Trying to drop an Exchange 2010 critical alert down to a Warning

  • Question

  • Hello,

    We are receiving the following critical alert from our Exchange 2010 mp, Number of items in retry table has been more than 30000 for 30 minutes. Which we are trying to drop down to a Warning while we troubleshoot the issue.

    So, following previous advice (I believe from Kevin Holman) – For the Exchange 2010 MP, never perform an override on the alerting Rule, because this can break the way the correlation engine works. Always find the associated monitor that the alerting rule is originating from and override that monitor.

    So... the monitor name is “KHI: Number of items in retry table has been more than 30000 for 30 minutes”.  I then created an override for the Severity parameter and changed it to a Warning.  But, the critical alerts are still being generated.

    I then decided to override the Rule just to see if that would work.  The rule name is KHI: Number of items in retry table has been more than 30000 for 30 minutes.  When I look at the Severity parameter the default value is $Data/EventData/CorrelatedContext/RootCause/Severity$.   I then created an override and changed this to a 1 (which is equivalent to a Warning).  But, the critical alerts are still being generated.

    How can I drop this down to a Warning?

    Thanks,

    Tom

    Tom Martin Email: tmartin@caa.com
    Thursday, July 28, 2011 6:01 PM

Answers

  • I'm not quite sure it's clear, but when changing the severity of an alert in the Exchange 2010 MP, first, find the rule that targets the RMS:

     

    Then, when you need to target the override at the RMS and not the Exchange class. When you select Override, select "For all objects of another class" and then select Root Management Server; set severity to 1.

     

     

     


    "Fear disturbs your concentration"
    • Marked as answer by martit01 Thursday, November 3, 2011 6:28 PM
    Thursday, November 3, 2011 5:10 PM
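
The scoping behaviour this answer relies on, as an added example that is not part of the original thread and not Operations Manager code: a simplified Python model in which an override only takes effect when its context class covers the class the rule runs on. The flat class hierarchy and all function names are assumptions made for illustration.

```python
# Simplified model of override scoping; constructed for illustration,
# not Operations Manager code.
from dataclasses import dataclass

WARNING, CRITICAL = 1, 2  # alert severity values; the thread uses 1 for Warning

RMS = "Root Management Server"
INDEXER = "Database Search Copy Indexer"  # class name as quoted in the thread
# child class -> parent class; this flat hierarchy is an assumption
PARENT = {RMS: "Entity", INDEXER: "Entity", "Entity": None}

@dataclass(frozen=True)
class Rule:
    name: str
    target: str  # class whose instances run the rule

@dataclass(frozen=True)
class Override:
    rule: str
    context: str  # class the override is scoped to
    severity: int

def is_a(cls, ancestor):
    """True if cls equals ancestor or derives from it."""
    while cls is not None:
        if cls == ancestor:
            return True
        cls = PARENT.get(cls)
    return False

def alert_severity(rule, event_severity, overrides):
    """Severity of the alert when the rule runs on an instance of its target."""
    severity = event_severity  # default: taken from the correlated event
    for o in overrides:
        if o.rule == rule.name and is_a(rule.target, o.context):
            severity = o.severity
    return severity

def inert_overrides(rule, overrides):
    """Overrides for this rule whose context never covers the rule's target."""
    return [o for o in overrides
            if o.rule == rule.name
            and not is_a(rule.target, o.context)
            and not is_a(o.context, rule.target)]

KHI = Rule("KHI: Number of items in retry table has been more than 30000 for 30 minutes", RMS)
on_exchange_class = Override(KHI.name, INDEXER, WARNING)
on_rms = Override(KHI.name, RMS, WARNING)
```

In this model the override scoped to the Exchange class is reported by `inert_overrides` and the alert stays Critical, while the one scoped to Root Management Server lowers it to Warning.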

All replies

  • You may or may not be able to.  Depends.  The approach you should take is to click on the alert, then right click, and then create override.  This will cause the override to apply to the correct rule.  The way the Exchange MP works is that monitors (which do not alert) change state.  These may have alert descriptions etc, but if alerting is disabled, those won't matter to your case.  The correlation engine then queries the OM DB rapidly, watching for a collection of related state changes.  When it sees an item of interest, it applies custom (unconfigurable) logic and decides to alert.  To alert, it writes an event to the Event Log and then a custom matching rule that triggers the alert is fired.

    If you can find that rule that is triggered by the event, you will have the one to override.

     


    Microsoft Corporation
    Thursday, July 28, 2011 7:11 PM
  • Hello Dan,

    When I select and right click on the alert I choose Override | For all objects of class: Database Search Copy Indexed.  At this point I'm presented with only three Parameters to override for this Rule: Enabled, Priority and Severity.  The Default Value for Severity is $Data/EventData/CorrelatedContext/RootCause/Severity$. Knowing that my goal is to override this alert to a Warning I check mark Severity and configure the Override Value to a 1 (=Warning).  But, it still generates a Critical...?

    Thanks,

    Tom


    Tom Martin Email: tmartin@caa.com
    Thursday, July 28, 2011 10:39 PM
  • Hi Tom,

     

    Regarding overriding alert severity and priority, I would like to share the following post with you for your reference:

     

    Alert Severity and Priority use with override

    http://blogs.msdn.com/b/mariussutara/archive/2007/12/17/alert-severity-and-priority-use-with-override.aspx

     

    Hope this helps.

     

    Thanks.
    Nicholas Li - MSFT
    Monday, August 1, 2011 6:05 AM
  • Hi Nicholas,

    Thanks for the suggestion, but this is how I performed the override already on the Monitor and the alerting Rule itself.  But, it's still alerting as a Critical.  This appears to be an issue with the Exchange 2010 MP.

    Thanks,

    Tom


    Tom Martin Email: tmartin@caa.com
    Tuesday, August 2, 2011 12:18 AM
  • Hi,

     

    Thank you for your update.

     

    At this time, please try clearing the HealthService queue on the monitored Exchange Server:

     

    1.    Stop System Center Management service.

    2.    Go to C:\Program Files\System Center Operations Manager 2007\, and rename the “Health Service State” folder.

    3.    Restart System Center Management service.

     

    You can also try the Effective Configuration Viewer to check the issue:

     

    SC Ops Mgr 2007 Resource Kit – Effective Configuration Viewer

    http://www.microsoft.com/download/en/details.aspx?displaylang=en&id=6742

     

    Hope this helps.

     

    Thanks.
    Nicholas Li - MSFT
    • Proposed as answer by Nicholas Li Friday, August 5, 2011 5:26 AM
    • Marked as answer by Nicholas Li Friday, August 5, 2011 10:22 AM
    • Unmarked as answer by martit01 Thursday, November 3, 2011 6:28 PM
    Tuesday, August 2, 2011 9:36 AM
  • Were you able to get a resolution to this? I am also experiencing this exact same problem.
    Thursday, November 3, 2011 2:06 PM
  • I have tried the suggested fix and still am having the same issue. As you can see below the override is completed. But above that they still come in as critical.
    Thursday, November 3, 2011 2:15 PM
  • not sure if it helps. try to restart SDK service and Exchange Correlation engine service. Both located on RMS
    Thursday, November 3, 2011 2:29 PM
  • oh. just realized. the rule mentioned is managed by RMS and you are trying to override it for foreign class "Database Search Copy Indexer" which is remotely hosted not by RMS. I.e. your override is acting as Null one, does nothing

    try to change override target to "Root Management Server"

    Thursday, November 3, 2011 3:04 PM
  • This was already targeted to the RMS. See the capture.
    Thursday, November 3, 2011 4:39 PM
  • i mean overrides target, not rule's one

    Thursday, November 3, 2011 4:48 PM
  • I've just made that change. I will let you know if it resolved the issue.

    Thanks.
    Thursday, November 3, 2011 4:58 PM
  • Setting the override to target the class RMS (or RMS Emulator) works.  I just confirmed this.

    EFD

    Tuesday, July 2, 2013 1:31 PM
  • Hello Andy,

    In this case, what if I want to override the rule for only a set of Exchange servers? Like, for example, I want to downgrade the severity from critical to warning only for my production Exchange server and not for test Exchange servers. How can I achieve this if I put an override on the RMS class?

    Appreciate your response.

    -Prajul

    Thursday, March 24, 2016 12:41 PM