We are receiving alerts for old event IDs; moreover, it's generating alerts for events with old information that has been obsolete. It should generate an alert with new details (backup fail alert).
How can we make sure that it won't pick up the old event from events, so that there won't be any false alert, as it's causing issues within the monitoring?
There is a backup position file that is created to track the last location read.
Sounds like something might be happening with this file.
You can check the following settings and try adjusting them to see if this helps:
Disable continuous update of position file: allows you to update the position file at the specified interval. Default: Selected. (Version 4.21 or earlier) This field is not selected, by default.
Important! This field must be enabled for both Poll Interval and Event Mode in case of higher event generation rate.
Enable Position File Backup Interval: allows the probe to back up the position file. Default: Not selected
Position File Backup Interval: defines the time interval when the probe backs up the position file. Default: 10 Seconds
Note: The probe keeps the backup of the position file during unexpected system reboot or system crash. In such cases, reboot alarms occur, but it is possible to get duplicate alarms for the specified time interval.
But should it not, I would suggest contacting support.
Thanks a lot for such an elaborated answer and help as always. I made changes in "Position File Update Interval" to 60 seconds from 1 second.
Rest of the things looked ok, could you please confirm if it would make any difference as now it would change the position after 60 seconds and it won't be a frequent change of file update position as it was happening with 1 second interval.
Please help with other options which might help to eliminate or minimize this issue.
This will be kind of trial and error.
I would try 15 seconds at first and monitor and see how it goes.
Thanks a lot again for your clarification on the issue, so I will start with 15 seconds and if everything goes fine (no alert generates with old event or old event description) then we can stick to 15 seconds.
Could you please help me with one more query related to the logmon probe:
Usually we monitor log files with a configuration such that if a particular string is found in the log file, then an event is generated. But if we want to configure log file monitoring in such a way that a particular string is not found in the file for some specific time in hours (for example, 4 hours), how would we configure that?
Currently, logmon and other log monitoring tools each basically check a block of text or a single line for a string.
While it is possible in THEORY to write a regex to check for something that is NOT there, it is very difficult and usually very IO intensive to do all the checks necessary.
That, coupled with lack of a time, makes this very hard if not impossible.
I have talked to other clients who use a script to check for a string and keep track of the time.
If an alarm needs to be generated based on the checks in the script, either use nimalarm to generate the alarm or update a log file that logmon is watching to generate the alarm.
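
A sketch of the script approach described in the last reply, added here as an example and not code from the thread or from the vendor: it tracks its own read offset and last-seen time, and appends a line to a second log file that logmon can watch with an ordinary string match. The function name, the `STRING_MISSING` marker, the state file layout and the paths in the closing comment are all assumptions made for illustration.

```python
import json
import os
import time

def check_absent(log_path, state_path, alarm_path, needle, max_age_s, now=None):
    """Return True (and append an alarm line) if `needle` has not appeared
    in log_path for more than max_age_s seconds."""
    now = time.time() if now is None else now
    try:
        with open(state_path) as f:
            state = json.load(f)
    except (OSError, ValueError):
        # First run or unreadable state: start the clock now, read from the top.
        state = {"offset": 0, "last_seen": now}

    size = os.path.getsize(log_path) if os.path.exists(log_path) else 0
    if size < state["offset"]:
        state["offset"] = 0  # log was rotated or truncated; re-read from start

    if size > state["offset"]:
        with open(log_path, "rb") as f:
            f.seek(state["offset"])
            chunk = f.read(size - state["offset"])
        # Consume only complete lines so a half-written line is re-read next run.
        end = chunk.rfind(b"\n") + 1
        if needle.encode() in chunk[:end]:
            state["last_seen"] = now
        state["offset"] += end

    # Replace the state file atomically so a crash cannot leave it half-written.
    tmp = state_path + ".tmp"
    with open(tmp, "w") as f:
        json.dump(state, f)
    os.replace(tmp, state_path)

    if now - state["last_seen"] > max_age_s:
        stamp = time.strftime("%Y-%m-%d %H:%M:%S", time.localtime(now))
        with open(alarm_path, "a") as f:
            f.write(f"{stamp} STRING_MISSING '{needle}' not seen in {log_path} "
                    f"for {int(now - state['last_seen'])}s\n")
        return True
    return False

# Scheduled use (constructed paths and string), e.g. every few minutes:
# check_absent("/var/log/backup.log", "/var/tmp/backup_seen.json",
#              "/var/log/string_watch.log", "Backup completed", 4 * 3600)
```

While the string stays missing, each run appends another `STRING_MISSING` line, so the schedule interval sets how often the watched file produces a match.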