Monitor Solution 7.5: Incorrect number of alerts triggered in Event Console by NT event rule
Last Updated June 11, 2015
1. An "NT event" rule was added to a Monitor policy to trigger alerts when a user logs on to a managed computer. The rule is configured with "Set severity to: Informational" and "Reset severity using: Updated metric value".
2. The rule triggers correctly on a monitored machine but creates the wrong number of alerts in Event Console.
3. Two alerts are expected: the first when the rule conditions are met and the second when the metric value is updated. Instead, 3 or 4 alerts are found in Event Console.
There are no errors in the Altiris log.
The same scenario was tested in an ITMS 7.1 SP2 MP1 environment, where the expected number of alerts (2) is generated.
The cause of the issue is preliminarily attributed to changes introduced to the so-called "rule state machine" in the Monitor Solution 7.5 branch.
The issue is currently under investigation.
A fix is targeted for ITMS 7.6 Hotfix 1.
In this specific scenario, setting the severity to Normal and selecting "Treat condition as template" worked around the issue.
Below is another example of working around the issue:
1. Create a new Agent-Based monitor policy.
2. Click "Add" rule.
3. As the desired rule does not exist, let's create a new one:
a. New NT "Event" rule;
b. Name (any), Description (any), Category (Security);
c. New metrics: Metric1 - EventID = 4624 (logon), Metric2 - Logfile = Security, and Metric3 - Description matches regular expression (?:(?!New
The same metrics in XML (the exported fragment starts inside the first metric and the regular expression is cut off):
<value aggregate="Or" caseSensitive="false" operator="Equal">4624</value>
<property>EventID</property>
</metric>
<metric guid="9601951e-b941-4d3c-8d9f-aa09c195e0d7" operator="And">
    <value aggregate="Or" caseSensitive="false" operator="Equal">Security</value>
    <property>Logfile</property>
</metric>
<metric guid="9601951e-b941-4d3c-8d9f-aa09c195e0d7" operator="And">
    <value aggregate="Or" caseSensitive="false" operator="RegEx">(?:(?!New Logon:).)
d. Set severity to: Informational;
e. Reset severity using: Updated metric value.
f. "Treat condition as template" SHOULD be TICKED
g. All other fields can be default.
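To check what a three-metric NT event rule like the one above will actually match before pushing it to agents, the following script evaluates a rule definition with the same shape (Equal/RegEx value operators, caseSensitive="false", metrics AND'd together) against a handful of sample events. This is an added example, not Symantec's code and not the Monitor Solution rule engine: the rule XML is reconstructed from the fragment (the first metric's opening tag and the guids are omitted), the regular expression is a stand-in for the article's cut-off expression, and the event dictionaries and their field names are constructed for the demonstration.

```python
import re
import xml.etree.ElementTree as ET

# Constructed rule definition modelled on the article's XML fragment (added example,
# not the article's export). The RegEx value is an assumption standing in for the
# article's truncated expression; it selects Interactive (2) and RemoteInteractive (10)
# logons from the 4624 description text.
RULE_XML = r"""
<rule>
  <metric operator="And">
    <value aggregate="Or" caseSensitive="false" operator="Equal">4624</value>
    <property>EventID</property>
  </metric>
  <metric operator="And">
    <value aggregate="Or" caseSensitive="false" operator="Equal">Security</value>
    <property>Logfile</property>
  </metric>
  <metric operator="And">
    <value aggregate="Or" caseSensitive="false" operator="RegEx">Logon Type:\s+(?:2|10)\b</value>
    <property>Description</property>
  </metric>
</rule>
"""

# Constructed sample events shaped like the fields the NT event rule inspects.
SAMPLE_EVENTS = [
    {"EventID": 4624, "Logfile": "Security",
     "Description": "An account was successfully logged on.\n\nLogon Type:\t\t2\n\n"
                    "New Logon:\n\tAccount Name:\t\talice"},
    {"EventID": 4624, "Logfile": "Security",          # network logon, wrong logon type
     "Description": "An account was successfully logged on.\n\nLogon Type:\t\t3\n\n"
                    "New Logon:\n\tAccount Name:\t\tsvc-backup"},
    {"EventID": 4625, "Logfile": "Security",          # failed logon, wrong event ID
     "Description": "An account failed to log on.\n\nLogon Type:\t\t2\n"},
    {"EventID": 4624, "Logfile": "Application",       # wrong log file
     "Description": "Logon Type:\t\t10\n"},
]


def value_matches(value, actual):
    """Apply one <value> element (Equal or RegEx, honouring caseSensitive) to a field."""
    op = value.get("operator", "Equal")
    case_sensitive = value.get("caseSensitive", "false").lower() == "true"
    expected = (value.text or "").strip()
    if op == "Equal":
        if case_sensitive:
            return actual == expected
        return actual.casefold() == expected.casefold()
    if op == "RegEx":
        flags = 0 if case_sensitive else re.IGNORECASE
        return re.search(expected, actual, flags) is not None
    raise ValueError(f"unsupported value operator: {op}")


def metric_matches(metric, event):
    """Evaluate one <metric>: its <value> elements combined by their aggregate (Or/And)."""
    prop = metric.findtext("property")
    actual = str(event.get(prop, ""))
    values = metric.findall("value")
    results = [value_matches(v, actual) for v in values]
    aggregate = values[0].get("aggregate", "Or") if values else "Or"
    return all(results) if aggregate == "And" else any(results)


def rule_matches(rule_xml, event):
    """Combine the metrics left to right using each metric's operator (And/Or)."""
    root = ET.fromstring(rule_xml.strip())
    result = None
    for metric in root.findall("metric"):
        m = metric_matches(metric, event)
        if result is None:
            result = m
        elif metric.get("operator", "And") == "And":
            result = result and m
        else:
            result = result or m
    return bool(result)


def matching_events(rule_xml, events):
    """Return the indices of the events that would trigger the rule."""
    return [i for i, ev in enumerate(events) if rule_matches(rule_xml, ev)]


if __name__ == "__main__":
    for i, ev in enumerate(SAMPLE_EVENTS):
        print(i, ev["EventID"], ev["Logfile"], rule_matches(RULE_XML, ev))
```

Only the first sample event satisfies all three metrics; the other three each fail exactly one of them, which is a quick way to confirm that an AND'd metric set is as narrow as intended before the rule is deployed.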
ITMS 7.5.x with Monitor Solution installed.
Imported Document ID: TECH228295