Anonymous_User Absent Member.
Absent Member.
440 views

Event log jobs and picking up past events


Well I may be confused here but I have all of my event log jobs set to
the value of 0 so it doesn't go back and get old events. However I
have noticed when i stop the job and restart it at a later time that it
will still get older events and send email alerts. I thought the
setting was supposed to prevent this sort of thing from happening or am
I misunderstanding how it works?

The setting is "number of previous hours to scan"

thanks!


--
mhightower
------------------------------------------------------------------------
mhightower's Profile: https://forums.netiq.com/member.php?userid=5354
View this thread: https://forums.netiq.com/showthread.php?t=49055

0 Likes
2 Replies
Anonymous_User Absent Member.
Absent Member.

Re: Event log jobs and picking up past events


mhightower;235966 Wrote:
> Well I may be confused here but I have all of my event log jobs set to
> the value of 0 so it doesn't go back and get old events. However I
> have noticed when i stop the job and restart it at a later time that it
> will still get older events and send email alerts. I thought the
> setting was supposed to prevent this sort of thing from happening or am
> I misunderstanding how it works?
>
> The setting is "number of previous hours to scan"
>
> thanks!


The behaviour you describe is by design. The Hours value of 0 means
since scan the Event Log the Job last ran - regardless of how long ago
that was. One way to avoid that behaviour when there is a big gap in the
monitoring is to deploy a new Job since on its first execution, the KS
does not scan for events but simply records the event log record number
so that the next time it executes it knows which entries are new. I
haven't tested it, but cold restarting the agent should have the same
effect as it wipes all the Jobs from the Agent.

If, however, you commonly have long gaps in the monitoring of the Event
Log and you don't want to alert for historic entries, then an
alternative is to use my custom Event Log KS. As well as having
additional capabilities that General_EventLog doesn't, such as the
ability to monitor multiple sets of search criteria in a single Job, it
also writes the Record Number to an INI file rather than storing in
memory. Not only does this mean that the KS can monitor server reboots
or crashes (which wipe the Recnums from memory thereby resetting the
standard KS), but the KS also has logic to delete the INI file after a
certain time to force a reset that brings the Job up to date without
alerting for historic entries. This enables you to configure the KS to
automatically skip historic alerts if the interval since the last time
the Event Log was checked is greater than the threshold, say 24 hours.
You can download the KS from the old forum site at
http://community.netiq.com/media/p/11752.aspx.


I hope this makes sense, but if not let me know.


--
Alain Salesse | Senior Technology Consultant | Alain.Salesse@NetIQ.com
------------------------------------------------------------------------
Alain.Salesse's Profile: https://forums.netiq.com/member.php?userid=3958
View this thread: https://forums.netiq.com/showthread.php?t=49055

0 Likes
Anonymous_User Absent Member.
Absent Member.

Re: Event log jobs and picking up past events


Oh yes it all makes sense. I just wasn't figuring it out. Thanks for
clearing that up for me and also linking to your script. I'll
definitely check it out and see if I can incorporate it into my
monitoring.


--
mhightower
------------------------------------------------------------------------
mhightower's Profile: https://forums.netiq.com/member.php?userid=5354
View this thread: https://forums.netiq.com/showthread.php?t=49055

0 Likes
The opinions expressed above are the personal opinions of the authors, not of Micro Focus. By using this site, you accept the Terms of Use and Rules of Participation. Certain versions of content ("Material") accessible here may contain branding from Hewlett-Packard Company (now HP Inc.) and Hewlett Packard Enterprise Company. As of September 1, 2017, the Material is now offered by Micro Focus, a separately owned and operated company. Any reference to the HP and Hewlett Packard Enterprise/HPE marks is historical in nature, and the HP and Hewlett Packard Enterprise/HPE marks are the property of their respective owners.