How to continuously alert on specific triggered rules in Monitor Solution 6.x

Article:HOWTO9245  |  Created: 2008-07-11  |  Updated: 2011-01-20  |  Article URL http://www.symantec.com/docs/HOWTO9245
Article Type
How To



Current Monitor Solution architecture allows for an action to occur when a rule is triggered, but can you schedule an action to occur continuously, or at a specific time, for rules which are already triggered?

 

Environment

Monitor Solution for Servers 6.x

 

Solution

Combine a SQL query with a Notification Policy: the query returns the rows for specific triggered rules, and the policy executes an Automated Action based on the rows returned. The following steps outline how to continuously send an e-mail alert based on specific criteria for currently triggered rules:

 

  1. Identify the desired criteria from the SQL examples below and adjust them accordingly:
      
    All Currently Triggered Rules
     
    SELECT vc.[Name] [Machine Name], t.[Rule Name], mtr.[Rule State],
           t.[_eventTime] [Event Time] FROM (
                  SELECT [_ResourceGuid], [Rule Name], MAX([_eventTime]) [_eventTime]
                  FROM Evt_AeX_Monitor_Triggered_Rules
                  GROUP BY [_ResourceGuid], [Rule Name]) t
    INNER JOIN Evt_AeX_Monitor_Triggered_Rules mtr 
    ON (t.[_eventTime] = mtr.[_eventTime]
           AND t.[Rule Name] = mtr.[Rule Name]
           AND t.[_ResourceGuid] = mtr.[_ResourceGuid])
    INNER JOIN vComputer vc
    ON mtr.[_ResourceGuid] = vc.[Guid]
    WHERE mtr.[Triggered] = 'True'
    AND mtr.[Rule State] != 'Normal'
    ORDER BY mtr.[_eventTime] DESC
     
     
    Current Triggered Rules for a Specific Rule
     
    SELECT vc.[Name] [Machine Name], t.[Rule Name], mtr.[Rule State],
           t.[_eventTime] [Event Time] FROM (
                  SELECT [_ResourceGuid], [Rule Name], MAX([_eventTime]) [_eventTime]
                  FROM Evt_AeX_Monitor_Triggered_Rules
                  GROUP BY [_ResourceGuid], [Rule Name]) t
    INNER JOIN Evt_AeX_Monitor_Triggered_Rules mtr 
    ON (t.[_eventTime] = mtr.[_eventTime]
           AND t.[Rule Name] = mtr.[Rule Name]
           AND t.[_ResourceGuid] = mtr.[_ResourceGuid])
    INNER JOIN vComputer vc
    ON mtr.[_ResourceGuid] = vc.[Guid]
    WHERE mtr.[Triggered] = 'True'
    AND mtr.[Rule State] != 'Normal'
    AND mtr.[Rule Name] = 'Physical Memory - Excessively low physical memory remains available Linux'
    ORDER BY mtr.[_eventTime] DESC
     
     
    Current Triggered Rules for a Specific Resource
     
    SELECT vc.[Name] [Machine Name], t.[Rule Name], mtr.[Rule State],
           t.[_eventTime] [Event Time] FROM (
                  SELECT [_ResourceGuid], [Rule Name], MAX([_eventTime]) [_eventTime]
                  FROM Evt_AeX_Monitor_Triggered_Rules
                  GROUP BY [_ResourceGuid], [Rule Name]) t
    INNER JOIN Evt_AeX_Monitor_Triggered_Rules mtr 
    ON (t.[_eventTime] = mtr.[_eventTime]
           AND t.[Rule Name] = mtr.[Rule Name]
           AND t.[_ResourceGuid] = mtr.[_ResourceGuid])
    INNER JOIN vComputer vc
    ON mtr.[_ResourceGuid] = vc.[Guid]
    WHERE mtr.[Triggered] = 'True'
    AND mtr.[Rule State] != 'Normal'
    AND vc.[Name] = 'WESS-SQL1'
    ORDER BY mtr.[_eventTime] DESC
     
     
    Current Triggered Rules from the past 5 days
     
     
    SELECT vc.[Name] [Machine Name], t.[Rule Name], mtr.[Rule State],
           t.[_eventTime] [Event Time] FROM (
                  SELECT [_ResourceGuid], [Rule Name], MAX([_eventTime]) [_eventTime]
                  FROM Evt_AeX_Monitor_Triggered_Rules
                  GROUP BY [_ResourceGuid], [Rule Name]) t
    INNER JOIN Evt_AeX_Monitor_Triggered_Rules mtr 
    ON (t.[_eventTime] = mtr.[_eventTime]
           AND t.[Rule Name] = mtr.[Rule Name]
           AND t.[_ResourceGuid] = mtr.[_ResourceGuid])
    INNER JOIN vComputer vc
    ON mtr.[_ResourceGuid] = vc.[Guid]
    WHERE mtr.[Triggered] = 'True'
    AND mtr.[Rule State] != 'Normal'
    AND DATEDIFF(DAY, mtr.[_eventTime], GETDATE()) <= 5
    ORDER BY mtr.[_eventTime] DESC 
      
      
  2. In the Altiris Console 6.0, go to Tasks > Monitoring > Monitor Solution
      
  3. Right-click Notification Policies and choose New > Notification Policy
      
  4. Name the new Notification Policy something appropriate, for Source choose Query, then click Create Query
      
  5. In the Begin a Query window, choose Edit SQL Directly
      
  6. Enter the desired SQL query as referenced above in the text box
      
  7. Choose Run to ensure the query executes successfully and the results are correct, then choose Finish
      
  8. Adjust the schedule to the desired alert interval
      
    Example:  Custom Schedule: Every 1 hours from 11:10 AM for 23 hours every 1 days, starting Thursday, June 26, 2008
      
  9. Create and configure the appropriate Automated Action to occur at each scheduled interval then choose OK
      
    Note:  When choosing E-mail Automated Action, ensure that it is Enabled, and for the "Message:" contents enter:  %Results%
      
    Choosing "Only Once" will send a single e-mail, and choosing "Once Per Row" will send a separate e-mail for each triggered rule
      
  10. Enable the Notification Policy, choose Apply, then choose Test Notification Policy to ensure the entire Notification Policy functions correctly
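
The queries in step 1 all join each event to the newest event for the same machine and rule before filtering. The following added example (not part of the original article) runs that pattern next to a plain filter on constructed data, so the effect can be checked before adjusting a query for a policy. The table variables, machine names, rule name, column types and the 'Critical' and 'Warning' state values are assumptions; only the column names and 'Normal' come from the article.

```sql
-- Constructed sample data in table variables; nothing here touches the
-- Altiris database. Column names follow the article's queries, the column
-- types and the non-'Normal' state names are assumptions.
DECLARE @Rules TABLE (
    [_ResourceGuid] uniqueidentifier, [Rule Name] nvarchar(200),
    [Rule State] nvarchar(20), [Triggered] varchar(5), [_eventTime] datetime);
DECLARE @Computers TABLE ([Guid] uniqueidentifier, [Name] nvarchar(64));

DECLARE @a uniqueidentifier, @b uniqueidentifier, @now datetime;
SELECT @a = NEWID(), @b = NEWID(), @now = GETDATE();
INSERT INTO @Computers VALUES (@a, 'SAMPLE-SRV-A');
INSERT INTO @Computers VALUES (@b, 'SAMPLE-SRV-B');

-- SAMPLE-SRV-A: the rule fired three hours ago and reset one hour ago.
INSERT INTO @Rules VALUES (@a, 'Sample disk rule', 'Critical', 'True',  DATEADD(HOUR, -3, @now));
INSERT INTO @Rules VALUES (@a, 'Sample disk rule', 'Normal',   'False', DATEADD(HOUR, -1, @now));
-- SAMPLE-SRV-B: the rule fired twice and has not reset.
INSERT INTO @Rules VALUES (@b, 'Sample disk rule', 'Warning',  'True',  DATEADD(HOUR, -4, @now));
INSERT INTO @Rules VALUES (@b, 'Sample disk rule', 'Critical', 'True',  DATEADD(HOUR, -2, @now));

-- Plain filter: matches every historical event that was in a triggered
-- state, including SAMPLE-SRV-A's stale event and both SAMPLE-SRV-B events.
SELECT c.[Name] [Machine Name], r.[Rule Name], r.[Rule State],
       r.[_eventTime] [Event Time]
FROM @Rules r
INNER JOIN @Computers c ON r.[_ResourceGuid] = c.[Guid]
WHERE r.[Triggered] = 'True' AND r.[Rule State] != 'Normal'
ORDER BY r.[_eventTime] DESC;

-- Article's pattern: keep only the newest event per machine and rule, then
-- apply the same filter, so a rule whose newest event is Normal drops out.
SELECT c.[Name] [Machine Name], t.[Rule Name], r.[Rule State],
       t.[_eventTime] [Event Time]
FROM (SELECT [_ResourceGuid], [Rule Name], MAX([_eventTime]) [_eventTime]
      FROM @Rules
      GROUP BY [_ResourceGuid], [Rule Name]) t
INNER JOIN @Rules r
    ON t.[_eventTime] = r.[_eventTime]
   AND t.[Rule Name] = r.[Rule Name]
   AND t.[_ResourceGuid] = r.[_ResourceGuid]
INNER JOIN @Computers c ON r.[_ResourceGuid] = c.[Guid]
WHERE r.[Triggered] = 'True' AND r.[Rule State] != 'Normal'
ORDER BY r.[_eventTime] DESC;
```

Run it as a single batch in a scratch query window. With "Once Per Row" selected in the E-mail Automated Action, each row of the second result set corresponds to one e-mail per scheduled run.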

 


Legacy ID



43093

