Introduction to EventSources
EventSources can take two forms:
- Templates that define asynchronous messages received by the Collector and used to trigger alerts.
- Templates that define how to collect and monitor textual data. This differs from DataSources, which collect numerical data.
Monitoring for Log Files, SNMP traps, Windows Event Logs, Syslog, and Script events are all supported.
Creating an EventSource
EventSources are managed from Settings | EventSources. You can add an EventSource to your account using one of three methods:
- Importing an EventSource from LogicMonitor's repository (Add | From LogicMonitor repository)
- Importing an EventSource from XML (see Importing/Exporting XML LogicModules for more details)
- Configuring a Brand New EventSource (discussed next)
Configuring a Brand New EventSource
You can add a brand new EventSource from Settings | EventSources | Add | EventSource. As shown (and discussed) next, there are several general settings that must be established in order to configure a new EventSource. These settings determine the type of EventSource, which devices the EventSource will be applied to, and the conditions that must exist in order for the EventSource to trigger an alert.
Note: There are five types of EventSources: Log File, SNMP Trap, SysLog, Windows Event Logging, and Script. Depending upon the EventSource you are creating (defined by the Type field), you will see configuration variations. For more details about configurations that are specific to a single type of EventSource, see the individual support article dedicated to that EventSource type.
The name of the EventSource, as it will be displayed throughout your account.
The description of the EventSource.
Tag the EventSource with keywords (related to its name, purpose, scope, etc) that will facilitate a search for it.
This field can contain any technical notes associated with the BatchJob.
Defines the devices to which your EventSource will be applied. If using a custom query, you must complete this field with AppliesTo Scripting functions.
There are five types of EventSources: Log File, SNMP Trap, SysLog, Windows Event Logging, and Script.
More information about configuring each of these types is available here.
The EventSource group to which this EventSource will be assigned. If no group is specified, the EventSource will be placed in @ungrouped. If you specify a group that doesn't exist, that group will be created.
If you add filters, events must meet the filter criteria in order to be detected and added into your account. Available filtering options will change depending on your EventSource type, e.g. snmpVersion and Application filtering are unique to SNMP Trap and SysLog EventSources, respectively.
We support IN filters for EventSources, which allow you to include a list of individual events (e.g. IN 1 | 3 | 23). We also include an equivalent operator NOT IN for excluding a specific set of events (e.g. NOT IN 2 | 34 | 25).
The Clear After field allows you to define, in minutes, how long an alert triggered for this EventSource will remain active before it auto-clears. By default, LogicMonitor sets this interval to 60 minutes, but you can reduce it (down to a minimum of five minutes) if desired.
Checking the Acknowledgement option immediately below the Clear After field allows you to manually clear the EventSource alert once it is acknowledged.
LogicMonitor automatically suppresses some duplicate EventSource alerts received within the time range identified by the Clear After interval. This is intended to streamline your experience and prevent you from being continuously alerted to the same event. Whether LogicMonitor suppresses alerts depends upon the type of EventSource:
- Log File. Duplicate alerts for Log File EventSources are suppressed for the duration of the interval set in the Clear After field.
- SNMP Trap. Duplicate alerts for SNMP Trap EventSources are never suppressed.
- SysLog. Duplicate alerts for Syslog EventSources (deemed duplicate if host, application name, and message are identical) are suppressed for the duration of the interval set in the Clear After field.
- Windows Event Log. Duplicate alerts for Windows Event Log EventSources (deemed duplicate if the host and EventID are identical) are suppressed for the duration of the interval set in the Clear After field.
- Script. The suppression of duplicate alerts for Script EventSources is controlled by the alerts per host. If alerts are suppressed, you should see Collector events on the collector such as "SEC: reaches threshold for".
Note: If you are seeing too many duplicate alerts for Log File, Syslog, or Windows Event Log EventSources, consider lengthening the time of the Clear After interval.
Filling out this field will override the default EventSource alert subject that will be displayed in alert notifications for this EventSource.
EventSource alerts come with a default alert message. You can choose to customize the alert message using this list of available tokens.