DX Infrastructure Management

Expand all | Collapse all

ntevl which happens first exclude or profile alarm

  • 1.  ntevl which happens first exclude or profile alarm

    Posted 08-09-2019 10:43 AM
    So question, we have a profile in our base ntevl probe that matches on the following:
    [PROFILES]

    [MSExchange]
          source = /(?i)MSExchange.*/
          event_id = 1003,1012,1112,..etc+..

    This captures many 'bad' MSExchange* related events from all sources that start with MSExchange. But it also captures one from the source: MSExchangeApplicationLogic with Event ID 1003 which is not a bad event. It's a 'success' event ID and we don't want to alert on it? 

    Instead of creating 25+ source exactly specific Event 1003 profiles, would adding this one source specific profile to the Exclude tab override and not cause the probe to alarm to get triggered from the Profiles tab?
    So if I added to the EXCLUDE tab:
    [EXCLUDE]
    [MSExchangeAppLogic1003Exclude]
          source = /(?i)MSExchangeApplicationLogic.*/
          event_id = 1003

    would this then NOT alarm even though it would match the condition in the profile tab?

    #ntevl #exclude #override



    ​​​​​​

    ------------------------------
    Daniel Blanco
    Enterprise Tools Architect
    Alphaserve Technologies
    ------------------------------


  • 2.  RE: ntevl which happens first exclude or profile alarm

    Posted 08-09-2019 10:49 AM
    that is exactly what I would expect it to do.
    because you added it to the exclude section, even though there is a match found it should not send an alarm.

    ------------------------------
    Gene Howard
    Principal Support Engineer
    Broadcom
    ------------------------------



  • 3.  RE: ntevl which happens first exclude or profile alarm

    Posted 08-09-2019 11:37 AM
    Okay thanks Gene. Yep this did exclude it. I tested with:

    C:\>eventcreate /SO MSExchangeTEST /ID 999 /D "This is a test MSExchange Message with Source MSEXchangeTest EvtID#999" /t ERROR /L Application

    The base profile alerted on this and then when created the specific profile in Exclude it no longer alerts. Cool. Thanks.

    ------------------------------
    Daniel Blanco
    Enterprise Tools Architect
    Alphaserve Technologies
    ------------------------------