HeartBeat alerts

edited May 2014 in General
Is there a way to create Heartbeat groups that will notify different people? I'd like to have multiple Heartbeat groups of computers to send Heartbeat only alerts to different people. From what I can tell this is not possible. The manual also states "All of the (HeartBeat) settings apply to all computers in all groups and cannot be changed on a per-group or
per-host level. This seems like a big limitation for such a versatile product. Thanks for any help.

Comments

  • HI John,

    Our Heartbeat service runs on the management console machine, and writes all warnings & errors to the application log of the management console machine. In our default configuration, we have one package for heartbeat alerts to be sent through one email action.

    If you wanted different people to be alerted for different machines, you could create email actions for these people and then separate include filters associated with these actions for the computers you want those people to be notified about.

    Does that make sense?

    Steven
  • edited May 2014
    Sort of. I am very new to EventSentry. Are there any real world examples posted online that I can reference? Thanks for the quick reply.
  • HI John,

    Just to clear things up, when looking at the heartbeat events it will include the hostname and group name. You can then use the "Content Filter" with our insertion strings to create filters for each group. You can look up the insertion strings for our events & most others by going to Tools > Utilities > Event Message Browser. Here is an example of the event for the agent status changing (Event ID 11001):

    Host %1 (%2) changed its AGENT status from %3 to %4. The reason for the status change was: "%5".

    In the content filter, you could choose Insertion string 2 equals and then the group name. Now any heartbeat event for that group will go to the group of people you added to the new email action you created.

    Hope this additional information helps. If you get stuck, please don't hesitate to let us know.
    Steven
  • I've figured out how to do filters for certain events to certain people, but what if the service I want to monitor doesn't have an agent. For instance, I want to use a Heartbeat alert to monitor a website over Port 80. If I make a regular filter, I can't add the Port 80 option to it like I can in a Heartbeat folder. My test filter has Event Source=EventSentry, Category=Heartbeat Monitoring, Event ID=11000, Computer=My EventSentry server. Wildcard = *http://www.website.com*
    When I turn off the website I don't get alerted like I did when this was a true Heartbeat event.
  • Hi John,

    The filter rules should work the same exact way for heartbeat events and non-heartbeat events. What you described above should work, as long as the package in which the event log filter you created is assigned to the server running the EventSentry Heartbeat Monitor service.

    Did you verify that the actual heartbeat event is being written to the Application event log?

    Also, by using Steven's approach from May 27, you should be able to filter based on the port number as well.

    Finally, you can right-click any event in the EventSentry event viewer, and select "test against filter rules" and check the "verbose" option. It will show you all filters, and whether they match or not - and why.

    Does that help?
  • When I monitored the website as a Heartbeat event, it did write to the application log. I then Right Clicked on that event to create a new Filter. Perhaps I have the wildcard wrong? When I turned off the website, it did NOT write to the Application log.
  • I would start with analyzing why the HB event was not written in that case. When you turned the web site off, are you sure that port 80 was indeed closed?

    You can verify that either with telnet, or using the checktcp.exe utility from the EventSentry SysAdmin Tools (http://www.eventsentry.com/sysadmintools).

    If the event was not written then you wouldn't receive an alert via email.
  • I actually turned the server completely off. That's why I feel like something is wrong with my filter since it's not writing to the log. Do I have the correct Event ID? Is the Content Filter incorrect? I don't have to monitor port 80 if a regular ping will work.
  • The filters don't affect what is written to the log, the filters only affect what is processed from the logs, and subsequently forwarded/processed.

    When you turned the server off, did you see a heartbeat alert about the server being offline?
  • I only get a Heartbeat alert in the log when I add the web address to the Heartbeat folder and turn the server off. In this case, I removed the server from the Heartbeat folder and created a new filter in Packages>Event Logs.
  • When you say "Heartbeat Folder", do you mean the heartbeat group? If you remove a server from the heartbeat group, it will not be monitored anymore.

    What type of alert did you get so far?
  • Yes, I meant Heartbeat group. If I add the website to the Heartbeat group, I get an email alert to my default Heartbeat email address when I turn the server off. I want the alert for one particular server to go to someone else. So do I need to keep the website in the Heartbeat group AND create a new filter that points to the other user? I tried that and my other alert email didn't receive anything. My new filter did NOT match with verbose testing.
  • Yes, you would need to keep the server in one of your groups. Assuming you have an email action in place for the other user, you would then create an event log filter which would look for either the server name or the group name (if you want this to be more generic).

    The filter could either utilize a general wildcard, or use the insertion string 1 (host name) or 2 (group name) to match the event. The filter would need to have the other users' email action included.

    Does that help?

    Which field did not match when you did the filter rules test? You should see this in the "reason" column.
  • The Content didn't match in the rules test. For the wildcard can I use *http://www.website.com* ?
  • Can you post the content of the heartbeat alert here? You can obscure any host names of course.
  • This is the contents of the Heartbeat email I got. Is that what you want? Doesn't seem like I can upload a screenshot. Can we take this to a phone call?

    GRAINGERES 11002
    EventSentry Heartbeat Monitoring
    Application 12/18/2014 10:35:26 AM
    Error (Info) 15800

    Host website.com (Web) changed the status of TCP port 80 from OK to ERROR. The reason for the status change was: "Timeout. (TCP Port: 80)".
  • Most definitely, if you have an active maintenance agreement then you can call us anytime, we can also do an online meeting: http://www.eventsentry.com/support/request
Sign In or Register to comment.