Missing event detection problem
We have a problem with missing event detections. We have two event IDs on a single server we need to see in a specific time frame. One is usually finished at 00:02 and the other at 00:45.
We have created two (almost identical) monitors, with a timed reset of the state after 1 hour (without closing the alert). The monitor for the first event detects between 12:00 AM and 01:15 AM and the second between 12:01 AM and 01:15 AM
Now the second rule always fires correctly (only when missing), but the first one (for the event generated around 00:02 AM) sometimes fires (2 to 3 times a week), even when an alert is generated in the given time frame. Since the alert gets detected on all other days, I assume the event configuration is set correctly. And there seems to be no logic in the days when an event is incorrectly reported as missing, so I also assume my missing event time frame is set correctly for all days. And of course I double checked and compared to the correctly working rule (I can't find any misconfigurations).
We looked at the generated alerts which were incorrectly reported as missing. But no logic can be found (sometimes the alert is just after 00:02 and sometimes just before 00:02) and no specific days can be filtered when the alert is incorrectly reported.
It looks like the monitor is not working correctly when an alert is generated just after 12:00 AM (or at least a specific, unknown to me, timeframe).
We also tried for the first event to let the rule detect over two days (starting at 11:30 PM the day before and ending at 00:30 the day after midnight), but this doesn't seem to have any effect.
Any suggestions or known issues?
Regards,
Marc Klaver
http://jama00.wordpress.com/
October 19th, 2010 9:17am
Hi Marc,
Did you check the event log to see if the time of the event there is not within 12:00 and 01:15 AM? Is the time the only difference between the two monitors? Or are there any other differences?
Thanks,
Shreedevi
This posting is provided "AS IS" with no warranties, and confers no rights. Use of included script samples is subject to the terms specified at http://www.microsoft.com/info/cpyright.htm
October 19th, 2010 11:14pm
Hi Shreedevi,
thanks for your reply.
Yes the alerts are within the specified time frame (so the alert should not be generated) and the two monitors differ in time (1 minute) and event id (but do have the same event source).
Regards,
Marc Klaver
http://jama00.wordpress.com/
October 21st, 2010 8:07pm
It is confirmed to be a bug in the agent and scheduled to be fixed in CU5. Until then a workaround should be created by running a WMI script, which will detect the missing event.
Regards,
Marc Klaver
http://jama00.wordpress.com/
November 29th, 2010 12:17pm
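The thread ends with the workaround of a WMI script that checks for the expected event itself. The script below is an added example of such a check, not Marc's script and not part of the thread: it queries Win32_NTLogEvent through WMI for an event with a given source and ID inside today's 12:00 AM to 01:15 AM window (the window used by the first monitor in the thread) and reports "Present" or "Missing" as a SCOM property bag, which a script-based monitor can map to a healthy or critical state. The log name, event source and event ID are placeholders, since the thread never states them; the MOM.ScriptAPI object is only available on a machine with the Operations Manager agent installed, so the script falls back to plain output when it is absent.

```powershell
<#
  Added example, not the script from the thread: a PowerShell/WMI check that a
  SCOM script-based monitor (or a scheduled task) can run shortly after the
  detection window closes, to report whether an expected event was written
  to the event log between 12:00 AM and 01:15 AM.
  Assumptions (placeholders): log name, event source and event ID are not
  given in the thread and must be replaced with the real values.
#>
param(
    [string]$LogName     = 'Application',         # placeholder: log the job writes to
    [string]$Source      = 'PLACEHOLDER_SOURCE',  # placeholder: event source shared by both events
    [int]   $EventId     = 0,                     # placeholder: the event ID to look for
    [string]$WindowStart = '00:00',               # window used by the thread's first monitor
    [string]$WindowEnd   = '01:15'
)

function Get-ExpectedEvents {
    param([string]$LogName, [string]$Source, [int]$EventId,
          [datetime]$Start, [datetime]$End)

    # WMI stores TimeGenerated as a DMTF string (yyyymmddHHMMSS.mmmmmm+UTC) and
    # WQL compares those strings lexically, so convert the window bounds first.
    $startDmtf = [System.Management.ManagementDateTimeConverter]::ToDmtfDateTime($Start)
    $endDmtf   = [System.Management.ManagementDateTimeConverter]::ToDmtfDateTime($End)

    $query = "SELECT EventCode, SourceName, TimeGenerated FROM Win32_NTLogEvent " +
             "WHERE Logfile = '$LogName' AND SourceName = '$Source' AND EventCode = $EventId " +
             "AND TimeGenerated >= '$startDmtf' AND TimeGenerated <= '$endDmtf'"

    # @() guarantees an array even when zero or one event comes back.
    return @(Get-WmiObject -Query $query -ErrorAction Stop)
}

# Anchor the window on today's date. Run this after $WindowEnd (for example at
# 01:20 AM) so the whole window lies in the past and an event written just
# after midnight is unambiguously inside it.
$today = (Get-Date).Date
$start = $today.Add([TimeSpan]::Parse($WindowStart))
$end   = $today.Add([TimeSpan]::Parse($WindowEnd))

$events = Get-ExpectedEvents -LogName $LogName -Source $Source -EventId $EventId -Start $start -End $end
$state  = if ($events.Count -gt 0) { 'Present' } else { 'Missing' }

# Inside a SCOM script monitor, return a property bag the monitor can evaluate
# (State = 'Missing' -> critical). When the agent's MOM.ScriptAPI COM object is
# not installed (e.g. testing by hand), fall back to plain output.
try {
    $api = New-Object -ComObject 'MOM.ScriptAPI'
    $bag = $api.CreatePropertyBag()
    $bag.AddValue('State', $state)
    $bag.AddValue('EventCount', $events.Count)
    $bag.AddValue('WindowStart', $start.ToString('s'))
    $bag.AddValue('WindowEnd', $end.ToString('s'))
    $api.Return($bag)
}
catch {
    [pscustomobject]@{
        State       = $state
        EventCount  = $events.Count
        WindowStart = $start
        WindowEnd   = $end
    }
}
```

Running the check once, after the window has closed, sidesteps the timing ambiguity the thread describes: instead of a monitor that must notice an event arriving a few seconds either side of 00:02 while its own detection window is open, the script evaluates a fixed, already completed interval and reports a single result. Because the property bag carries the window bounds and the event count, the alert description can show exactly what was searched when a "Missing" state is raised.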