Collective Report vs Individual Alerts



#1 jfarmer


Posted 22 October 2018 - 08:54 PM

Hello,

 

I'm new to Netwrix products, so please forgive me if I'm asking an extremely simple question. I am currently working on recreating reports and alerts that my company had in a previous product; most of the items have been extremely straightforward and better than our last product.

 

One thing I can't seem to figure out is a reboot report. We have a reboot script that runs each night, and there are certain servers that we like to verify were successfully rebooted. Now the live alerts with the event log manager are amazing, but this would mean an individual alert for 20 servers, which can become overwhelming. I see there's an option for the alert to only happen after a set number of times, but that doesn't help. If there are 10 servers and I say "only send after 10 events", then we wouldn't get a report if one missed and that's exactly what we'd want to know.

 

I've looked at the report options in the Auditor piece, and I do see there's a reboot/shut down report, but this isn't pulling the event I want to pull. I've tried using the search option to create a report, but this hasn't been successful. I feel like I'm missing something, and I'm going to guess it's something extremely obvious.

 

If there's any guidance, assistance, or advice someone could offer me that would be greatly appreciated. Thank you!



#2 rihuka


Posted 23 October 2018 - 10:18 AM

Hi there,

 

There are two options to receive alerts separately for each server:

1. Have a separate monitoring plan (MP) with one server per MP;

2. Have a separate alert within the same MP; however, you should specify the appropriate host name in the Computer field (see screenshot), and it should be the same as in the event (see screenshot).

 

As far as I know there is no event ID exactly related to the server reboot; however, the following event IDs of the System event log can be used:

Event ID 6005 “The event log service was started”. - This is related to system startup.
Event ID 6006 “The event log service was stopped”. - This is related to system shutdown.
 
Regarding reporting, only the reports of the "Windows Server\Event Log" group work. Search does not show Event Log data, because Event Log is considered a legacy product and is not compatible with Search.
 
The section "11.4. Monitor Events with Netwrix Auditor Event Log Manager" on p. #110 may help you configure Event Log Manager; the direct link to the documentation is below:



Best regards,
Kirill Kirkov
T2 Support Engineer
 

#3 jfarmer


Posted 23 October 2018 - 11:43 AM

Thank you for the response. I apologize if I wasn't clear in what I'm looking to do, so let me try again.

 

I have the separate alerts working, that's all fine, but that results in one email for each alert. If there are 10 servers, there would be 10 emails, etc. While 10 may not seem all that difficult to manage, when you approach 30-50 individual emails each morning, that can become tough to filter through. I would like to create a report based on a monitoring group, example would be something like Citrix servers, and in that report have all of the reboot events listed for the servers in that group.

 

Because we kick off our reboots based on a script, we have event ID 1074 occur with a specific username. That is the event I am trying to pull into a report, or a collective email. If there are 10 Citrix servers that are supposed to reboot, and all 10 reboot, I want an email that lists all 10. If only 9 of the 10 reboot, I want a report that lists the 9 that were successful.

 

I hope I've explained what I'm looking to create a bit clearer, but please let me know if there's something that doesn't make sense or needs further explanation.

 

Also, if it's not possible to do this in a report or list format, is there another way to generate an email with this information in one email?



#4 rihuka


Posted 23 October 2018 - 01:12 PM

My bad, I thought you would like to review separate emails. In this case you should have one MP with all target servers specified as items and have one alert for the event ID 1074; eventually all collected events will be listed within one email.

 

I would also change the frequency of the data collection; by default it is 10 minutes:

Task Scheduler > Task Scheduler Library > Event Log Manager Task > Edit Trigger > Repeat task every: 10 minutes. Depending on how often the target server is restarted, I would say twice a day; in this case the value should be "12 hours".

 

So twice a day you should receive the email with the events from all target servers.


Best regards,
Kirill Kirkov
T2 Support Engineer
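
The collective report discussed in this thread (one message listing every server in a group that logged Event ID 1074 under the reboot account, with the servers that did not) can also be sketched outside the product with Windows' built-in `Get-WinEvent`. This is an added example, not Netwrix functionality and not code from either poster; the function names, server names, account name and sample records are constructed placeholders.

```powershell
function Get-RebootEvents {
    # Live query: System log, Event ID 1074, newer than $Since, one call per server.
    param([string[]]$Servers, [datetime]$Since)
    foreach ($s in $Servers) {
        try {
            Get-WinEvent -ComputerName $s -ErrorAction Stop -FilterHashtable @{
                LogName = 'System'; Id = 1074; StartTime = $Since
            } | ForEach-Object {
                [pscustomobject]@{
                    Server = $s
                    Time   = $_.TimeCreated
                    User   = $_.Properties[6].Value  # 7th insertion string: "on behalf of user"
                }
            }
        } catch {
            # Unreachable host or no matching event: the server yields no rows
            # and New-RebootDigest reports it as MISSED.
        }
    }
}

function New-RebootDigest {
    # One line per expected server, so a missing reboot is visible in the same message.
    param([string[]]$Expected, [object[]]$Events, [string]$Account)
    $hits = $Events | Where-Object { $_.User -eq $Account }
    $lines = foreach ($s in $Expected) {
        $last = $hits | Where-Object { $_.Server -eq $s } |
                Sort-Object Time -Descending | Select-Object -First 1
        if ($last) { "OK      $s  $($last.Time.ToString('s'))" }
        else       { "MISSED  $s  no 1074 event from $Account" }
    }
    $lines -join "`n"
}

# Constructed sample: CTX02 was restarted by a different user, CTX03 logged nothing.
$expected = 'CTX01', 'CTX02', 'CTX03'
$sample = @(
    [pscustomobject]@{ Server = 'CTX01'; Time = [datetime]'2018-10-23T02:00:11'; User = 'CORP\svc-reboot' }
    [pscustomobject]@{ Server = 'CTX02'; Time = [datetime]'2018-10-23T02:00:40'; User = 'CORP\jdoe' }
)
New-RebootDigest -Expected $expected -Events $sample -Account 'CORP\svc-reboot'
```

Against real servers, pass the output of `Get-RebootEvents` as `-Events` and send the returned string as the body of a single email.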
 



