MonitorWare Knowledge Base

Hi

Problem:

Every night all the Servers boot automatically. 3 Events are logged.
Event ID 6006, then Event ID 6009 and then Event ID 6005.

Now, if one server does not boot, this 3 entries are not logged. But exactly this is the condition for a action we need (Reboot Server).

We do not have found a solution, but i think this is a new challenge for you

Kind regards

Hello,

this is indeed a challenge Let me start asking some questions:

#1 Is there a specific point in time (or time window) when these events
must occur?

#2 Which logs do these events occur in - I guess System event log,
but I would like to make sure...

#3 Is MonitorWare Agent restarted during normal operations
WITHOUT a server restart?

Question #3 is especially important as I think we can only mange this via status variables. However, none of the current builds preserves them over an agent restart (and doing this is not as trivial as it sounds ).

Looking forward to your reply,
Rainer Gerhards
Adiscon

Hi

#1: between 01:30 and 02:00 h

#2: System is correct

#3: no

Kind regards

Hi

Any idea ?

Kind regards

Sorry, still working. Please bear one more day or two with us...

Rainer

I think we are coming close, though the config is somewhat tricky. Could you please let me know which log the mentioned event IDs must appear in (Application I guess - right?).

Rainer

Ok, just to let you know that something is actually going on We've just written the overview of how this will work. We will create a config during the day. But maybe the overview is already interesting, so here it is:

####
This is more or less a general description of how the rule set works.

The events are tracked by status variables. They are named "Occured<EventID>" where <EventID> is the ID of the event we are looking at (e.g. 6006). These variables are either set to 0 (event did not yet occur) or 1 (event occured). The variables are reset (0) each day at around midnight (time window A). Then, they are set (1) if the specific event occurs within the time frame where it must occur (time window B). Even a bit later, we check if the variable is set. And if it is NOT, we can initiate notification action (time window C).

The tricky part is to look at the events at specific time periods. We do this with the help of a heartbeat service. That service is configured to run sufficiently often (15 minutes in our case), so that we will have at least one heartbeat during each time frame. Please note that the heartbeat event itself will simply be ignored - it is just used to keep the process running.

For obvious reasons, we also need an Event Log monitor.

Time windows A) and C) are bound to the heartbeat service. Time window B) needs to be bound to the event log monitor. Please note that this can also be done in an already existing rule set for an event log monitor. The time windows must be specified in filter conditions.
####

Rainer

Hi

Sorry i only now have seen your question

So each boot makes 3 entries in SYSTEM EventLog

Source: EventLog ID:6006
Source: EventLog ID:6009
Source: EventLog ID:6005

Kind regards

Hello,

a collague created a rough draft configuration. You can download it from

http://www.adiscon.org/downloads/Missin ... -10-06.zip (case-sensitive)

Please note that he did not check the event log type - we'll add this later on. I did not yet run an extended test on it (I need a night ), but I am pretty sure that it works. I'd appreciate if you could have a look at it.

Rainer

Hi

I will try this tomorrow morning and give you e feedback.

Thanks a lot and kind regards

Hi

Your are great. It's working. I have received a message "One of the events is missing"

We will continue to implement this, the action will be a reboot.

Thank's and kind regards