Introduction to EventSources
EventSources can take two forms:
- Templates that define asynchronous messages received by the Collector and used to trigger alerts.
- Templates that define how to collect and monitor textual data. This differs from DataSources, which collect numerical data.
EventSources monitor for the following types of events:
- IPMI event log events
- SNMP traps
- Windows event logs
- Syslog events
Creating an EventSource
EventSources are managed from Settings | EventSources. You can add an EventSource to your account using one of three methods:
- Importing an EventSource from LogicMonitor's repository (Add | From LogicMonitor repository)
- Importing an EventSource from XML (see Importing/Exporting XML LogicModules for more details)
- Configuring a Brand New EventSource (discussed next)
Configuring a New EventSource
You can add a new EventSource from Settings | EventSources | Add | EventSource. There are three categories of settings that must be established in order to configure a new EventSource:
- General Information
- Collector Attributes
- Alert Settings
The settings in these three categories collectively determine the type of EventSource, which devices the EventSource will be applied to, and the conditions that must exist in order for the EventSource to trigger an alert.
General Information
In the General Information area of an EventSource's configuration, complete the basic settings for your new EventSource. These settings are global across all types of EventSources.
Name and Description
Enter a name and description for your EventSource in the Name and Description fields.
Enter technical notes associated with this EventSource into the Technical Notes field. These notes can include an overview of the EventSource purpose, filters, and so on.
Applies To
Click the Wizard button to use LogicMonitor's Apply to wizard to write an AppliesTo script that defines the devices to which your EventSource will be applied. Once written, you can test the script to receive a count (and list) of all matching resources. For more information on AppliesTo scripting and functions, see LogicModule AppliesTo Functions.
Type
There are up to 10 types of EventSources available from the Type field's dropdown menu, but only five of these should ever be created as custom EventSources: Log File, SNMP Trap, SysLog, Windows Event Logging, and Script. (The other five support LM Cloud and are used for monitoring the status pages of public cloud providers. These EventSources are pre-built for the various public cloud providers and LogicMonitor does not recommend creating custom EventSources for this purpose.)
Depending upon the EventSource you are creating (defined by the Type field), you will see variations in the configurations that must be established, notably in the Collector Attributes and Filters configuration areas, which are discussed in the following sections.
Note: You cannot edit the Type of an EventSource once it has been saved.
Group
In the Group field, select the EventSource group to which this EventSource will be assigned. If no group is specified, the EventSource will be placed in the default "@ungrouped" group. If you specify a group name that doesn't exist, that group will be created.
Collector Attributes
Collector attributes are only required for Log File and Script EventSources. These attributes exist to provide additional detail on how custom events will be accessed. See Log File Monitoring and Script EventSources respectively for more information on setting Collector attributes.
Filters
If you add filters, events must meet the filter criteria in order to be detected and alerted on. Available filtering options will change depending on your EventSource type; see the support article dedicated to the EventSource type you are creating for more details on filtering events.
LogicMonitor supports IN filters for EventSources, which allow you to include a list of individual events (e.g. IN 1 | 3 | 23). We also include an equivalent operator NOT IN for excluding a specific set of events (e.g. NOT IN 2 | 34 | 25).
As you're defining filters, you can use the Test Event Logging button to perform test runs of your Log File, SNMP Trap, Syslog, and Windows Event Log EventSources to ensure events are being filtered and captured as you intended. You can also use the testing capability before any filters are defined in order to return all messages from a device and use this information to determine the parameter values that should be filtered on. See Testing EventSources for more information on testing EventSources.
Alert Settings
If you are creating a Script, SNMP Trap, or Windows Event Log EventSource, the first field you see here is one related to the level/severity of alert that is triggered. These fields are unique to your EventSource type; see the support article dedicated to the EventSource type you are creating for more details on setting alert level.
Regardless of EventSource type, the Clear After, Alert Subject, and Alert Message fields, discussed next, are always present in the Alert Settings area.
Clear After
The Clear After field allows you to define, in minutes, how long an alert triggered for this EventSource will remain active before it auto-clears. By default, LogicMonitor sets this interval to 60 minutes, but you can reduce it (down to a minimum of five minutes) if desired. Checking the Acknowledgement option immediately below the Clear After field allows you to manually clear the EventSource alert once it is acknowledged.
Note: Unlike alerts triggered by datapoints, no alert clear notifications are sent when an EventSource alert clears. However, the "Cleared On" column found in the alert table will display a timestamp representing when the EventSource alert was cleared.
LogicMonitor automatically suppresses some duplicate EventSource alerts received within the time range identified by the Clear After field. This is intended to streamline your experience and prevent you from being continuously alerted to the same event. Whether LogicMonitor suppresses duplicate alerts depends upon the type of EventSource:
- Log File. Duplicate alerts for Log File EventSources are suppressed for the duration of the interval set in the Clear After field.
- SNMP Trap. Duplicate alerts for SNMP Trap EventSources are never suppressed.
- Syslog. Duplicate alerts for Syslog EventSources (deemed duplicate if host, application name, and message are identical) are suppressed for the duration of the interval set in the Clear After field.
- Windows Event Log. Duplicate alerts for Windows Event Log EventSources (deemed duplicate if the host and EventID are identical) are suppressed for the duration of the interval set in the Clear After field.
- Script. The suppression of duplicate alerts for Script EventSources is controlled by the alerts per host. If alerts are suppressed, you should see Collector events such as "SEC: reaches threshold for."
Note: If you are seeing too many duplicate alerts for Log File, Syslog, or Windows Event Log EventSources, consider lengthening the time of the Clear After interval.
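The IN / NOT IN filter syntax above and the per-type duplicate suppression rules can be made concrete with a small model. The following is an added example, not LogicMonitor's own code: it parses a filter value such as "IN 1 | 3 | 23", builds the duplicate key the page describes for each EventSource type (the Log File key and the clamping of Clear After to its five-minute minimum are assumptions, since the page does not define them), and decides whether a repeated event inside the Clear After window should raise a new alert.

```python
import re
# Parse an EventSource filter value such as "IN 1 | 3 | 23" or "NOT IN 2 | 34 | 25".
def parse_in_filter(expr):
    m = re.fullmatch(r"\s*(NOT\s+IN|IN)\s+(.+)", expr, re.IGNORECASE)
    if not m:
        raise ValueError(f"not an IN/NOT IN filter: {expr!r}")
    negate = m.group(1).upper().startswith("NOT")
    values = {v.strip() for v in m.group(2).split("|") if v.strip()}
    return negate, values

def matches_filter(expr, value):
    """True if the event value passes the IN / NOT IN filter."""
    negate, values = parse_in_filter(expr)
    hit = str(value) in values
    return not hit if negate else hit

# Duplicate key per EventSource type, following the suppression rules on the page.
def dedup_key(es_type, event):
    if es_type == "snmptrap":
        return None                                   # never suppressed
    if es_type == "syslog":
        return (event["host"], event["app"], event["message"])
    if es_type == "wineventlog":
        return (event["host"], event["event_id"])
    if es_type == "logfile":
        # Assumption: the page does not define the Log File duplicate key; host+message is used here.
        return (event["host"], event["message"])
    raise ValueError(f"unsupported EventSource type: {es_type}")

class AlertSuppressor:
    """Tracks active EventSource alerts and drops duplicates inside the Clear After window."""
    def __init__(self, clear_after_min=60):
        # Assumption: values below the 5-minute minimum are clamped to 5.
        self.clear_after = max(5, clear_after_min) * 60
        self.active = {}                              # key -> epoch seconds when raised

    def should_alert(self, es_type, event, now):
        key = dedup_key(es_type, event)
        if key is None:
            return True
        raised = self.active.get(key)
        if raised is not None and now - raised < self.clear_after:
            return False                              # duplicate within Clear After
        self.active[key] = now                        # raise (or re-raise after auto clear)
        return True

def demo():
    # Constructed sample: the same Windows event twice, then again after Clear After.
    s = AlertSuppressor(clear_after_min=60)
    ev = {"host": "win-host-1", "event_id": 4625}
    return [s.should_alert("wineventlog", ev, t) for t in (0, 1800, 3600)]
```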
Alert Subject and Message
Filling out one or both of these fields will override the default EventSource alert notification subject and/or message (as established in the alert message template) for this particular EventSource. You can choose to customize the alert subject or message using tokens, as discussed in Tokens Available in LogicModule Alert Messages.
Note: EventSource alerts automatically display in the LogicMonitor interface, but alert notification via email, text, or other method must be configured through alert rules, as discussed in Alert Rules.