Navigation:  Event Log Monitoring > Recurring Events >

One Event per Day

 Top  Previous  Next

One problem with the way the recurring events feature currently works is that you cannot configure it to look for one or more events during a 24-hour time period - on a daily basis. This is because if you select/push all buttons, the recurring event filter doesn't know when your time period starts and ends, since it is the change from a raised to a pushed (and vice versa) that indicates this.

 

In order to be notified that one or more events do not occur at least once a day you will need to create two recurring event filters, one threshold filter and one exclude filter. You will also need to create a new package for the filters and configure the package to Ignore exclude filters from other packages.

 

In this example will make sure that the process notepad.exe is executed at least once a day.

 

Creating a filter package

Create a filter package by right-clicking the Filter Packages container. Once you have entered a name for the package, right-click the package and select Edit. Configure the package to ignore exclude filters from other packages.

 

clip0019

 

1st Recurring Event Filter

The first recurring event filter will look for your event between 12AM to 12PM and write an 10620 error to the event log if the event does not occur. We call this filter "1st Time Period".

 

clip0014

Figure 1: The general settings of our 1st recurring filter

 

clip0015

Figure 2: The Hour/Day settings, covering midnight to 12PM

 

2nd Recurring Event Filter

The second recurring event filter will look for your event between 12PM to 12AM and write an 10620 error to the event log if the event does not occur. The General tab of this filter has to look identical to that of your first recurring event filter, figure 1 in our example.

 

clip0016

Figure 3: The Hour/Day settings, covering 12PM to midnight

 

Threshold Filter

It is of course OK to not have the event appear during one of the two time periods, but we need to be notified if we receive two 10620 events from the previous filters  on any given day. As such, we will set the threshold filter to log an error when both recurring events logged an error within 13 hours.

 

The General tab of this filter would be configured to match the recurring event filters (note the Filter Text) so that it won't interfere with other recurring event filters, and the Threshold tab would alert us if we see more than one of these recurring events in 13 hours. The threshold filter will log an event with id 10601 to the event log when this happens.

 

clip0017

Figure 4: Match only recurring events used for this feature

 

clip0018

Figure 5: Log an error if we see more than one recurring event error

 

Exclude Filter

The exclude filter is necessary (or recommended) if you use the default filter setup which includes catch-all filters that forward errors to your email. Since recurring event filters always log events as errors, you would be notified as soon as the first (or second) recurring event filter doesn't find the event, which would not be very helpful since you would get this alert every day. As such, you will exclude events generated by the two recurring event filters, and instead receive alerts from the threshold filter.

 

Alert or Warning 1 24 n g

It is imperative that you place this exclude filter in a package other than the one you just created. If you fail to do this then the threshold filter will never match since it matches the same events the exclude filter excludes.

 

Simply place the exclude filter in a package that already excludes other events for your email notification. This is why we configured the package to ignore exclude filters from other packages earlier.