Correlated Event Detection Monitor with missing Event

Question

  • Hi

    I have two Windows Event Log Events.
    If the first event occurs and the second event occurs within max. 30 seconds, the monitor shouldn't create an alert. If the first event occurs and the other event does not occur within 30 seconds, the monitor should create an alert.

    When the first event comes, and after 20 seconds it comes again, then the counter should still be at 20 seconds and not reset.

    I wanted to create a Missing Correlated Events Monitor. But the graphic in the wizard confuses me. Does anybody know which config is the right one for my problem?

    Kind Regards

    Stately

    Thursday, April 30, 2020 12:25 PM

Answers

  • Hi,

    I believe the Correlated Missing Event Detection should work for your scenario; you would choose this one when you need an alert when you have “some correlation” between two events.

    For example:

    The first event occurs, then we’re expecting a second event to happen within 30 seconds of the first event, but the second event isn’t raised within the 30 seconds, then we'd like an alert.

    Here's what the different correlation options mean:

    The First Occurrence Of A With The Configured Occurrence Of B In Chronological Order
    This monitors for the event defined in Log A to occur, and then will monitor for the specified
    number of events defined in Log B to occur. When this number is not reached in the time frame specified,
    the monitor health will change to the defined state.

    The First Occurrence Of A With The Configured Occurrence Of B, Or Vice Versa
    This monitors for the event defined in either log to occur, and then will monitor for the specified
    number of events defined from the other log to occur. When this number is not reached in the time
    frame specified, the monitor health will change to the defined state.

    The Last Occurrence Of A With The Configured Occurrence Of B In Chronological Order
    This monitors for the non-occurrence of the specified number of events from Log B since the last
    occurrence of the defined event from Log A, in the specified amount of time.

    The Last Occurrence Of A With The Configured Occurrence Of B, Or Vice Versa
    This monitors for the non-occurrence of the specified number of events from Log A or Log B in the last
    occurrence of the defined event from the other log file, in the specified amount of time.

    The First Occurrence Of A With The Configured Occurrence Of B Happens, Enable Interval Restart
    This monitors for the non-occurrence of the specified number of events from Log B to
    appear after the event from Log A has appeared. On each successive appearance of the event from Log A, the timer is reset.

    ----------------------------------------------------------------------------------------------------------

    So in your case the First Occurrence Of A With The Configured Occurrence Of B In Chronological Order should work.

    On the correlation screen you have the correlation interval; this interval specifies how long to watch for the event pattern after receiving the first event.

    Best regards,
    Leon


    Blog: https://thesystemcenterblog.com

    Thursday, April 30, 2020 2:51 PM
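As an added illustration (not code from this thread or from SCOM itself), the following Python simulation replays a constructed event stream under the two modes Leon describes for the asker's case: plain "First Occurrence Of A With The Configured Occurrence Of B In Chronological Order", where a repeated A does not move the deadline, and the "Enable Interval Restart" variant, where every A resets the timer. The window and deadline handling is an assumption that models the text; it is not SCOM's implementation.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    """One Windows event as the monitor sees it: source log (A or B) and time in seconds."""
    log: str    # "A" or "B"
    time: int   # seconds on a constructed timeline (sample values below)


def missing_event_alerts(events, interval, required_b=1, interval_restart=False):
    """Replay a chronological stream through an assumed model of the
    'first occurrence of A with the configured occurrence of B' correlation.

    - The first A opens a window that closes `interval` seconds later.
    - Without interval_restart, further A events inside the window do not move
      the deadline (the asker's 20-second case); with it, each A resets the deadline.
    - If fewer than `required_b` B events arrive before the deadline, an alert is
      recorded at the deadline time and the window closes.
    Returns the list of alert times.
    """
    alerts, deadline, b_seen = [], None, 0
    for ev in sorted(events, key=lambda e: e.time):
        # Close an expired window before looking at this event.
        if deadline is not None and ev.time > deadline:
            if b_seen < required_b:
                alerts.append(deadline)
            deadline, b_seen = None, 0
        if ev.log == "A":
            if deadline is None or interval_restart:
                deadline = ev.time + interval
        elif ev.log == "B" and deadline is not None:
            b_seen += 1
            if b_seen >= required_b:
                deadline, b_seen = None, 0   # pattern satisfied, no alert
    if deadline is not None and b_seen < required_b:
        alerts.append(deadline)   # window still open when the stream ended
    return alerts


if __name__ == "__main__":
    # Constructed sample: A at 0 s, A again at 20 s, B only at 35 s, 30 s interval.
    stream = [Event("A", 0), Event("A", 20), Event("B", 35)]
    print("chronological order:", missing_event_alerts(stream, 30))          # alert at 30
    print("interval restart:   ", missing_event_alerts(stream, 30, interval_restart=True))  # none
```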

All replies

  • Hi Leon Laude,
    Thanks for your answer. I have the same scenario as StatelyElf, however mine is slightly different. My host is connecting to more than one application, so there will be dedicated events occurring for each application. For example, event ids 96 and 97 occur in chronological order when an application is lost and restored. This is where we wanted to configure an alert when event 97 did not occur within 30 mins after the event 96 occurrence. We do have the application name in 'Parameter 5' of the event details, so we will have to segregate the monitoring of these events based on application name. I used 'Advanced options' given under the 'Configure Correlation' section, where I have mentioned an expression like 'Parameter 5' equals 'Parameter 5'. Will it work if I do it this way?

    Wednesday, July 8, 2020 3:27 AM