Forum Discussion

8 years ago

Multiple Instance EventSources

ATTENTION: Lou

Hello,

I spoke to your Support team who let me know that the following request is not currently a feature that you have. I am looking to set up an EventSource that only fires after multiple instances of an error are identified in a Windows event log. I would like to be able to configure alert sensitivity so that I get a notification once 'X alert has been identified Y times in Z minutes within the event log'. This is a feature that competitors have shown to me in the past, and it ultimately would allow us to report on several issues that we cannot alert on today via LogicMonitor without receiving several false positive alerts.

Please let me know if you need any clarification of this request.

Thanks,
Brian Hale

1 Reply

  • I agree Windows event handling really needs an overhaul. It would probably be a lot better to build out an ELK stack with a script eventsource to pull exceptions into LM, but I have to stand something up and give it a try. Of course, this is not really feasible unless your collectors are sturdy enough to handle both LM and the log analysis. Even with the basic Windows event source, normal filtering is too limited, and I have found it very difficult to successfully write a complex filter since there is no "Test" capability in the eventsource creator screen (would love to see this capability). In your case, there have been other threads I've seen requesting an "event repeat" counter, and this of course would work very well to limit alerting if the counter value was available to decide whether an alert should fire instead of the way alerts trigger now. Ideally, a much richer capability (e.g., like SEC or a limited correlation capability like nxlog-ce) would be welcome -- perhaps in addition to counters, an ability to record an event as active without an alert and to be able to reference that in another event check as a way to correlate before triggering alerts.

    Regards,

    Mark
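
The two behaviours asked for in this thread, Brian's "X alert has been identified Y times in Z minutes" threshold and Mark's "record an event as active without an alert, then reference it from another event check", as one added Python example. This is not LogicMonitor's code and not a feature the product offered at the time; it is the logic a collector-side script would have to carry itself. It assumes the script is handed Windows event log records (time, event ID, source, message); the records below are constructed for the demo, using Security audit event IDs 4625 (failed logon) and 4624 (successful logon) and Application Error event ID 1000 as illustrative choices, and the rule names and thresholds are likewise assumptions.

```python
# Added example (not LogicMonitor's code): "X seen Y times in Z minutes" plus "mark active, correlate later".
import re
from collections import defaultdict, deque, namedtuple
from datetime import datetime, timedelta

Event = namedtuple("Event", "time event_id source message")  # one Windows event log record
Alert = namedtuple("Alert", "rule key time count")

def account_of(ev):
    """Key logon events by the account named in the message body."""
    m = re.search(r"Account Name:\s*(\S+)", ev.message)
    return m.group(1) if m else "?"

class ActiveState:
    """States set by one rule and consulted by another, each with an expiry."""
    def __init__(self):
        self.expires = {}
    def set(self, key, at, ttl):
        self.expires[key] = at + ttl
    def active(self, key, now):
        exp = self.expires.get(key)
        return exp is not None and now <= exp

class RepeatRule:
    """Fire when `threshold` matching events for one key fall inside a sliding
    `window`. The key's window is cleared on firing, so a burst of 50 events
    yields one alert. With mark_state set, the rule records a state instead of
    alerting (the reply's "record an event as active without an alert")."""
    def __init__(self, name, matches, threshold, window, key, mark_state=None):
        self.name, self.matches, self.threshold = name, matches, threshold
        self.window, self.key, self.mark_state = window, key, mark_state
        self.hits = defaultdict(deque)  # key -> timestamps inside the window

    def feed(self, ev, state):
        if not self.matches(ev):
            return None
        k = self.key(ev)
        q = self.hits[k]
        q.append(ev.time)
        while ev.time - q[0] > self.window:  # expire hits older than Z minutes
            q.popleft()
        if len(q) < self.threshold:
            return None
        count = len(q)
        q.clear()
        if self.mark_state:
            state.set(f"{self.mark_state}:{k}", ev.time, self.window)
            return None
        return Alert(self.name, k, ev.time, count)

class CorrelationRule:
    """Alert on a matching event only while a state for the same key is active."""
    def __init__(self, name, matches, state_prefix, key):
        self.name, self.matches, self.prefix, self.key = name, matches, state_prefix, key
    def feed(self, ev, state):
        if self.matches(ev) and state.active(f"{self.prefix}:{self.key(ev)}", ev.time):
            return Alert(self.name, self.key(ev), ev.time, 1)
        return None

def build_rules():
    """A fresh, stateful rule set. Event IDs 4625/4624/1000 are assumed for the demo."""
    return [
        RepeatRule("failed logon burst", lambda e: e.event_id == 4625, 4,
                   timedelta(minutes=5), account_of, mark_state="bruteforce"),
        CorrelationRule("logon success after failure burst",
                        lambda e: e.event_id == 4624, "bruteforce", account_of),
        RepeatRule("repeated application crash", lambda e: e.event_id == 1000, 3,
                   timedelta(minutes=10), lambda e: e.source),
    ]

def run(events, rules):
    """Replay events in time order through every rule; return the alerts raised."""
    state, alerts = ActiveState(), []
    for ev in sorted(events, key=lambda e: e.time):
        alerts += [a for a in (r.feed(ev, state) for r in rules) if a]
    return alerts

def _ev(ts, eid, source, msg):
    return Event(datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), eid, source, msg)

SEC, APP = "Microsoft-Windows-Security-Auditing", "Application Error"
FAIL = "An account failed to log on. Account Name: "
SAMPLE_EVENTS = [  # constructed for the demo, not real log data
    _ev("2017-03-01 09:00:05", 4625, SEC, FAIL + "svc_backup"),
    _ev("2017-03-01 09:00:20", 4625, SEC, FAIL + "svc_backup"),
    _ev("2017-03-01 09:01:10", 4625, SEC, FAIL + "svc_backup"),
    _ev("2017-03-01 09:01:45", 4625, SEC, FAIL + "svc_backup"),  # 4th in 5 min: state set, no alert
    _ev("2017-03-01 09:02:50", 4624, SEC, "An account was successfully logged on. Account Name: svc_backup"),
    _ev("2017-03-01 09:03:00", 4625, SEC, FAIL + "jdoe"),  # a single failure: nothing fires
    _ev("2017-03-01 09:30:00", 1000, APP, "Faulting application name: app.exe"),
    _ev("2017-03-01 09:45:00", 1000, APP, "Faulting application name: app.exe"),  # 09:30 has left the window
    _ev("2017-03-01 09:50:00", 1000, APP, "Faulting application name: app.exe"),
    _ev("2017-03-01 09:52:00", 1000, APP, "Faulting application name: app.exe"),  # 3rd in 10 min: alert
]

if __name__ == "__main__":
    for a in run(SAMPLE_EVENTS, build_rules()):
        print(f"{a.time:%H:%M:%S} {a.rule}: {a.key} (count={a.count})")
```

Two design points worth noting when doing this on a collector. Clearing a key's window when the threshold is reached is what keeps a sustained burst from re-alerting on every further event (the "several false positive alerts" problem in the original post); a cooldown timer would achieve the same and is the alternative. And because both the sliding windows and the active states live in memory, a script that is invoked fresh on each poll has to persist them (a small file or the collector's own storage) or the counts restart at zero every interval.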