DX Unified Infrastructure Management

So question, we have a profile in our base ntevl probe that matches on the following:
[PROFILES]

[MSExchange]
      source = /(?i)MSExchange.*/
      event_id = 1003,1012,1112,..etc+..

This captures many 'bad' MSExchange* related events from all sources that start with MSExchange. But it also captures one from the source: MSExchangeApplicationLogic with Event ID 1003 which is not a bad event. It's a 'success' event ID and we don't want to alert on it? 

Instead of creating 25+ source exactly specific Event 1003 profiles, would adding this one source specific profile to the Exclude tab override and not cause the probe to alarm to get triggered from the Profiles tab?
So if I added to the EXCLUDE tab:
[EXCLUDE]
[MSExchangeAppLogic1003Exclude]
      source = /(?i)MSExchangeApplicationLogic.*/
      event_id = 1003

would this then NOT alarm even though it would match the condition in the profile tab?

#ntevl #exclude #override



​​​​​​

------------------------------
Daniel Blanco
Enterprise Tools Architect
Alphaserve Technologies
------------------------------

that is exactly what I would expect it to do.
because you added it to the exclude section, even though there is a match found it should not send an alarm.

------------------------------
Gene Howard
Principal Support Engineer
Broadcom
------------------------------

Original Message:
Sent: 08-09-2019 10:43 AM
From: Daniel Blanco
Subject: ntevl which happens first exclude or profile alarm

So question, we have a profile in our base ntevl probe that matches on the following:
[PROFILES]

[MSExchange]
      source = /(?i)MSExchange.*/
      event_id = 1003,1012,1112,..etc+..

This captures many 'bad' MSExchange* related events from all sources that start with MSExchange. But it also captures one from the source: MSExchangeApplicationLogic with Event ID 1003 which is not a bad event. It's a 'success' event ID and we don't want to alert on it? 

Instead of creating 25+ source exactly specific Event 1003 profiles, would adding this one source specific profile to the Exclude tab override and not cause the probe to alarm to get triggered from the Profiles tab?
So if I added to the EXCLUDE tab:
[EXCLUDE]
[MSExchangeAppLogic1003Exclude]
      source = /(?i)MSExchangeApplicationLogic.*/
      event_id = 1003

would this then NOT alarm even though it would match the condition in the profile tab?

#ntevl #exclude #override



​​​​​​

------------------------------
Daniel Blanco
Enterprise Tools Architect
Alphaserve Technologies
------------------------------

Okay thanks Gene. Yep this did exclude it. I tested with:

C:\>eventcreate /SO MSExchangeTEST /ID 999 /D "This is a test MSExchange Message with Source MSEXchangeTest EvtID#999" /t ERROR /L Application

The base profile alerted on this and then when created the specific profile in Exclude it no longer alerts. Cool. Thanks.

------------------------------
Daniel Blanco
Enterprise Tools Architect
Alphaserve Technologies
------------------------------

Original Message:
Sent: 08-09-2019 10:48 AM
From: Gene HOWARD
Subject: ntevl which happens first exclude or profile alarm

that is exactly what I would expect it to do.
because you added it to the exclude section, even though there is a match found it should not send an alarm.

------------------------------
Gene Howard
Principal Support Engineer
Broadcom

Original Message:
Sent: 08-09-2019 10:43 AM
From: Daniel Blanco
Subject: ntevl which happens first exclude or profile alarm

So question, we have a profile in our base ntevl probe that matches on the following:
[PROFILES]

[MSExchange]
      source = /(?i)MSExchange.*/
      event_id = 1003,1012,1112,..etc+..

This captures many 'bad' MSExchange* related events from all sources that start with MSExchange. But it also captures one from the source: MSExchangeApplicationLogic with Event ID 1003 which is not a bad event. It's a 'success' event ID and we don't want to alert on it? 

Instead of creating 25+ source exactly specific Event 1003 profiles, would adding this one source specific profile to the Exclude tab override and not cause the probe to alarm to get triggered from the Profiles tab?
So if I added to the EXCLUDE tab:
[EXCLUDE]
[MSExchangeAppLogic1003Exclude]
      source = /(?i)MSExchangeApplicationLogic.*/
      event_id = 1003

would this then NOT alarm even though it would match the condition in the profile tab?

#ntevl #exclude #override



​​​​​​

------------------------------
Daniel Blanco
Enterprise Tools Architect
Alphaserve Technologies
------------------------------