within an Email | Within a Script | Description |
|---|---|---|
| <at> | #at# | alert time |
| <cg> | #cg# | event category |
| <cn> | #cn# | computer name |
| <ed> | #ed# | event description |
| <ei> | #ei# | event id |
| <es> | #es# | event source |
| <et> | #et# | event time |
| <eu> | #eu# | event user |
| <gr> | #gr# | group ID |
| <id> | #id# | machine ID |
| <lt> | #lt# | log type (Application, Security, System) |
| <tp> | #tp# | event type (Error, Warning, Informational, Success Audit, or Failure Audit) |
| | #subject# | subject text of the email message, if an email was sent in response to an alert |
| | #body# | body text of the email message, if an email was sent in response to an alert |
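
The token substitution described above can be illustrated as follows. This Python is an added example, not Kaseya code and not the VSA's own substitution logic, which this page does not document; the function names, the control-character handling, the `max_len` limit and the sample alert are assumptions made for illustration.

```python
import re

# Two-letter codes from the table above (event based alert).
CODES = {"at", "cg", "cn", "ed", "ei", "es", "et", "eu", "gr", "id", "lt", "tp"}

def _clean(value):
    # Event text is written by whatever logged the event, so treat it as
    # untrusted: collapse control characters (CR, LF, tab) to one space.
    return re.sub(r"[\x00-\x1f\x7f]+", " ", str(value)).strip()

def render(template, alert, style="email", max_len=None):
    """Fill <xx> (email) or #xx# (script) tokens from the alert dict.

    Unknown codes and codes with no value stay as written. Substitution is
    a single pass, so token-like text inside a value is never expanded.
    """
    pattern = r"<([a-z]{2})>" if style == "email" else r"#([a-z]{2})#"

    def fill(match):
        code = match.group(1)
        if code in CODES and code in alert:
            return _clean(alert[code])
        return match.group(0)

    text = re.sub(pattern, fill, template)
    if max_len is not None and len(text) > max_len:
        text = text[: max_len - 3] + "..."  # pager or hand-held size limit
    return text

# Constructed sample alert (not real data); <ed> spans two lines and
# contains text that looks like a token.
SAMPLE = {
    "cn": "FILESRV01", "id": "filesrv01.hq", "gr": "hq", "lt": "System",
    "tp": "Error", "ei": "7031", "es": "Service Control Manager",
    "ed": "Print Spooler terminated\r\nunexpectedly <cn>",
}

if __name__ == "__main__":
    print(render("<tp> <ei> on <cn>: <ed>", SAMPLE))
    print(render("machine=#id# event=#ei# time=#at#", SAMPLE, style="script"))
    print(render("<ed>", SAMPLE, max_len=20))
```
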

Alert Processing Time Delays

Some alerts are processed immediately and some are processed at the next audit. Event log alerts are processed immediately as follows:

  • If alerting is turned on, the agent reports new event log entries at the next check-in period. If alerting is turned off (for that log), the events are not reported until the next time the agent performs a full check-in. Once reported to the server, a background task on the server processes them in batch mode. The server background task runs every two minutes, so if you have alerts activated, the longest delay you incur is 2 minutes plus the quick check-in period, plus whatever processing lag your external email system may have.
  • Application changes, HW Changes, and Low Disk alerts are processed with each audit. The alerts get issued when the latest audit data shows a change from the last audit run.

Get Files, LAN Watch, and Script Fail alerts are all generated when the script executes on the machine. Alerts are processed as a batch by the system background task that runs every two minutes.

Select Alert Function

The information you provide depends on the alert function selected. Some alerts require you to enter a number or select a checkbox. After selecting an alert function, enter any criteria its fields require.

Summary - The quick view summary shows what alerts are active on each machine. The email recipients list for each alert type appears if the alert is active on that machine ID. The alert type label becomes a link for active alerts. Clicking the link automatically selects the specific alert type and populates the form with the settings active in that alert.

Agent status - Generates an alert when the agent is offline, first goes online, or someone has disabled remote control on the selected machine. Check the box and enter the amount of time the agent can be offline before the alert is sent. Checking the box to alert when an agent goes online triggers an alarm every time the agent first goes online. Checking the box to disable remote control triggers an alarm at the next check-in from the agent on the machine where remote control was disabled.  

Note: Whenever the KServer service stops, the system suspends all agent online/offline alerts. If the KServer stops for more than 30 seconds, then agent online/offline alerts are suspended for one hour after the KServer starts up again. Rather than continuously trying to connect to the KServer when the KServer is down, agents go to sleep for one hour after first trying to connect a couple of times. The one hour alert suspension prevents false agent offline alerts when the KServer starts back up.
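
The suspension rule in the note above determines the periods in which no agent online/offline alert can be expected. The following Python is an added example, not Kaseya code; it assumes you have the KServer stop and start times from some other record, and the function names, machine IDs and times are constructed for illustration.

```python
from datetime import datetime, timedelta

THRESHOLD = timedelta(seconds=30)  # an outage longer than this adds the hold
HOLD = timedelta(hours=1)          # suspension after the KServer restarts

def at(hour, minute, second=0):
    # Helper for the constructed sample times below (all on one day).
    return datetime(2024, 1, 8, hour, minute, second)

def suspension_windows(outages):
    """outages: (stopped, started) datetimes for the KServer service.

    Returns sorted, merged (begin, end) spans during which agent
    online/offline alerts are suspended under the rule in the note.
    """
    spans = []
    for stopped, started in sorted(outages):
        end = started + HOLD if started - stopped > THRESHOLD else started
        if spans and stopped <= spans[-1][1]:
            # Overlaps the previous span: extend it instead of adding one.
            spans[-1] = (spans[-1][0], max(spans[-1][1], end))
        else:
            spans.append((stopped, end))
    return spans

def in_suspension(offline_events, outages):
    """Return the (machine_id, time) offline transitions that occurred while
    alerts were suspended, so they can be reviewed from other records."""
    spans = suspension_windows(outages)
    return [(m, t) for m, t in offline_events
            if any(begin <= t <= end for begin, end in spans)]

# Constructed sample data: one 20 second stop and two longer, overlapping ones.
OUTAGES = [(at(13, 50), at(13, 52)), (at(9, 0), at(9, 0, 20)), (at(13, 0), at(13, 5))]
EVENTS = [("ws12.hq", at(9, 10)), ("db01.hq", at(13, 30)),
          ("ws07.branch", at(14, 40)), ("ws03.hq", at(15, 0))]

if __name__ == "__main__":
    for begin, end in suspension_windows(OUTAGES):
        print("suspended", begin.time(), "to", end.time())
    for machine, when in in_suspension(EVENTS, OUTAGES):
        print("review", machine, when.time())
```
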

Application Changes - Triggers an alarm when a new application is installed or removed on selected machines. You can exclude directories from triggering an alarm. The exclude path may contain wildcards. You can add to the current list of applications, replace the current application list or remove the existing application list. Excluding a folder excludes all subfolders. For example, if you exclude *\windows\*, c:\Windows and all subfolders are excluded.

Get File Changes - Triggers an alarm when a script's Get File or Get File in Directory Path command executes, uploads the file, and the file is now different from the copy previously stored on the server. If there was not a previous copy on the server, the alert is triggered. The VSA issues the alert only if the send alert if file changed option has been selected in the script.

Hardware Changes - Triggers an alarm when a hardware configuration changes on the selected machines. Detected hardware changes include the addition or removal of RAM, PCI devices, and disk drives.

Low disk space - Triggers an alarm when available disk space falls below the entered percentage of free disk space. When Low disk space is selected, the % free space field displays.

Application Event, Security Event or System Event - Triggers an alarm when selected machines write an event to Windows event logs. See Creating Event Based Alerts above.

LAN Watch - Triggers an alarm when the LAN Watch scan detects a new device connected to the machine's LAN.

Script Failure - Triggers an alarm when a script fails to execute on a managed machine.

Protection Violations - Triggers an alarm when selected security breaches occur on a managed machine: Distributed file changed on agent and was updated, File access violation detected, and Network access violation detected.

New Agent installed - Triggers an alarm when a new agent is installed on a managed machine in the selected groups.

Patch Alert - This same alert can be set using Patch Mgmt > Patch Alert. The system sends the selected administrator an email alert whenever Scan Machine discovers one of four different patch alert cases.

  • A new patch is available for the selected machine ID.
  • A patch installation failed on the selected machine ID.
  • The agent credential is invalid or missing for the selected machine ID.

Backup Alerts - This same alert can be set using Backup > Backup Alert. Triggers an alert when a backup succeeds, fails, or is skipped.

System Alerts - Triggers an alarm when selected events occur on the KServer: the administrator account is disabled or the KServer stopped. Selecting System Alerts does not display a managed machine list. The events listed only apply to the KServer. This option only displays for master administrators.

Add/Replace/Remove

Some alert functions include Add and Replace options and a Remove button.

  • Add - Adds alert parameters to selected machine IDs when Apply is selected without clearing existing parameters.
  • Replace - Replaces alert parameters on selected machine IDs when Apply is selected.
  • Remove - Clears alert parameters from selected machine IDs. Click the edit icon next to a machine ID group first to select the alert parameters you want to clear.

Apply

Click Apply to apply alert parameters to selected machine IDs. Confirm the information has been applied correctly in the machine ID list.

Clear

Click Clear to remove all parameter settings from selected machine IDs.

Copy

Only active when Summary is selected. Copy takes all the alert settings for a single machine ID, selected by clicking the this machine ID link, and applies these same settings to all other checked machine IDs.

Create Alarm

The Create Alarm check box is always checked. This creates an alarm for the selected alert function.

Create Ticket

If checked, a new ticket is generated at the same time the alarm is created and is associated with the alarm.

Run Script after alert

If checked, a script is run when an alert is triggered. You must click the select script link to choose a script to run. You can optionally direct the script to run on a specified range of machine IDs by clicking this machine ID link. These specified machine IDs do not have to match the machine ID that triggered the alert.

Email Recipients

If checked, alert emails are sent to the specified email addresses.

  • The email address of the currently logged in administrator displays in this field. It defaults from the System > Preferences.
  • Click Format Email to display the Format Alert Email popup window. This window enables you to format the display of emails generated by the system when an alarm is triggered.
  • If the Add to current list radio option is selected, when Apply is clicked alert settings are applied and the specified email addresses are added to selected machine IDs without removing previously assigned email addresses.
  • If the Replace list radio option is selected, when Apply is clicked alert settings are applied and the specified email addresses replace the existing email addresses assigned to machine IDs.
  • If Remove is clicked, all email addresses are removed from selected machine IDs without modifying any alert parameters.
  • Email is sent directly from the KServer to the email address specified in the alert. The SMTP service in IIS sends the email directly to the address specified. Set the From Address using the System > Configure page.

Select All/Unselect All

Click the Select All link to check all rows on the page. Click the Unselect All link to uncheck all rows on the page.

Check-in status

These icons indicate the agent check-in status of each managed machine:

Agent has checked in

Agent has not recently checked in

Agent has never checked in

Online but waiting for first audit to complete

The agent is online but remote control is disabled

Edit

Click a row's edit icon to populate header parameters with values from that row. You can edit these values in the header and re-apply them.

Machine ID.Group ID

The list of Machine ID.Group IDs displayed is based on the Machine ID / Group ID filter and the machine groups the administrator is authorized to see using System > Group Access.

Note: Selecting System Alerts does not display a managed machine list. The events listed only apply to the KServer.

Email Address

A comma separated list of email addresses where notifications are sent.
