MonitorSolution User Guide

Altiris Monitor Solution for
Servers 7.5 fromSymantec

User Guide
Altiris Monitor Solution for Servers 7.5 from
Symantec User Guide
The software described in this book is furnished under a license agreement and may be used
only in accordance with the terms of the agreement.
Legal Notice
Copyright 2013 Symantec Corporation. All rights reserved.
Symantec, the Symantec Logo, and the Checkmark Logo, Altiris, and any Altiris or Symantec
trademarks used in the product are trademarks or registered trademarks of Symantec
Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks
of their respective owners.
This Symantec product may contain third party software for which Symantec is required to
provide attribution to the third party (Third Party Programs). Some of the Third Party Programs
are available under open source or free software licenses. The License Agreement
accompanying the Licensed Software does not alter any rights or obligations you may have
under those open source or free software licenses. For more information on the Third Party
Programs, please see the Third Party Notice document for this Symantec product that may
be available at http://www.symantec.com/about/profile/policies/eulas/, the Third Party Legal
Notice Appendix that may be included with this Documentation and/or Third Party Legal Notice
ReadMe File that may accompany this Symantec product.
The product described in this document is distributed under licenses restricting its use, copying,
distribution, and decompilation/reverse engineering. No part of this document may be
reproduced in any form by any means without prior written authorization of Symantec
Corporation and its licensors, if any.
THE DOCUMENTATION IS PROVIDED "AS IS" AND ALL EXPRESS OR IMPLIED
CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED
WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR
NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH
DISCLAIMERSAREHELDTOBELEGALLYINVALID. SYMANTECCORPORATIONSHALL
NOT BE LIABLE FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES IN CONNECTION
WITH THE FURNISHING, PERFORMANCE, OR USE OF THIS DOCUMENTATION. THE
INFORMATION CONTAINED IN THIS DOCUMENTATION IS SUBJECT TO CHANGE
WITHOUT NOTICE.
The Licensed Software and Documentation are deemed to be commercial computer software
as defined in FAR 12.212 and subject to restricted rights as defined in FAR Section 52.227-19
"Commercial Computer Software - Restricted Rights" and DFARS 227.7202, "Rights in
Commercial Computer Software or Commercial Computer Software Documentation", as
applicable, and any successor regulations. Any use, modification, reproduction release,
performance, display or disclosure of the Licensed Software and Documentation by the U.S.
Government shall be solely in accordance with the terms of this Agreement.
Symantec Corporation
350 Ellis Street
Mountain View, CA 94043
http://www.symantec.com
Technical Support
Symantec Technical Support maintains support centers globally. Technical Supports
primary role is to respond to specific queries about product features and functionality.
The Technical Support group also creates content for our online Knowledge Base.
The Technical Support group works collaboratively with the other functional areas
within Symantec to answer your questions in a timely fashion. For example, the
Technical Support group works with Product Engineering and Symantec Security
Response to provide alerting services and virus definition updates.
Symantecs support offerings include the following:
A range of support options that give you the flexibility to select the right amount
of service for any size organization
Telephone and/or Web-based support that provides rapid response and
up-to-the-minute information
Upgrade assurance that delivers software upgrades
Global support purchased on a regional business hours or 24 hours a day, 7
days a week basis
Premium service offerings that include Account Management Services
For information about Symantecs support offerings, you can visit our website at
the following URL:
www.symantec.com/business/support/
All support services will be delivered in accordance with your support agreement
and the then-current enterprise technical support policy.
Contacting Technical Support
Customers with a current support agreement may access Technical Support
information at the following URL:
Before contacting Technical Support, make sure you have satisfied the system
requirements that are listed in your product documentation. Also, you should be at
the computer on which the problem occurred, in case it is necessary to replicate
the problem.
When you contact Technical Support, please have the following information
available:
Product release level
Hardware information
Available memory, disk space, and NIC information
Operating system
Version and patch level
Network topology
Router, gateway, and IP address information
Problem description:
Error messages and log files
Troubleshooting that was performed before contacting Symantec
Recent software configuration changes and network changes
Licensing and registration
If your Symantec product requires registration or a license key, access our technical
support Web page at the following URL:
Customer service
Customer service information is available at the following URL:
Customer Service is available to assist with non-technical questions, such as the
following types of issues:
Questions regarding product licensing or serialization
Product registration updates, such as address or name changes
General product information (features, language availability, local dealers)
Latest information about product updates and upgrades
Information about upgrade assurance and support contracts
Information about the Symantec Buying Programs
Advice about Symantec's technical support options
Nontechnical presales questions
Issues that are related to CD-ROMs, DVDs, or manuals
Support agreement resources
If you want to contact Symantec regarding an existing support agreement, please
contact the support agreement administration team for your region as follows:
[email protected] Asia-Pacific and Japan
[email protected] Europe, Middle-East, and Africa
[email protected] North America and Latin America
Technical Support ............................................................................................... 4
Chapter 1 Introducing Monitor Solution ........................................... 10
About Monitor Solution .................................................................. 10
About core components of Monitor Solution ....................................... 11
About Monitor Pack for Servers ....................................................... 14
Where to get more information ........................................................ 16
Chapter 2 Configuring the Monitor Solution Server ....................... 19
About monitor server configuration ................................................... 19
Importing monitor packs ................................................................. 20
About database maintenance ......................................................... 21
Configuring data purging ................................................................ 22
About heartbeat ........................................................................... 23
Configuring the monitor server heartbeat settings ................................ 24
Chapter 3 Configuring the Monitor Plug-in ...................................... 26
About Monitor Plug-in .................................................................... 26
About Monitor policies ................................................................... 27
About Monitor Plug-in profiling ........................................................ 27
Preparing managed computers for agent-based monitoring ................... 28
Installing Monitor Plug-in ................................................................ 29
Upgrading Monitor Plug-in .............................................................. 30
Uninstalling Monitor Plug-in ............................................................ 31
Creating new Monitor Plug-in settings ............................................... 32
Configuring Monitor Plug-in settings ................................................. 33
Chapter 4 Configuring agentless monitoring ................................... 35
About agentless monitoring ............................................................ 35
About agentless monitoring and network discovery .............................. 36
About monitor service .................................................................... 36
Setting up a remote monitoring site server ......................................... 37
Installing the Pluggable Protocols Architecture (PPA) client
computer component on a site server ................................... 39
Contents
Removing monitor service from a site server ................................ 40
Adding monitor service to a site server ........................................ 41
Configuring remote monitoring server settings .............................. 42
Viewing monitor site server reports ............................................ 43
Chapter 5 Working with Monitor Policies ......................................... 44
Creating monitor policies with the monitor policy wizard ........................ 44
Creating monitor policies ................................................................ 46
Configuring monitor policies ............................................................ 47
Adding rules to a monitor policy ....................................................... 47
About application detection ............................................................. 48
Adding application detection to a monitor policy .................................. 48
Application detection types ............................................................. 50
Adding computers to a monitor policy ............................................... 51
Chapter 6 Working with Metrics ......................................................... 53
About metrics .............................................................................. 53
Creating, cloning or editing metrics .................................................. 55
Adding a metric to a rule ................................................................ 56
About multiple instance metrics ....................................................... 57
Chapter 7 Working with Rules ............................................................. 58
About rules ................................................................................. 58
Creating, cloning or editing rules ...................................................... 60
About metric evaluation ................................................................. 61
About metric and rule aggregation ................................................... 62
Using aggregation to monitor potential hard drive issue ........................ 64
Creating a sample rule with aggregation ...................................... 65
Chapter 8 Working with tasks and actions ....................................... 67
About Monitor Solution tasks and actions .......................................... 67
About severity states ..................................................................... 72
Adding tokens to a Send Email task ................................................. 73
Adding actions to rules .................................................................. 74
Adding actions to monitor policies .................................................... 75
Monitor client and server token types ................................................ 77
Chapter 9 Viewing Monitored Data .................................................... 80
About viewing the monitor data ....................................................... 80
Viewing historical performance data ................................................. 81
8 Contents
Viewing real-time performance data ................................................. 82
Chapter 10 Using alert management ................................................... 84
About alerts ................................................................................. 85
About alert management ................................................................ 85
About Event Console alert filters ...................................................... 86
Configuring alert filter settings ......................................................... 88
Adding new alert filters .................................................................. 88
Hiding resolved alerts .................................................................... 89
Configuring alert rule settings .......................................................... 89
Creating an alert matching rule ........................................................ 90
Adding or editing rules to discard alerts ............................................. 91
Forwarding alerts to another management system .............................. 91
Running a task in response to an alert .............................................. 92
About Event Console tokens ........................................................... 93
Configuring workflow rules ............................................................. 94
Configuring alert purging settings ..................................................... 96
Viewing alerts by network location ................................................... 97
Viewing the health of an organizational group ..................................... 97
Creating and editing Event Console tasks .......................................... 98
Index .................................................................................................................... 99
Appendix A Aggregation input-output matrix ................................... 102
Aggregation input-output matrix ..................................................... 102
Appendix B AltirisMonitor Solutionfor Servers 7.5Symantec
Third-Party Legal Notices .......................................... 107
Third-Party Legal Attributions ........................................................ 107
Expat XML Parser v2.0.1 .............................................................. 107
Net-SNMP v 5.4.1 ....................................................................... 108
RegExp .................................................................................... 114
RegExp License ................................................................... 114
9 Contents
Introducing Monitor
Solution
This chapter includes the following topics:
About Monitor Solution
About core components of Monitor Solution
About Monitor Pack for Servers
Where to get more information
About Monitor Solution
Monitor Solution lets you monitor various aspects of computer operating systems,
applications, and device, such as events, processes, and performance. It helps you
ensure that your servers and your devices function properly, and reduces the costs
of server and network monitoring.
Monitor Solution continuously collects and analyzes data that is captured from
computers and other devices on your network. When data is captured that meets
the specified criteria, alerts can be raised to notify you and actions can be taken.
Monitor Solution lets you do the following:
Collect detailed data fromservers, applications, and network devices to diagnose
the health of your environment..
Collect comprehensive real-time and historical performance data to analyze
trends and isolate recurring issues.
Pinpoint problems, define their cause, and take automated actions to resolve
them.
1
Chapter
Monitor Solution supports both agent-based and agentless monitoring methods. It
runs on the Symantec Management Platform and is a key component of Server
Management Suite.
See About core components of Monitor Solution on page 11.
Monitor Plug-in or the Remote Monitoring Server gather the data that you want to
monitor. The data is remotely managed from the Symantec Management Console.
The Monitor Plug-in and the Remote Monitoring Server receive policies from the
Notification Server computer. Monitor policies instruct the plug-in and Remote
Monitoring Server of what actions to perform.
Monitor Solution lets you monitor different aspects of servers and applications. This
is done through multiple monitoring solutions that work together using a common
set of Monitor Solution components that are called the core components. Each
monitoring solution uses the core components and includes a set of monitoring
components specific to the purpose of the solution.
Table 1-1 Core components of Monitor Solution
Description Component
Monitor Plug-in performs monitoring on client
computers. Monitor Plug-in receives policies
from the Notification Server computer
specifying what aspects of the computer are
to be monitored.
See About Monitor Plug-in on page 26.
Monitor Plug-in
A monitor service on a site server acts in
place of Monitor Plug-in. It lets you monitor
the computers that don't have Agent Plug-in
installed on them.
See About agentless monitoring
on page 35.
Agentless monitoring
11 Introducing Monitor Solution
Table 1-1 Core components of Monitor Solution (continued)
Performance viewers let you view the
performance of a computer in real time or
historically. Performance monitoring data
makes it easy to analyze performance and
identify problems.
See Viewing real-time performance data
on page 82.
See Viewing historical performance data
on page 81.
Real-time and historical performance viewers
You can view the predefined reports, or
create custom reports to meet your needs.
See About viewing the monitor data
on page 80.
Reports
Monitor packs include the monitor policies,
metrics, rules, and tasks for monitoring an
operating system or application. Monitor
packs also contain preconfigured monitor
policies with preset thresholds and severities.
See About Monitor Pack for Servers
on page 14.
Monitor packs
A monitor policy is group of monitoring rules.
You apply monitor policies to the groups of
computers and devices that you want to
monitor. Monitor policies inform the Monitor
Plug-in or the Remote Monitoring Server of
what data you want monitored and how that
data should be analyzed. The data is
evaluated against the conditions of rules.
Based on these rules, Monitor Plug-in can
run automated actions in response to data
that reaches an undesired state or range.
Monitor Plug-in returns the monitored data to
the Notification Server computer. The
Notification Server computer uses monitored
data to run Task Server tasks for real-time
performance monitoring and historical
performance reporting.
Monitor policies are built from metrics and
rules.
See Creating monitor policies with the
monitor policy wizard on page 44.
Monitor policies
Metrics define how Monitor Plug-in or the
Remote Monitoring Server collects data from
supported data sources, called metric
sources. Each plug-in can use numerous
metrics to define all of the data that you want
to collect.
See About metrics on page 53.
Metrics
Rules specify how to analyze the metric data
or the event data that Monitor Plug-in and the
Remote Monitoring Server collect. Rules also
define the conditions that trigger them, and
the actions taken.
See About rules on page 58.
Rules
You can add actions and tasks to a rule or a
policy. Rules are triggered when monitored
metric data reaches a determined value or
goes beyond an acceptable value range. The
triggered rule sends an alert, and any actions
or tasks that are specified for that rule or
policy are executed. You configure a schedule
for monitor actions and tasks, or run them on
demand.
You can run tasks from a task server or you
can choose from several Monitor
Plug-in-specific task types.
See About Monitor Solution tasks and
actions on page 67.
Actions and Tasks
See About Monitor Solution on page 10.
Monitor Pack for Servers provides a number of monitor packs that monitor the
health of your servers. Monitor packs contain monitor policies that monitor services
and events of the server health, operating system, and applications.
Monitor Pack for Servers contains both agent-based and agentless monitoring
policies. Agentless monitor policies let you monitor resources without the Monitor
Plug-in.
See Preparing managed computers for agent-based monitoring on page 28.
See About monitor server configuration on page 19.
You can enable or disable the policies that are included in the monitor packs, or
create new policies. Each monitor policy contains rules, metrics, and tasks that let
you monitor your resources. Rules and metrics let you define the metric evaluation
and metric data that you want to monitor. Tasks let you specify the automated
actions that occur when the metric data reaches certain evaluation.
See Creating monitor policies with the monitor policy wizard on page 44.
The Monitor Pack for Servers also includes numerous reports that help you analyze
the data and tune the performance of your servers.
See About viewing the monitor data on page 80.
Table 1-2 Default monitor packs included in the Monitor Pack for Servers
Description Monitor pack
This monitor pack lets you monitor the disk, memory, network,
processor, and other aspects of AIX servers.
AIX - Basic
This monitor pack lets you monitor the health and
performance of ESXservers including disk, memory, network,
and processor.
ESX - Basic
This monitor pack lets you monitor the ESX host servers for
virtualization metrics including host disk, virtual memory,
system and virtual processor.
ESX - Extended Host
This monitor pack lets you monitor the disk, memory, network,
processor, and other aspects of Linux servers.
Linux - Basic
performance of your Linux Servers. This pack is a single
policy that you can apply to all your Linux Servers to quickly
evaluate the operation system health and performance.
Linux Server Health
This monitor pack lets you monitor disk, memory, network,
processor, and other aspects of Solaris servers.
Solaris - Basic
performance on the Windows 2003 servers including disk,
memory, network, and processor.
Windows 2003
performance on the Windows 2008 servers including disk,
memory, network, and processor.
Windows 2008
This agentless monitor pack lets you monitor the availability
and performance on the Windows 2003/2008 servers
including disk, memory, network, and processor.
The agentless monitor policy lets you monitor computers
without installing Symantec Management Agent and Monitor
Plug-in. Because the Monitor plug-in is not available, fewer
aspects of the computers are available to be monitored.
Windows Agentless Policy
Table 1-2 Default monitor packs included in the Monitor Pack for Servers
(continued)
Description Monitor pack
performance of your Linux Servers. This pack is a single
policy that you can apply to all your Linux Servers to quickly
evaluate the operation system health and performance.
Windows Server Health
Use the following documentation resources to learn about and use this product.
Table 1-3 Documentation resources
Location Description Document
The Supported Products A-Z page, which is available at the following
URL:
http://www.symantec.com/business/support/index?page=products
Open your product's support page, and then under Common Topics,
click Release Notes.
Information about new
features and important
issues.
Release Notes
The Documentation Library, which is available in the Symantec
Management Console on the Help menu.
The Supported Products A-Z page, which is available at the
following URL:
http://www.symantec.com/business/support/index?page=products
Open your product's support page, and then under Common Topics,
click Documentation.
Information about how to
use this product,
including detailed
technical information and
instructions for
performing common
tasks.
User Guide
Table 1-3 Documentation resources (continued)
Location Description Document
The Documentation Library, which is available in the Symantec
Context-sensitive help is available for most screens in the Symantec
Management Console.
You can open context-sensitive help in the following ways:
Click the page and then press the F1 key.
Use the Context command, which is available in the Symantec
Information about how to
use this product,
including detailed
technical information and
instructions for
performing common
tasks.
Help is available at the
solution level and at the
suite level.
This information is
available in HTML help
format.
Help
In addition to the product documentation, you can use the following resources to
learn about Symantec products.
Table 1-4 Symantec product information resources
Location Description Resource
http://www.symantec.com/business/theme.jsp?themeid=support-knowledgebase Articles, incidents, and
issues about Symantec
products.
SymWISE
Support
Knowledgebase
Table 1-4 Symantec product information resources (continued)
Location Description Resource
http://www.symantec.com/connect/endpoint-management/forums/
endpoint-management-documentation
Here is the list of links to various groups on Connect:
Deployment and Imaging
http://www.symantec.com/connect/groups/deployment-and-imaging
Discovery and Inventory
http://www.symantec.com/connect/groups/discovery-and-inventory
ITMS Administrator
http://www.symantec.com/connect/groups/itms-administrator
Mac Management
http://www.symantec.com/connect/groups/mac-management
Monitor Solution and Server Health
http://www.symantec.com/connect/groups/monitor-solution-and-server-health
Patch Management
http://www.symantec.com/connect/groups/patch-management
Reporting
http://www.symantec.com/connect/groups/reporting
ServiceDesk and Workflow
http://www.symantec.com/connect/workflow-servicedesk
Software Management
http://www.symantec.com/connect/groups/software-management
Server Management
http://www.symantec.com/connect/groups/server-management
Workspace Virtualization and Streaming
http://www.symantec.com/connect/groups/
workspace-virtualization-and-streaming
An online resource that
contains forums, articles,
blogs, downloads,
events, videos, groups,
and ideas for users of
Symantec products.
Symantec
Connect
Configuring the Monitor
Solution Server
About monitor server configuration
Importing monitor packs
About database maintenance
Configuring data purging
About heartbeat
Configuring the monitor server heartbeat settings
About monitor server configuration
You can configure the monitor server settings to meet your specific needs.
Table 2-1 Process for configuring the monitor server
Description Action Step
Monitor packs include monitor policies, metrics,
rules, and tasks for monitoring an operating system
or application. Monitor packs also contain
preconfigured monitor policies with preset
thresholds and severities. You can import a monitor
pack to monitor computers and devices.
See Importing monitor packs on page 20.
Import a monitor pack. Step 1
2
Chapter
Table 2-1 Process for configuring the monitor server (continued)
Monitor Solution collects data from monitor
computers and stores it in the database. You can
configure the database maintenance settings to
define when data is summarized and purged.
See Configuring data purging on page 22.
Set up database
maintenance.
Step 2
Monitor Solution collects heartbeat signals from
Monitor Plug-ins. You can configure the server-side
heartbeat settings to define how often Monitor
Solution checks for heartbeats. Specify the number
of failures that are allowed to occur before Monitor
Solution sends an alert to the Event Console.
See Configuring the monitor server heartbeat
settings on page 24.
Configure heartbeat
monitoring settings.
Step 3
You use monitor packs to monitor different aspects of your computer resources
and network to ensure their availability. Monitor packs include monitor policies,
metrics, rules, and tasks for monitoring an operating system or application. Monitor
packs also contain preconfigured monitor policies with preset thresholds and
severities.
You can import monitor packs after the installation of Monitor Solution. Importing
monitor packs lets you choose what functionality you want to install on your
monitoring server, and when you want to install it.
For more information page, see the topic about performing the First Time Setup
configuration in the IT Management Suite Administration Guide.
To import monitor packs
1 In the Symantec Management Console, on the Home menu, click Monitoring
and Alerting.
2 In the left pane, under Monitoring and Alerting, expand Monitor > Policies,
and then click Import Monitor Pack.
3 On the Import Monitor Pack page, click the monitor pack that you want to
import.
20 Configuring the Monitor Solution Server
4 On the toolbar, click Schedule.
5 In the Schedule Monitor Pack dialog box, configure the schedule settings,
and then click OK.
Monitor Solution lets you control how the data that you gather by monitoring is
handled. You can create a custom configuration to summarize and purge the data.
The data that you choose to store can be as granular or as broad as you require.
For example, you can specify to store highly detailed and granular data (typically
in 5-minute intervals) for the current day, week, or month. You can specify to keep
less detailed summarized data for the previous days, weeks, or months. The data
is purged from the database entirely when it reaches the final age. This helps you
store the data that you require, and also control the database growth. However,
because the data is summarized according to a schedule, it also becomes less
detailed, and therefore less reliable. You need to consider this when you configure
the summarization and purging schedule.
Symantec recommends that you schedule the database purging to occur during
non-peak times of the day. Large amounts of data can cause the summarization
and purging process to take too much time.
Numeric data passes run as follows, according to the time periods that you define:
When data is first collected, it is stored as fully detailed data for as long as you
require.
After the specified time period lapses, detailed data is rolled up into hourly
summaries.
After the specified time period lapses, hourly summaries are rolled up into daily
summaries.
After the specified time period lapses, daily summaries are purged from the
database. Database summarization and purging occurs daily at a time you
specify.
Non-numeric data (such as string metric, process, and NT event data) is not
summarized. Instead, it is stored in full detail for as long as you define, and then
purged when the specified time period lapses.
The metric polling intervals of a metric can affect the amount of data that is collected.
Monitor Plug-in settings and Remote Monitoring Server settings can also affect the
amount of data that is stored. For example, you can choose to log NT Event data
only when an alert raises. Changing this setting decreases the overall amount of
NT Event data that is collected and therefore also decreases the amount of data
that is stored.
See Configuring data purging on page 22.
You can set the time when data summarization and purging occurs.
See About database maintenance on page 21.
To configure data purging
and Alerting.
2 In the left pane, under Monitoring and Alerting, expand Monitor > Settings,
and then click Monitor Server Settings.
3 On the Monitor Server Settings page, click the Purge Maintenance tab.
4 On the Purge Maintenance tab, configure the following settings:
How long you want to store detailed
numeric performance data before it is
purged and summarized into hourly values.
Detailed data
How long you want to store hourly
summarizations of numeric performance
data before it is purged and summarized
into daily values. The value that is used is
the Detailed data value plus the value.
Hourly summaries
How long you want to store daily
summarizations of numeric performance
data before it is purged fromthe database.
The value that is used is the Detailed data
value plus the Hourly summaries value
plus the Daily summaries value.
Daily summaries
How long you want to store string data
before it is purged from the database.
String metric data
How long you want to store process data
before it is purged from the database.
Process data
How long you want to store NT event data
before it is purged it from the database.
NT event data
How much time should be allowed to pass
before a purging timeout is declared.
Command timeout
What time of the day the database purging
should occur.
Perform daily purge at
5 Click Save changes.
About heartbeat
Monitor Plug-in can send scheduled messages to the Notification Server computer.
These messages are called heartbeats. Heartbeats are used to determine if Monitor
Plug-in is available and in communication with the Notification Server computer. In
addition to monitoring the health of Monitor Plug-in, heartbeats also give insight
into the host systems uptime and availability. Monitor Solution equates uptime to
the time that Monitor Plug-in is up. A computer is more likely to be up and available
if Monitor Plug-in on that computer is running and communicating. Likewise, if
expected heartbeats are not received from Monitor Plug-in, it could indicate a
About heartbeat
possible problem. The problem can be with either the computer that hosts the
non-responsive plug-in or with the network connection that is used.
You can use heartbeat data to display reports on the availability of Monitor Plug-in.
If a heartbeat is not received, an alert is generated in the Event Console. You can
create rules to automatically execute server-side tasks in response to a failed
heartbeat alert. For example, you can configure a rule to send an email to you when
a heartbeat fails. You can even configure a rule to execute a run script task that
you preconfigure to diagnose the source of the heartbeat failure.
You can configure the heartbeat settings for the monitor server. These settings
control how often the monitor server checks for received heartbeats.
See About heartbeat on page 23.
Monitor Plug-in can send scheduled messages to the Notification Server computer.
These messages are called heartbeats. Heartbeats are used to determine if Monitor
Plug-in is available and communicates with the Notification Server computer. In
addition to monitoring the health of Monitor Plug-in, heartbeats also check the host
systems uptime and availability. Monitor Solution equates uptime to the time when
the Monitor Plug-in on the client computer is up. A computer is more likely to be up
and available if Monitor Plug-in on that computer is running and communicating.
Likewise, if expected heartbeats are not received from Monitor Plug-in, it could
indicate a possible problem. The problemcan be with either the computer that hosts
the non-responsive plug-in or with the network connection.
You can use heartbeat data to display reports on the availability of Monitor Plug-in.
If a heartbeat is not received, an alert is generated in the Event Console. You can
create rules to automatically execute server-side tasks in response to a failed
heartbeat alert. For example, you can configure a rule to send an email to you when
a heartbeat fails. You can also configure the rule to run a script to diagnose the
source of the heartbeat failure.
You can configure settings for how often Monitor Plug-in sends heartbeats and
whether or not it records system uptime.
To configure the monitor server heartbeat settings
1 In the Symantec Management Console , on the Home menu, click Monitoring
and Alerting.
and then click Monitor Server Settings.
3 On the Monitor Server Settings page, click the Heartbeat tab.
4 On the Heartbeat tab, configure the settings according to your needs, and
then click Save Changes.
Configuring the Monitor
Plug-in
About Monitor Plug-in
About Monitor policies
About Monitor Plug-in profiling
Preparing managed computers for agent-based monitoring
Installing Monitor Plug-in
Upgrading Monitor Plug-in
Uninstalling Monitor Plug-in
Creating new Monitor Plug-in settings
Configuring Monitor Plug-in settings
About Monitor Plug-in
You install Monitor Plug-in on client computers to monitor them. Monitor Plug-in
communicates with the Notification Server computer through the Symantec
Management Agent.
Monitor Plug-in collects the following types of data:
3
Chapter
This data is collected and sent to the Notification Server computer
according to a schedule. It is used in reports and contains
information about application detection and plug-in configuration
on the monitored computer.
Inventory
This data is sent to the Notification Server computer on a different
schedule than inventory data. Performance data is used in
historical performance graphs by the Historical Performance
Viewer and in reports. Some of this data can also be sent directly
to Real-time Performance Viewer for real-time graphs.
See Viewing real-time performance data on page 82.
Performance
Monitor Plug-in generates alerts whenever a rule evaluation
discovers a change of state. Each rule can have a Normal,
Informational, Undetermined, Warning, Major, or Critical state.
The individual rule states are aggregated into an overall state for
the computer. Aresource can have an aggregated state of Normal,
Warning, Major, or Critical.
Alerts
Monitor policies inform Monitor Plug-in of what data you want to monitor and how
to analyze that data. The data is evaluated against the conditions of the rules.
According to these rules, Monitor Plug-in can run automated actions in response
to the data that reaches an undesired state or range. Monitor Plug-in returns the
monitored data to the Notification Server computer. The Notification Server computer
uses monitored data to run Task Server tasks, for real-time performance monitoring,
and historical performance reporting.
Monitor policies specify application detection behavior for Monitor Plug-in. Application
detection enables Monitor Plug-in to regularly check the monitored computer for
the presence of applications that it has been configured to monitor. If an application
that can be monitored is detected on the computer, the plug-in automatically begins
monitoring the application.
About Monitor Plug-in profiling
(Windows only)
Plug-in profiling triggers a rule based on statistical criteria. Monitor Solution compares
the current metric value with the average of previous values for the same metric
and determines if the current value is within a specified number of standard
27 Configuring the Monitor Plug-in
deviations from the average value for the metric. If the value is outside the range,
the rule is triggered.
As metric values change over time, the triggering range is automatically adjusted.
This helps prevent rules frombeing triggered when they should not be and reduces
the need to manually adjust rules.
Plug-in profiling is applicable only for metric-type rules.
Preparing managed computers for agent-based
monitoring
Some monitor tasks can only be performed on managed computers that have
Symantec Management Agent installed on them. Remote Monitoring Server provides
limited monitoring functionality without Monitor Plug-in. Detailed monitoring requires
the installation of both Symantec Management Agent and Monitor Plug-in.
For more information, see the topics about the Symantec Management Agent in
the IT Management Suite Administration Guide.
To prepare managed computers for monitoring, you must complete the following
steps:
Table 3-1 Process for preparing managed computers for agent-based
monitoring
Resource objects are created for the discovered
computers in the Configuration Management
Database (CMDB).
You may have discovered computers when you
installed Notification Server or when you added
new computers to the network.
For more information, see the IT Management
Suite Administration Guide.
Discover the computers
that you want to
manage.
Step 1
Preparing managed computers for agent-based monitoring
Table 3-1 Process for preparing managed computers for agent-based
monitoring (continued)
You may have performed this step when you
installed Notification Server or when you added
new computers to the network.
For more information, see the IT Management
Symantec Management Agent has two versions:
one for Windows and one for UNIX, Linux, and
Mac.
Roll out Symantec
Management Agent.
Step 2
To monitor computers using agent-based
monitoring, you must install Monitor Plug-in on
target computers.
See Installing Monitor Plug-in on page 29.
Install Monitor Plug-in. Step 3
To install Monitor Plug-in, you configure a policy that installs it on target computers.
You specify a computer or a group of computers on which to install the plug-in, and
schedule the policy run. The task is ignored on the computers that already have
Monitor Plug-in installed. When the policy is on, it automatically installs Monitor
Plug-in on any computers that are added to the network, and are members of the
specified group.
See Upgrading Monitor Plug-in on page 30.
See Uninstalling Monitor Plug-in on page 31.
Before you install Monitor Plug-in, you must install Symantec Management Agent
on target computers.
Note that Monitor Solution has separate plug-in rollout policies for 32-bit computers
and 64-bit computers.
For more information, see the topic about performing the First Time Setup
To install Monitor Plug-in
and Alerting.
2 In the left pane, under Monitoring and Alerting, expand Monitor >
Agents/Plug-ins, expand the folder for the operating systemor the application
that you want to run the Plug-in on, and then expand the Rollout folder, and
click the policy name.
For example, expand Windows > Rollout, and then click Monitor Plug-in for
Windows x86 - Install.
3 On the policy page, turn on the policy.
At the upper right of the page, click the colored circle, and then click On.
4 On the policy page, under Applied to, on the toolbar, click Apply to, and
choose the computers to install the plug-in on.
In most cases, you can use the default group to install the plug-in on all
computers that do not have it installed.
5 On the policy page, under Schedule, on the toolbar, click Schedule, and then
configure the schedule of the policy.
6 On the policy page, click Save changes.
To upgrade Monitor Plug-in, you configure a policy that installs and upgrades it on
target computers. You specify a computer or a group of computers on which to
install the plug-in, and schedule the policy run. The task is ignored on the computers
that already have the updated version of Monitor Plug-in installed.
See Uninstalling Monitor Plug-in on page 31.
Note: This upgrade policy does not upgrade version 6.x of Monitor Plug-in for UNIX
and Linux client computers. For these computers, use the install policy to deploy
Monitor Plug-in. You can use this upgrade policy to upgrade version 7.0 or 7.1 of
Monitor Plug-in for UNIX and Linux client computers to version 7.5.
To upgrade Monitor Plug-in
and Alerting.
that you want to run the Plug-in on, and then expand the Rollout folder, and
click the upgrade policy name.
Windows x86 - Upgrade.
choose the computers to upgrade the plug-in on.
To uninstall Monitor Plug-in, you configure a policy that uninstalls it on target
computers. You specify a computer or a group of computers on which to uninstall
the plug-in, and schedule the policy run.. The task is ignored on the computers that
do not have Monitor Plug-in installed.
See Upgrading Monitor Plug-in on page 30.
To uninstall Monitor Plug-in
and Alerting.
that you want to run the plug-in on, and then expand the Rollout folder, and
click the uninstall policy name.
Windows x86 - Uninstall.
choose the computers to upgrade the plug-in on.
Warning: By default, the uninstall policy is targeted to Windows Servers with
Monitor Plug-in x86 installed. If you do not configure the Apply to option
and turn on the policy, it uninstalls Monitor Plug-in on all computers.
You can create new Monitor Plug-in settings within a Monitor Plug-in configuration
policy. When a configuration policy is turned on, the settings apply to all client
computers that are contained in the groups that the policy targets.
Note: If more than one configuration policy targets Monitor Plug-in, the plug-ins
settings match the most recent configuration policy.
To create new Monitor Plug-in settings
and Alerting.
that you want to run the Plug-in on, right-click the Configuration folder, and
then click New > New Plug-in Settings.
3 In the left pane, under Configuration, right-click New Plug-in Settings, click
Rename.
4 In the Rename Itemdialog box, type the newname for the plug-in configuration
item, and then click OK.
5 In the right pane, turn on the policy.
6 In the right pane, configure the settings according to your needs, and then click
Save changes.
Configuration policies let you customize Monitor Plug-in settings for various
purposes. When a configuration policy is turned on, the settings apply to all the
computers in the groups that the policy targets.
Monitor Plug-in can locally log performance data, process data, and NT event data.
You can configure if and how often these logs are saved locally and if and how
often the data is uploaded to the Configuration Management Database (CMDB).
You can also specify how often local data is purged.
You can configure Monitor Plug-in settings to meet the needs of your environment
and define how Monitor Plug-in performs during maintenance windows.
See Creating new Monitor Plug-in settings on page 32.
Note: If more than one configuration policy targets Monitor Plug-in, its settings match
the most recent configuration policy.
Configuration policies let you configure the following Monitor Plug-in settings:
Application detection.
Metric preferences.
Data collection settings.
Monitor Plug-in Heartbeat settings.
SNMP settings.
SQL settings.
Real-time Performance Viewer parameters.
Maintenance window settings.
To configure Monitor Plug-in settings
and Alerting.
that you want to run the Plug-in on, expand the Configuration folder, and then
click the plug-in configuration item.
3 In the right pane, under Plug-in Config Settings, configure the settings
according to your needs.
4 In the right pane, under Applied to, on the toolbar, click Apply to, and choose
the computers to upgrade the plug-in on.
5 In the right pane, turn on the policy.
6 In the right pane, configure the settings according to your needs, and then click
Save changes.
Configuring agentless
monitoring
About agentless monitoring
About agentless monitoring and network discovery
About monitor service
Setting up a remote monitoring site server
About agentless monitoring
Agentless monitoring lets you monitor the computers that do not have Monitor
Plug-in installed. You monitor these computers with agentless monitoring policies.
Because Monitor Plug-in is not available on the computer, fewer aspects of the
computer are available to be monitored. You use monitor service on a site server
to perform agentless monitoring.
All agentless monitoring policies have a list of resource targets that are monitored.
Each monitor service monitors the resources assigned to its server if an agentless
monitoring policy targets those resources. Multiple site servers can monitor the
same resource that is targeted by an agentless monitor policy. Also, different site
servers can monitor different resources that are targeted by the same agentless
monitor policy.
You can use agentless monitoring in the following situations:
You cannot install Symantec Management Agent on the device that you want
to monitor.
4
Chapter
For example, VMware recommends that you do not run third-party software in
the VMware ESX Server service console. Another example would be a device
that has an embedded system.
You want to monitor the availability of a server.
In most cases, you need to use agentless monitoring to perform an availability
(ping) monitor.
A dependency exists between agentless monitoring and network discovery. The
connection profiles within the network discovery bind those computers that are
specified within the selected IP range. This association is required for the resources
that use both agentless monitoring and any of the following metric sources:
HTTP
SNMP
WMI
WS-MAN
However, if you want to monitor the availability status of a resource that uses ICMP,
you do not need to run the network discovery task.
See About agentless monitoring on page 35.
For more information about connection profiles, see the IT Management Suite
Administration Guide.
For more information about discovering network devices, see the IT Management
About monitor service
Monitor service on a site server lets you perform agentless monitoring. Monitor
service is installed on the Notification Server computer by default.
Because monitoring can be resource-intensive, you can distribute the monitoring
load to other site servers to reduce the load on Notification Server. You can also
remove monitor service from the Notification Server computer to further reduce the
load on this server.
See Setting up a remote monitoring site server on page 37.
36 Configuring agentless monitoring
Monitor service is integrated with the site server infrastructure. This integration lets
the user specify the resources that each site server monitors.
You use monitor service on a site server to performagentless monitoring. By default,
monitor service is installed on the Notification Server computer. You can distribute
the monitoring load to other site servers to reduce the load on Notification Server.
You can also remove monitor service from the Notification Server computer to
further reduce the load on this server.
You can set up as many monitoring site servers as you need.
Monitor service is integrated with the site server infrastructure. This integration lets
you specify the resources that each site server monitors.
To install monitor service on a remote site server, the server must be running one
of the following operating systems:
Microsoft Windows Server 2003 SP2 x86
Microsoft Windows Server 2008 R2 x64
The Potential Monitor Servers filter automatically determines possible site servers.
This filter is available on the Manage menu, under Filters. Agentless monitor policies
do not require any special configuration to work with a monitor service on one or
more site servers.
Warning: Symantec recommends that you only install monitor service on a computer
that is secure and trusted. The security settings of the Notification Server computer
must also apply to the site server computer.
Monitor service requires that you install the following on the site server:
Symantec Management Agent.
The Pluggable Protocols Architecture (PPA) client computer component.
The credential manager client computer component.
Table 4-1 Process for setting up a remote monitoring site server
A remote monitoring server requires
Symantec Management Agent to be
installed on the site server.
For more information, see topics about
the Symantec Management Agent in the
IT Management Suite Administration
Guide.
Install Symantec Management
Agent on the site server.
Step 1
Connection profiles must be configured
on Notification Server computer for
remote monitoring to work. Configure
your connection profiles before you
install the Pluggable Protocols
Architecture (PPA) client computer
component on the site server.
For more information, see topics about
connection profiles in the IT
Management Suite Administration
Guide.
Configure connection profiles on
Notification Server.
Step 2
A remote monitoring server depends on
the Pluggable Protocols Architecture
(PPA) client computer component to
communicate with network devices and
computers. When the Pluggable
Protocols Architecture (PPA) client
computer component is installed, the
credential manager client computer
component is also installed.
See Installing the Pluggable Protocols
component on a site server on page 39.
Install the Pluggable Protocols
component on the site server.
Step 3
You can add monitor service to a site
server on the site management page.
See Adding monitor service to a site
server on page 41.
Add monitor service to one or more
site servers.
Step 4
Table 4-1 Process for setting up a remote monitoring site server (continued)
You can remove monitor service from
Notification Server to reduce the load
on this server.
See Removing monitor service from a
site server on page 40.
(Optional) Remove monitor service
from Notification Server.
Step 5
You can configure the remote monitoring
server settings. These settings apply to
all monitor site servers.
See Configuring remote monitoring
server settings on page 42.
Configure the remote monitoring
server settings.
Step 6
The monitor site server reports let you
determine which site servers monitor the
resources that your agentless monitor
policies target.
See Viewing monitor site server reports
on page 43.
(Optional) View the monitor site
server reports.
Step 7
Installing the Pluggable Protocols Architecture (PPA) client computer
component on a site server
Pluggable Protocols Architecture (PPA) includes a policy that can remotely install
the Pluggable Protocols Architecture (PPA) client computer component on a site
server. You must install this component on a site server before you can add monitor
service to the site server. When the Pluggable Protocols Architecture (PPA) client
computer component is installed, the credential manager client computer component
is also installed. The policy that installs the credential manager client computer
component configures the agent to automatically import credentials fromNotification
Server.
To install the Pluggable Protocols Architecture (PPA) client computer component
on a site server
1 In the Symantec Management Console, on the Settings menu, click All
Settings.
2 In the left pane, under Settings, expand Monitoring and Alerting > Protocol
Management, and then click Install x86 Pluggable Protocols Agent Package
or Install x64 Pluggable Protocols Agent Package .
3 In the right pane, do the following:
Under Applied to, on the toolbar, click Apply to, and then configure the
policy application.
For more information, see topics about specifying the targets of a policy in
the IT Management Suite Administration Guide.
Under Schedule, on the toolbar, click Add schedule, and then configure
the policy run settings.
For more information, see topics about specifying a policy schedule in the
IT Management Suite Administration Guide.
Turn on the policy.
After Pluggable Protocols Architecture (PPA) and credential manager are
installed, wait until Symantec Management Agent sends inventory information
before adding a monitor service. You can confirmthat the inventory information
was sent on the site server, on the Symantec Management Agent Settings
tab of the Symantec Management Agent user interface.
Removing monitor service from a site server
You use monitor service on a site server to perform agentless monitoring. Monitor
service is installed on the Notification Server computer by default. To reduce the
load on Notification Server, you can remove monitor service from this server. You
can also remove monitor service from any other site server.
To remove monitor service from a site server
1 In the Symantec Management Console, on the Settings menu, click
Notification Server > Site Server Settings.
2 In the right pane, under Detailed Information, on the toolbar, in the View
drop-down list, click Site Servers.
3 Under Detailed Information, in the server list, click the site server, and then,
on the toolbar, click the Edit symbol.
4 In the Add/Remove Services dialog box, uncheck Monitor Service, and then
click Next.
5 In the Add/Remove Services dialog box, click OK.
Adding monitor service to a site server
You use monitor service on a site server to perform agentless monitoring. Monitor
service is installed on the Notification Server computer by default. You can also
add monitor service to one or more site servers.
Before you can add monitor service to a site server, you need to install the following
components on that server:
Symantec Management Agent.
Pluggable Protocols Architecture (PPA) client computer component.
Credential manager client computer component.
Credential manager client computer component is installed when you install
Pluggable Protocols Architecture (PPA) client computer component. After
Pluggable Protocols Architecture (PPA) and credential manager are installed,
wait until the Symantec Management Agent sends inventory information before
adding a monitor service.
When you add monitor service to a site server, it is installed according to the
schedule of the installation policy. Monitor service has installation policies for 64-bit
and 32-bit computers. To access these installation policies, in the Symantec
Management Console, on the Settings menu, click Notification Server > Site
Server Settings, and then, in the right pane, expand the Monitor Service section.
To add monitor service to a site server
1 In the Symantec Management Console, on the Settings menu, click
Notification Server > Site Server Settings.
2 In the right pane, under Detailed Information, on the toolbar, in the View
drop-down list, click Site Servers.
3 Under Detailed Information, in the server list, click the site server, and then,
on the toolbar, click the Edit symbol.
4 In the Add/Remove Services dialog box, check Monitor Service, and then
click Next.
You cannot check Monitor Service, if Pluggable Protocols Architecture (PPA)
and credential manager are not installed on the site server.
5 In the Add/Remove Services dialog box, click OK.
6 To check the status of the installation, on the Site Management page, expand
Site Services > Monitor Service.
A pie chart displays the site servers that are installed, pending installation, or
not installed.
Configuring remote monitoring server settings
You can configure the settings for the remote monitoring servers. You use a remote
monitoring server and a monitor service to perform agentless monitoring.
The remote monitoring server settings are the global settings that apply to all monitor
site servers.
See Adding monitor service to a site server on page 41.
To configure remote monitoring server settings
and Alerting.
and then click Remote Monitoring Server Settings.
3 In the right pane, under Plug-in Config Settings, click the tabs to configure
the following settings:
General
Performance Tuning
Data Collection
4 Turn on the policy.
5 In the right pane, click Save changes.
Viewing monitor site server reports
Monitor service on a site server lets you run agentless monitoring policies to monitor
the resources that do not have Symantec Management Agent installed. The monitor
site server reports let you determine which site servers monitor the resources that
your agentless monitor policies target.
The monitor site sever reports are as follows:
This report lists the resources that the
specified site server monitors.
Monitored resources by RMS
This report lists the resources that no site
server monitors.
Resources not monitored by RMS
This report lists the site servers that monitor
the specified resource.
RMS by Monitored resources
To view monitor site server reports
1 In the Symantec Management Console, on the Reports menu, click All
Reports.
2 In the left pane, under Reports, expand Monitoring and Alerting > Monitor
> Configuration > Monitor site server.
Working with Monitor
Policies
Creating monitor policies with the monitor policy wizard
Creating monitor policies
Configuring monitor policies
Adding rules to a monitor policy
About application detection
Adding application detection to a monitor policy
Application detection types
Adding computers to a monitor policy
Creating monitor policies with the monitor policy
wizard
To monitor client computers, you create monitor policies. Monitor Solution includes
a wizard that simplifies the process of creating monitoring policies. You can also
create a monitor policy without the wizard.
See Working with Monitor Policies on page 44.
Monitor policies use metrics, rules, and tasks to define the following information:
The computer resources that you want to monitor.
The metric data that you want to monitor.
5
Chapter
The fluctuations in the metric data that imply the status of the resource.
The actions that you want to occur when metric data reaches certain values.
For more information, see the topic about performing the First Time Setup
To create monitor policies with the monitor policy wizard
1 In the Symantec Management Console, on the Actions menu, click Monitor
> New Policy.
2 In the Create a monitor policy wizard, on the Choose what to monitor page,
choose the data to monitor, and then click Next.
You must enter a name for the monitoring policy. A descriptive name can help
you to identify the policy in future.
You must specify if the policy should be either an agent-based policy or an
agentless policy.
Agent-based monitor policies are intended to run on computers that have
Monitor Plug-in installed on them. If a computer has Monitor Plug-in installed
on it, more aspects of the computer can be monitored.
Agentless monitor policies let you monitor computers without Monitor Plug-in.
Because Monitor Plug-in is not available, fewer aspects of the computer can
be monitored.
3 In the wizard, on the Select monitoring categories page, check one or more
categories, and then click Next.
Rules are grouped into categories so that it is easier to organize and locate
them.
4 In the wizard, on the Add/Remove monitor rule page, manage monitor rules,
and then click Next.
All of the rules of previously selected categories are displayed on this page.
Click Add or Remove to configure which rules you want to include in the
monitoring policy.
See Adding rules to a monitor policy on page 47.
5 In the wizard, on the Set rule actions page, set rule actions, and then click
Next.
Monitor policies have six possibel severity states. You can specify the tasks
that you want to occur for each severity state. Task server tasks are run from
the task server. Monitor Plug-in tasks are run locally on the monitored computer.
Tasks are run in the order they are displayed in the window.
See Adding actions to monitor policies on page 75.
45 Working with Monitor Policies
Creating monitor policies with the monitor policy wizard
6 In the wizard, on the Select group of computers to monitor page, choose
the computers to monitor, and then click Finish.
7 In the right pane, under Applies to, on the toolbar, click Apply to, choose the
computers that you want the monitor policy to run on, and then click Finish.
To monitor client computers, you create monitor policies.
Monitor policies use metrics, rules, and tasks to define the following information:
The computer resources that you want to monitor.
The metric data that you want to monitor.
The fluctuations in the metric data that imply the status of the resource.
The actions that you want to occur when metric data reaches certain values.
You can also create monitor policies with the monitor policy wizard.
To create monitor policies
and Alerting.
2 In the left pane, under Monitoring and Alerting, expand Monitor > Policies
> Monitor Policies, right-click the folder where you want to create the policy,
click New > Monitor Policy (Agentless), or New > Monitor Policy
(Agent-based), and then click the name of the newly created policy.
3 In the right pane, on the Rules, Detection and Actions tabs, configure the
settings according to your needs.
See Adding application detection to a monitor policy on page 48.
5 In the right pane, under Applies To, on the toolbar, click Apply to, choose the
computers that you want the policy to apply to, and then click Save changes.
You can configure monitor policies according to your needs.
To configure monitor policies
and Alerting.
> Monitor Policies, and then click a policy that you want to configure.
3 In the right pane, on the Rules, Detection and Actions tabs, configure the
settings according to your needs.
See Working with Monitor Policies on page 44.
5 In the right pane, under Applies To, on the toolbar, click Apply to, choose the
computers that you want the monitor policy to monitor, and then click Save
changes.
Adding rules to a monitor policy
Rules are used within monitor policies to specify what metrics to monitor and how
fluctuations in a metrics data value should be interpreted. You can add rules to a
monitor policy.
See Working with Rules on page 58.
To add rules to a monitor policy
and Alerting.
> Monitor Policies, and then navigate to a policy that you want to edit.
3 On the policy page, on the Rules tab, on the toolbar, click the Add symbol.
4 In the Select Rule dialog box, click a rule, and then click OK.
When a monitor policy runs the application detection, it searches the computers to
determine if specific applications are installed. If the applications are found, Monitor
Solution starts monitoring.
On the monitor policy page, you can specify which computers the policy applies to.
This lets you save computer resources by targeting specific computers to run a
particular policy on.
When you configure application detection methods for a monitor policy, the
computers that the monitor policy applies to are filtered at a more granular level.
For example, you can configure a policy to monitor data when application X is
installed. On the policy page, you can specify that the policy applies to computers
A through F. If application detection determines that application X is not on computer
C, then the monitor policy does not run on computer C. Application detection saves
systemresources by eliminating the polling of metrics sources that are not available
on the system.
When application detection is configured properly it helps you meet your monitoring
goals in the following ways:
Monitor the specific information and resources according to your needs.
Use the system resources more efficiently.
When you install monitor packs, application detection is already configured for them.
You can create additional application detection methods to add to an existing monitor
policy. You can add additional application detection methods when you create
customized categories or monitor policies. If you have any additional customization
needs, you can add new application detection methods to your monitor policies.
You can choose from several application detection types. Different types let you
monitor the specific applications according to your needs.
See Application detection types on page 50.
Application detection functionality searches the client computers to determine if
specific applications are installed. Monitor Solution can then monitor those
applications.
See About application detection on page 48.
To add detection to a monitor policy
1 Create or edit an agent-based monitor policy.
See Configuring monitor policies on page 47.
2 On policy page, on the Detection tab, on the toolbar, click the New symbol to
add a detection item, and then do the following:
If this application detection method is the first method for the policy, provide
the required information in the dialog box, and then click OK.
If this application detection is an additional method, specify an operator for
the detection method, provide the required information in the dialog box,
and then click OK.
Operators determine the detection logic for the specified detection items.
The detection logic tells Monitor Solution how to proceed through the
detection methods to check for the application. The operators let you create
more complex and accurate application detection methods. With only one
detection method specified, your search may be more generic, but the
operators allow for a more focused search.
The detection methods that you specify are evaluated linearly, i.e. the
functions that you specify evaluate one after the other. For example, if you
set up methods stating the following:
IF a certain DLL is present
AND a certain file is present
OR a specific process is running
The detection logic evaluation first checks to see if the DLL and the files
are present. If they are present detection passes. If they are not present,
then the logic moves on to check if the process is running. If the process
is running, detection passes. If the process is not running, detection fails.
The set does not check first to see if the DLL is present, and then check to
see if the file is present or the process is running. The "and" only applies
to the first step in the detection method.
If multiple detection types are used, the If operator is only available for the
first detection type.
Continue adding application detection methods until the application detection
configuration is complete.
See Application detection types on page 50.
Application detection searches monitored computers to determine if the specific
applications are installed.
See About application detection on page 48.
Application detection is preconfigured for the monitor policies that are part of monitor
packs. You can also add detection methods to a monitor policy to meet any additional
application detection needs.
You can choose from several application detection types. Different detection types
let you monitor the specific applications that are the most critical to your operations.
Table 5-1 Application detection types
Description Type
(Windows only)
Checks for the existence of a COMobject. The Class IDand IIDare required to identify
the object.
If you check Always detect as a 32-bit module, applications are only detected if they
run in a 32-bit state.
COM object is registered
(Windows only)
Checks for the presence of a DLL. The name of the DLL is required.
DLL is present
Checks for the existence of a file. The path to the file and the name of the file are
required.
On Windows computers, you can check for the existence of a specific version or
versions. To check for the existence of the file only, in the Condition drop-down list,
click Exists.
To check for a specific product version or versions, choose a logical operator and
specify a product version.
On Linux or UNIX computers, you can only check for the existence of the file.
File exists
Table 5-1 Application detection types (continued)
Description Type
Checks if a package is installed on the monitored computer. On Linux computers, it
checks the availibility of the RPM package. The package name is required.
You can check for the existence of the package or a version of the package. To check
for the existence of the package only, in the Condition drop-down list, click Exists.
To check for a specific version, choose a logical operator and specify a product version.
Package is present
Checks if a process is running. The name of the process is required.
On Linux and UNIX computers, use the long name of the process without path or
arguments. For example, for the /usr/lib/dmi/snmpXdmid -s myhost process,
type snmpXdmid.
Process is running
(Windows only)
Checks for the existence of a registry key. The registry key root and subkey are required.
Registry key exists
(Windows only)
Checks for the existence of a registry key value. The registry key root, subkey , the
name of the value, and value type are required.
You can check for the existence of the value or the existence of a certain key value.
To check for the existence of the value only, in the Condition drop-down list., click
Exists.
To check for a specific key value, choose a logical operator, and then specify a value.
Registry value
(Windows only)
Checks for the existence or running of a service. You need to specify the name of the
service, and whether the name is a display or a binary name. You must also choose
if you want to check for the existence or running of the service.
Service is installed or
running
After you create and configure a monitor policy you can apply the policy to groups
of computers. After a monitor policy is saved and enabled, the policy is applied to
the targeted computers on the next policy refresh. Polices refresh every one hour
by default.
To add a computer to a monitor policy
1 Create or edit a monitor policy.
See Creating monitor policies with the monitor policy
wizard on page 44.
To create a monitor policy
See Configuring monitor policies on page 47. To edit a monitor policy
2 Click Apply to and select one of the following options:
Select Quick apply to choose a list of common groups and targets, select
a target, and click Apply.
Select Computers to open the Select computers dialog box to search for
groups of computers. Use the tool to locate computers, select the computers,
and then click OK.
(Agentless monitor policies only). Select Resources to open the Select
resources dialog box to search for groups of computers and devices. Use
the tool to locate resources, select the resources, and then click OK.
Working with Metrics
About metrics
Creating, cloning or editing metrics
Adding a metric to a rule
About multiple instance metrics
About metrics
Metrics are measurements of the data that Monitor Solution collects from the
computers and devices that you monitor. Metrics are used within rules to pinpoint
problems and define their cause. Metrics define the types of data that you collect,
and the type of data source that you collect it from. Metric data can be log events,
the status of a program, or the status of an operating system component. Metric
sources are the aspects of a computer or application that provides the data.
When Monitor Solution and Monitor packs are installed, they include a number of
predefined metrics.
See Creating, cloning or editing metrics on page 55.
You can create, clone, configure and delete metrics in the rule library. If you want
to configure the metric, it is advised that you clone it, and then configure the cloned
copy.
You can also delete metrics, but note that you cannot delete a metric that other
rules or policies reference.
You can filter metrics by type as well as by reference count. Reference count shows
how many policies use the metric.
There are the following types of metrics:
6
Chapter
Table 6-1
Description Metric type
Agent-based metric types require Monitor Plug-in to be installed
on targeted computers.
Agent-based metric
types
Agentless metric types do not require Monitor Plug-in to be
installed on targeted computers.
Agentless metric types
Agent-based and agentless metric types can be used with or
without Monitor Plug-in installed on target computers.
Agent-based or
agentless metric types
Table 6-2 Agent-based metric types
These metrics use a custom COM DLL or other components
to perform a custom data query.
COM
These metrics parse the results of a command-line utility or
an input file for a particular value, and return the associated
values.
Command
These metrics take the data that one or more existing metrics
collect and manipulate the values.
Compound
These metrics provide a way to performa customdata query. Custom DLL
These metrics monitor the log files. Log event
These metrics collect data from Windows performance
counters, such as CPU utilization, memory usage, disk
swapping time, and processor cache usage.
Performance Counter
These metrics retrieve data from Microsoft SQL Server
databases on Microsoft Windows computers. The SQL Server
database must be on the computer with installed Monitor
Plug-in.
SQL
These metrics monitor currently running Windows processes. Windows Process
These metrics monitor currently running Windows services. Windows Service
54 Working with Metrics
About metrics
Table 6-3 Agentless metric types
Description Metric Type
These metrics aggregate or group data from several metrics
into a single metric.
Group
These metrics remotely monitor the health of a Web (HTTP)
server.
HTTP
These metrics monitor the response time of remote IP
devices.
Ping
These metrics automatically choose the correct protocol and
the correct authentication method to capture the metric data.
Smart
These metrics monitor Web Services for Management
(WS-MAN) properties.
WS-MAN
Table 6-4 Agent-based and agentless metric types
These metrics monitor the communication ports of the
computer and make sure that they are available for use.
Port
These metrics poll attribute values from SNMP-enabled
agents.
SNMP
These metrics monitor various Windows Management
Instrumentation (WMI) numeric properties.
WMI
You can create new metrics in the rule library and edit the existing metrics. It is
recommended to clone the metric before you edit it.
To create, clone or edit metrics
and Alerting.
and then click Metric Library.
3 In the right pane, in the Agent-based and Agentless lists, you can do the
following.
Create a new metric.
In the right pane, on the toolbar, click the New symbol, choose the metric
type and the category, and then type the metric name and the description.
In the NewMetric dialog box, configure the metrics according to your needs,
and then click OK.
Clone an existing metric.
On the Metric Library page, in the metric list, click a metric, and then, on
the toolbar, click the Clone symbol.
In the metric list, click the newly created metric, edit it, and then click OK.
Edit an existing metric.
On the Metric Library page, in the metric list, click a metric that you want
to edit, and then, on the toolbar, click the Edit symbol.
In the Edit Metric dialog box, configure the metric settings according to
your needs, and then click OK.
Warning: If you edit a metric that is referenced in by a rule, the rule is
updated to include the updated metric. If you do not want this to occur, first
create a clone of the metric and then edit the clone.
Metrics return the data that the rules need to evaluate a condition and determine
which actions to take.
To add a metric to a rule
and Alerting.
and then click Rule Library.
3 On the Rule Library page, double-click the rule to which you want to add a
metric.
4 In the Edit Rule dialog box, under Metrics, on the toolbar, click the New
symbol.
5 In the New Metric Evaluation dialog box, specify the metric parameters, and
then click OK.
See About metric evaluation on page 61.
6 In the Edit Rule dialog box, click OK.
Multiple instance metrics can return more than one value in a query. For example,
if you want to monitor disk space usage, there is a disk usage value available for
each of the disks on the computer. With a metric specified as a multiple instance
metric, you can receive values for each of the disks. If the metric is not configured
for multiple instances, then a single value is retrieved for the first instance of the
query.
To configure metrics to use multiple instances, you check Use multiple instances
when you create or edit a metric.
See Creating, cloning or editing metrics on page 55.
The metric types that support multiple instances are as follows:
Compound
Performance Counter
SNMP
SQL
Working with Rules
About rules
Creating, cloning or editing rules
About metric evaluation
About metric and rule aggregation
Using aggregation to monitor potential hard drive issue
About rules
Monitor Solution uses rules within monitor policies to collect and evaluate metric
data. Rules specify what metrics to monitor and how fluctuations in the metric data
value should be interpreted. After a rule is defined and activated, the metric data
is collected from a specified application or operating system.
Rules define the following information:
The metrics that are used to collect data from metric sources.
The acceptable values for metric data.
When the rules are triggered.
The actions that are taken when metric data is in an undesired state or is beyond
a wanted range.
Monitor Solution has different types of rules for different purposes. Rules can be
used to poll metric sources, such as Windows NT events and log events. Some
rules are configured to only collect metric data and nothing else. Other rules both
collect data and evaluate it against predefined acceptable ranges and values. If a
7
Chapter
data value is in an undesirable state or is beyond a wanted range, then the rule is
considered triggered. When a rule triggers, actions can be taken.
The actions that a rule can trigger are defined either within the rule or within the
monitor policy. Actions, such as running a script, can be initiated fromthe monitored
computer. Actions, such as sending an email, can also be run as server-side tasks
from the Notification Server computer.
See About Monitor Solution tasks and actions on page 67.
Agent-based monitor policies support all rule types. Agentless monitor polices only
support the Metric rule types and the Metric Collect rule types.
Table 7-1 Types of rules
Description Rule type
These rules use polled metrics to gather the metric data that
is compared against a predetermined value. If the metric data
reaches a specified value or state, then the rule is triggered.
When rules are triggered, the severity state of the rule
changes, and the actions for that rule are run.
Metric
These rules gather metric data but do not evaluate it. These
rules do not have any associated severity state or actions.
You use this rule type if you want to collect data, but you do
not need the rule to run actions.
Metric Collect
This rule type is based on Windows NT events. Whenever a
Windows NT event occurs on the monitored computer, the
event is evaluated against all the NT event rules. If any of
the rules are triggered, the severity state of the rule changes
and the actions for that rule are run.
NT Event
These rules gather NT event data. The NT Event Collect is
not evaluated but it does not have any associated severity
state or actions. You use this rule type if you want to collect
NT event data, but you do not need the rule to run actions.
NT Event Collect
This rule type is based on log events. When a log event
triggers a rule, the severity state of the rule changes, and the
actions for that rule are run.
Log Event
You can create, clone, configure and delete rules in the rule library. If you want to
configure a rule, Symantec recommends that you clone it, and then configure the
cloned copy.
You can filter rules by type and by reference count. Reference count shows how
many policies use the metric. Multiple monitor policies can reference a single rule.
59 Working with Rules
About rules
If you edit a rule, it is automatically updated in all of the monitor policies that
reference it.
You can create new rules in the rule library and edit the existing rules. It is
recommended to clone the rule before you edit it.
To create, clone or edit rules
and Alerting.
3 In the right pane, in the Agent-based and Agentless lists, you can do the
following.
Create a new rule.
In the right pane, on the toolbar, click the Newsymbol, choose the rule type
and the category, and type the rule name and the description.
Clone an existing rule.
In the right pane, in the rule list, click a rule, and then, on the toolbar, click
the Clone symbol.
In the right pane, click the newly created rule, edit it, and then click OK.
Edit an existing rule.
In the right pane, in the list, click a rule that you want to edit, and then, on
the toolbar, click the Edit symbol.
In the Edit Rule dialog box, configure the rule settings according to your
needs, and then click OK.
See About severity states on page 72.
See Adding tokens to a Send Email task on page 73.
Warning: If you edit a rule that is referenced in a policy, the policy is updated
to include the updated rule. If you do not want this behavior to occur, first
clone the rule and then edit the clone.
Metric evaluation is the assessment of metric data. Metric evaluation lets you
compare the metric data to a pre-determined value or range, or the value of another
metric. If the metric data meets the specified conditions of the rule, then the rule is
triggered. Triggered rules can perform actions such as raising an alert in the Event
Console.
See About Monitor Solution tasks and actions on page 67.
There are different rule types. Not all rule types use metric evaluation. If a rule type
supports metric evaluation, the rule can evaluate the metric data that it gathers. If
a rule type does not support metric evaluation, the rule gathers the metric data but
does not evaluate it.
See About metric and rule aggregation on page 62.
Metric evaluation supports the following metric types:
Log Event
Metric
NT Event
You can add multiple sequences of metric evaluations to a rule using the IF, AND,
and OR operators. The operators determine the logic for the evaluations. The
operators let you create more complex rules and allowfor more accurate evaluations.
With only one metric evaluation, your rule may be more generic, but the operators
allow for a more focused rule.
The evaluation methods that you specify are processed linearly, so that the functions
that you specify evaluate one after the other. For example, if you set up a rule that
stated that:
IF metric evaluation x.
AND metric evaluation y.
OR metric evaluation z.
The evaluation first checks to see if both metric evaluation x and metric evaluation
y are true. If those are both true, then the rule is triggered. If not, then the logic
moves on to check if metric evaluation z is true. If metric evaluation z is true then
the rule is triggered. This set of evaluation methods does not check first to see if:
metric evaluation x is true, and then check to see if metric evaluation y is true or
metric evaluation z is true. The "and" applies to the first step in the evaluation
method.
Note: If multiple evaluations are used, the IF operator is only available for the first
evaluation.
A rule condition can evaluate multiple metrics, for multiple instances at the same
time. Every metric condition instance, which meets the specified value can trigger
a client or server action and raise an alert. This may result in a very large amount
of alerts in the event console.
The complex logic of rule evaluation processes metric values in the following order:
1 A rule evaluation starts when a metric receives a new value. A metric value
may contain data for multiple instances.
2 The received metric values are evaluated against metric condition for every
metric value instance. The goal of this operation is to get True or False value
for each metric instance.
3 a. If aggregation is enabled, then the array of True or False values for each
metric instance is aggregated to one True or False metric evaluation result,
depending on the type of enabled aggregation.
b. If aggregation not enabled, then this step is skipped.

4 a. If the rule contains multiple metric conditions, then they are treated in
the same way, as described in the previous steps, and the logical operators
are applied to metric evaluation results. After this operation is completed,

there is only one True or False rule evaluation result.
b. If aggregation was not enabled in the previous steps, then the logical
operators are applied to the array of metric evaluation results of each
instance, leading to one True or False rule evaluation result for each
instance.
5 a. Rule evaluation result already has one True or False value. Applying an
aggregation to this result does not change it in any way.
b. If the aggregation is enabled at this point, then the array of True or False
rule evaluation results for each instance is aggregated to one True or False
rule evaluation result, depending on the aggregation type.
For every True rule evaluation result, an alert is generated in the Event Console
and an action, defined in the rule, is started. If aggregation is not enabled, an alert
is generated in the Event Console for every True rule evaluation result of every
instance.
There are the following aggregation modes available for aggregating instances
results within metrics and rules conditions:
This mode does not aggregate the evaluation results, meaning
that a metric an alert is generated for every instance.
Do not aggregate
In this mode one alert is generated if a rule is evaluated as True
for all the monitored instances.
Aggregate with all
In this mode one alert is generated if a rule is evaluated as True
for at least one of the monitored instances.
Aggregate with any
Data of the rule condition can be filtered to prevent the false positive evaluations
of the condition. Monitor Solution supports the following filters:
This is a filtering function, which produces True output when input
variable is True at least the specified number of times in a row.
Counter
This is a filtering function, which produces True output when input
variable is True at least the specified number of times within the
specified time period. This filter can only be used in addition to
the Counter filter.
Overtime
Trigger is the two state element of the rule that stores the state information. This
prevents from sending consequent alerts for a rule, which is already triggered. The
rule trigger behaves like a regular flip-flop circuit. Trigger starts the action, when
the rule condition is reached. After that, it stays in a signalled state with no activity,
even if the rule condition is reached again.
You can reset the trigger, so that the corresponding actions are taken the next time
a rule is evaluated as True. There are two modes that control how the trigger state
is reset:
This mode will reset trigger automatically when input variable is
False. After that the trigger will be reset and will again be able to
execute the action specified for the rule.
Updated metric value
In this mode the rule will not react on the condition values after
the action was triggered, until reset manually.
Updated manually
See Using aggregation to monitor potential hard drive issue on page 64.
See Aggregation input-output matrix on page 102.
Using aggregation to monitor potential hard drive
issue
In this example, you will learn how set up rule and metrics aggregation to monitor
two metrics simultaneously.
The goal of this sample task is to monitor free space and input-output per second
for two hard drives and send an alert to the Event Console if any of those conditions
exceeds the specified values for any of the drives.
To achieve this goal, the following business rules have to be followed:
Send an alert to the Event Console, if less than 20% of the disk space is free
on any of the hard drives.
Send an alert to the Event Console, if the number of input-output operations per
second (IOPS) exceeds 100 on any of the hard drives.
To make these business rules work, you have to configure the following rules in
Monitor Solution:
Metric 1: Any instance is evaluated as True if free disk space becomes less
than 20% of its capacity. The instances are aggregated using Any option.
Metric 2: Any instance is evaluated as True if the number of IOPS exceeds 100.
The instances are aggregated using Any option.
The logical operator Or is applied to these metrics within this rule.
See Creating a sample rule with aggregation on page 65.
The rule and metrics evaluation works as follows:
When rule is enabled, Monitor Solution measures the actual values of free disk
space and their IOPS. Metric conditions are evaluated for each instance by matching
the actual values fromthe hard drives with the constant values specified in conditions
for these metrics, generating the Boolean value result of this operation: True or
False. In this example, metric conditions are aggregated using Any option, which
means that the metric condition is evaluated as True, if this evaluation result is True
for at least one monitored hard drive.
Since the metric conditions are combined with operator Or, if the metric evaluation
results is True for at least one of the monitored hard drives, the rule is triggered
and one alert is generated in the Event Console.
Note: To receive a separate alert for each drive, disable the metric condition
aggregation.
Creating a sample rule with aggregation
This topic contains information on how to create a rule with aggregation for an
example, described in the following topic:
To create a sample rule with aggregation, complete the following steps:
To create a sample rule with aggregation
and Alerting.
3 In the right pane, under the Agent-based list, on the toolbar, click New >
Metric.
4 In the New Metric Rule dialog box, type the rule name and the description,
and then click Select Category.
5 In the Select Category dialog box, choose the metric category, and then click
OK.
6 In the New Metric Rule dialog box, under Metrics, click the New symbol.
7 In the New Metric Evaluation dialog box, click Select metric.
8 In the Select Metric dialog box, choose LogicalDisk % Free Space for the
first of the hard drives, and then click OK.
9 In the NewMetric Evaluation dialog box, in the Statistics drop-down list, click
Average, and then specify 60 minutes as the values for the Time period
setting.
10 In the Condition drop-down list, click Is less than, and then specify 20 as the
value for the Time period setting.
11 Check the Aggregate with check-box, select the ANY radial button, and then
click OK.
12 In the New Metric Rule dialog box, under Metrics, click the New symbol.
13 In the NewMetric Evaluation dialog box, in the Operator drop-down list, click
Or.
14 Click Select metric.
15 In the Select Metric dialog box, choose Logical Disk IO/Sec for the first of
the hard drives, and then click OK.
16 In the NewMetric Evaluation dialog box, in the Statistics drop-down list, click
Average, and specify 60 minutes as the values for the Time period setting.
17 In the Condition drop-down list, click Is greater than, and then specify 100
as the value for the Time period setting.
18 Check Aggregate with, select the ANY radial button, and then click OK.
19 Specify other required rule settings, and then click OK.
Working with tasks and
actions
About Monitor Solution tasks and actions
About severity states
Adding tokens to a Send Email task
Adding actions to rules
Adding actions to monitor policies
Monitor client and server token types
In addition to the standard Symantec Management Platform tasks, Monitor packs
include predefined Monitor-specific tasks.
The Monitor task types are as follows:
8
Chapter
Table 8-1 Monitor task types
Description Task type
This task logs the specified NT events events to the
application event log. You can then see the events in the
Event Viewer.
This task contains the following text boxes:
Event Source
This message is displayed in the Event Viewer.
Event Source Name
Event Type
This text box displays the severity level of the event, either
informational, error, or warning.
Category ID
In this text box, you can type a category ID of your choice
or leave it blank. The value you specify for category ID is
displayed in the event information and can be sorted or
searched.
Event ID
In this text box, you can type an event ID of your choice
or leave it blank. The value you specify for event ID is
displayed in the event information and can be sorted or
searched on.
Parameter
This box displays the details of an NT event. When you
type the text in this box, it is always displayed with the
events. If you want to display current Monitor data that is
gathered at runtime, you can enter tokens in this field.
NT Event task
68 Working with tasks and actions
Table 8-1 Monitor task types (continued)
This task logs the events to a UNIX system log. You can see
the events in the syslog file.
The task contains the following boxes:
Indentation
This box displays the string that is prepended to every
message, and is typically set to the program name.
Priority
This list box displays the priority level of the event, either
emergency, alert, critical, error, warning, notice, info, or
debug.
Facility
This is an informational list box that is associated with a
syslog message. The syslog protocol defines it. It is meant
to provide an indication from what part of a system a
message has originated from.
Message
This message displays the details of a syslog event. When
you type text in this box it is always displayed with the
events. If you want to display current Monitor data that is
gathered at runtime, you can enter tokens in this field.
SysLog task
This task performs control operations under specified
processes on client computers. It can terminatea process or
set the priority of a process on a client computer.
For example, you might want to stop notepad.exe fromusing
too many system resources. You can specify the process as
notepad.exe and set the priority for this task to Low. The task
would check for running instances of notepad.exe and save
system resources by setting that process to a lower priority.
With notepad.exe at a lower priority, system resources are
used for higher priority tasks.
The task contains the following boxes:
Command
This list box lets you terminate the process. You can click
Set Priority to adjust the priority level of the process.
Process Name
In this box, you can type the name of the process you
want to terminate or adjust the priority of.
Priority
To enable the Priority drop-down list, in the Command
drop-down list, click Set Priority.
Apply command to all children
If you check this box, the command is applied to all
children. For example, if you run several instances of the
Notepad process from the command line, the command
line (cmd.exe) process is treated as a parent process,
and the Notepad processes are treated as the child
processes. If you do not check this check box, only the
command line process is terminated. Otherwise, the
Notepad processes are also terminated.
Apply command to all instances
If you check this box, the command is applied to all
instances of the process. For example, you can terminate
the Internet Explorer process. If the computer has multiple
instances of Internet Explorer running, all of those
instances are terminated. If you do not check this check
box, only the first discovered instance is terminated.
Process Control task
This task resets the Monitor Plug-in state.
Resetting the Monitor Plug-in state affects Monitor behavior
in the following way:
All of the rules that the plug-in knows about are reset to
a normal severity state.
No rules are triggered.
You may want to run this task if the Notification Server
computer and Monitor Plug-in are not synchronized.
Reset Monitored Resource
This task polls a list of metrics for a monitored resource or
resources. When the task runs, the monitored resource or
resources metrics are polled immediately. You can specify
agent-based or agentless metrics for polling.
Poll metric on demand
You can configure Monitor tasks and actions, run them on demand, or specify a
schedule.
You can run the tasks independently, or add them to rules or policies. You can run
tasks froma task server or you can choose fromseveral Monitor-specific task types.
Adding actions to rules makes the actions more specific by targeting an individual
metric. Adding actions to a policy lets you specify the actions so that they are
executed to respond to multiple sources. The disadvantage in this case is that the
actions may be more general.
When you add actions to a policy, they are assigned a severity state. The actions
are executed when a rule with that same severity that is specified for that policy is
triggered. Within a policy, each severity state can have an action or set of actions
specified for it. For example, you can have rules specified for a policy that have a
Critical severity state. When any of the critical rules are triggered, all of the actions
that are specified for the Critical severity state are executed.
When you add actions to a rule, they are executed when that rule is triggered. Rules
are triggered when monitored metric data reaches a determined value or goes
beyond an acceptable value range. A triggered rule sends an alert, and any actions
or tasks that are specified for that rule are executed.
You can add the same task to multiple rules or policies. Modifying a task in a rule
or policy also changes that task in any other rules or policies that use that task.
You can specify either task server actions or Monitor Plug-in actions for your rules
and policies. Task server actions are run from the task server, and Monitor Plug-in
actions are run fromMonitor Plug-in. Agentless policies can only contain task server
actions.
The advantages of using task server tasks are as follows:
More tokens are available for configuring the tasks than there are for Monitor
Plug-in tasks.
You can create jobs from the task server.
You can easily get history information fromtask server tasks by viewing the task
item.
More task types available than there are for Monitor Plug-in tasks.
The features of Monitor Plug-in tasks are as follows:
Tasks can be run even if the Notification Server computer is not reachable,
which may make Monitor Plug-in tasks very useful for critical tasks.
Not as many task types are available as there are for task server tasks.
Not as many tokens are available for configuring the tasks as there are for task
server tasks.
You can only create client tasks.
You cannot create jobs with Monitor Plug-in tasks.
Each rule has a severity state that is associated with it. The severity state of a
resource reflects the severity level of rules that have been triggered on that resource.
The available severity states, from least severe to most severe, are as follows:
Normal
Undetermined
Informational
Warning
Major
Critical
When a rule is triggered, you can see the severity state of that rule in the Event
Console. The state of the resource is set to the most critical severity level of any
triggered rule. For example, two rules can trigger on a resource, one with a severity
level of Warning and one with a severity level of Major. In that case, the overall
state of the resource is Major. Normal is the base severity state for a rule when a
rule is not triggered.
When you specify a severity setting for a rule, you also choose how the severity is
reset for the rule. When a rule is triggered, the severity for that rule changes, and
an alert is sent to the Event Console. When the metric data returns to an acceptable
value range, the rule needs to be reset.
You can choose to reset a severity level in one of the following ways:
The alert needs to be manually resolved in
the Event Console.
Updated manually
If the metric for the rule crosses back to
acceptable levels, the alert is resolved
automatically.
Updated metric value
This option is only available for NT Event
Rule and Log Event Rule. These types of
rules do not have a threshold, so the updated
metrics cannot reset them. You can set up
these rules so that the triggering of another
rule of the same type can reset them. For
example, an NT Event Rule can reset
another NT Event Rule.
Updated rule value
You can also specify an action or group of actions that runs for each severity state.
When actions are associated with a policy, they are assigned a severity state. The
actions are executed when a rule with that same severity that is specified for that
policy triggers. For example, you can have rules specified for a policy that have a
severity state of Critical. When any of the critical rules are triggered, all of the
actions that are specified for the Critical severity state are executed.
You can add Monitor tokens to a Send Email task. By doing this, you ensure that
you have the events that contain the specific information that you need. In the Send
Email task, you can add tokens to the body of the email or the subject field. Tokens
are included every time the task is executed. You can have the same text appear
when a Send Email task is executed. By adding tokens to a Send Email task, you
can gather monitor information at runtime and display it in the event. Monitor Solution
has a list of the available Monitor tokens that you can add to the tasks.
See Monitor client and server token types on page 77.
To add tokens to a Send Email task
and Alerting.
3 In the right pane, double-click a rule that you want to edit.
You can also create a new rule or add an existing one.
4 In the Edit Rule dialog box, under Actions, on the Task server toolbar, click
the New symbol.
5 In the Create New Task dialog box, in the left pane, scroll down, and click
Send Email, in the right pane, configure the email information, and then click
OK.
6 In the Task Configuration dialog box, click Show tokens, from the list of
tokens, copy the tokens that you need, and then click OK.
7 In the Task Configuration dialog box, click Edit task, in the Send E-mail
dialog box, paste the tokens in the body of the email, click Save changes, and
then close the Send E-mail dialog box.
8 In the Task Configuration dialog box, click OK.
9 In the Edit Rule dialog box, click OK.
Rules are triggered when monitored metric data reaches a determined value or
goes beyond an acceptable value range. When a rule is triggered, an alert is raised,
and the severity state of the monitored resource is changed to the severity setting
of the rule that was triggered.
The severity state that you specify for a rule is reflected in the alert that is sent to
the Event Console.
Metric Collect Rule and Metric Rule interact with actions differently. Metric Collect
Rule collects and forwards data. Metric Rule collects data and then evaluates it
against the values you have specified in the rule. If the evaluation result is true, the
rule is triggered and any actions specified for that rule are executed. Actions cannot
be added to the Metric Collect Rule because this rule type does not support actions.
With Metric Collect Rule, there is nothing to evaluate, so a rule would never be
triggered.
To add actions to rules
and Alerting.
2 In the right pane, under Monitoring and Alerting, expand Monitor > Policies,
3 In the left pane, double-click a rule that you want to edit.
You can also create a new rule or add an existing one.
4 In the Edit Rule dialog box, under Actions, do one of the following:
On the Task server toolbar, click the Add symbol.
In the Select Task dialog box, in the left pane, under System Jobs and
Tasks, choose a task, and then click OK.
Task server tasks are run from the Task Server and can be run only if the
Notification Server computer is reachable.
On the Monitor plug-in toolbar, click the Add symbol.
In the Select Task dialog box, in the left pane, under System Jobs and
Tasks, choose a task, and then click OK.
Monitor Plug-in tasks are run from Monitor Plug-in and can be run even if
the Notification Server computer is not reachable. Monitor Plug-in tasks
can only include client tasks.
5 In the Edit Rule dialog box, under Actions, click the newly added task, on the
toolbar, click the Edit symbol, in the Task Configuration dialog box, configure
the task, and then click OK.
The tasks are run in the order that they are displayed in the table. To change
the task sequence, click a task, and then click the up and down arrows on the
toolbar to place the tasks in the order that you require.
6 Click OK.
When monitored metric data reaches a determined value or goes beyond an
acceptable value range, rules are triggered. A triggered rule sends an alert and
changes the severity state. A task that is assigned a certain severity state is executed
when a rule in the policy with a corresponding severity state is triggered.
To add actions to monitor policies
1 Create or edit a monitor policy.
See Configuring monitor policies on page 47.
2 On the policy page, on the Actions tab, on the toolbar, click a severity state
option.
For each severity type, you can add an associated task or tasks that are
executed when a resource changes to each severity type. For example, if a
rule with a critical severity level is triggered, then all the tasks you specify for
the critical severity level are executed.
3 Choose a task from one or both of the following:
On the Task Server toolbar, click the Add symbol.
Choose a task, and then click OK.
In the Task Configuration dialog box, click OK.
Task server tasks are run from the Task Server, and
can only be run if the Notification Server computer is
reachable.
Task server
On the Monitor plug-in toolbar, click the Add
symbol. Choose a task, and then click OK.
In the Task Configuration dialog box, click OK.
Monitor Plug-in tasks are run from the Monitor Plug-in
and can be run even if the Notification Server computer
is not reachable. Monitor Plug-in tasks can only include
client tasks.
This section is not available for agentless monitor
policies.
Monitor plug-in
Tasks can be run either from the Task Server or locally, if Monitor Plug-in is
installed on the monitored computer. Agentless monitor policies can only run
Task Server tasks.
Repeat this step to add all of the tasks that you require in the policy.
4 On the policy page, on the Actions tab, click the action, on the toolbar, click
Edit, configure the task, and then click OK.
The tasks are run in the order in which they appear in the table. To change the
task sequence, click a task, and then click the up and down arrows to place
the tasks in the required order.
Tokens let you add additional Monitor information to actions. Specifying tokens for
actions allows the notifications that are sent to the Event Console to include
Monitor-specific information in the event. The tokens are replaced with readable
values after the task is executed.
Monitor Plug-in actions can use the following client tokens:
Table 8-2 Monitor Plug-in client tokens
Description Client tokens
The name of the computer with Monitor
Plug-in installed.
MONITOR_AGENT_NAME
The triggered alert on the plug-in that has the
highest severity. The rule state and agent
state are Monitor-specific and may not reflect
the state of the server in the Event Console.
MONITOR_AGENT_STATE
The rule GUID or ID > Source > Category for
Template rules.
MONITOR_ALERT_ID
The category of the triggered rule. MONITOR_CATEGORY_NAME
The time the rule is triggered. MONITOR_EVENT_TIME
This token reflects whether the plug-in is in a
maintenance window. The value is true if the
plug-in is in a maintenance window, false
otherwise.
MONITOR_IN_MAINTENANCE_WINDOW
The installation directory of Monitor Plug-in. MONITOR_INSTALL_DIR
Table 8-2 Monitor Plug-in client tokens (continued)
Description Client tokens
An XML fragment that describes the values
that triggered the rule.
MONITOR_METRIC_INFO
The name of the policy of the triggered rule. MONITOR_POLICY_NAME
The overtime setting for a rule. MONITOR_OVERTIME_VALUE
The GUID of the triggered rule's policy. MONITOR_POLICY_GUID
The previous rule state. The rule state and
plug-in state are Monitor-specific and may
not reflect the state of the server in the Event
Console.
MONITOR_PREV_RULE_STATE
The resource that triggered the rule. MONITOR_RESOURCE_GUID
The GUID of the rule that is triggered. MONITOR_RULE_GUID
The name of the rule that is triggered. MONITOR_RULE_NAME
The severity state of the rule. It is displayed
as Normal if the rule is acknowledged. This
rule state and Plug-in and state is
Monitor-specific and does not reflect the state
of the server in the Event Console.
MONITOR_RULE_STATE
Task server tasks can use all of the client tokens that are listed in the previous
table. They also use the following server tokens:
Table 8-3 Monitor Solution server tokens
Description Server tokens
Displays the XML metric information as HTML
for email tasks.
MONITOR_METRIC_INFO_HTML
The resource GUID of the source computer. MONITOR_SOURCE_GUID
The resource GUID of the target computer. MONITOR_TARGET_GUID
The name of the source computer. MONITOR_SOURCE_NAME
The name of the target computer. MONITOR_TARGET_NAME
The domain name of the source computer. MONITOR_SOURCE_DOMAIN
The domain name of the target computer. MONITOR_TARGET_DOMAIN
Table 8-3 Monitor Solution server tokens (continued)
Description Server tokens
The IP address of the source computer. MONITOR_SOURCE_IP_ADDRESS
The IP address of the target computer. MONITOR_TARGET_IP_ADDRESS
Viewing Monitored Data
About viewing the monitor data
Viewing historical performance data
Viewing real-time performance data
About viewing the monitor data
Monitor Solution lets you view data about your monitored computers in different
reports to ensure that all monitored computers and applications function properly.
You can view the data on the Monitoring and Alerting page or on the Reports
page.
To view monitor data on the Monitoring and Alerting page, in the Symantec
Management Console, on the Home menu, click Monitoring and Alerting.
The Monitoring and Alerting page includes the following Web parts:
Table 9-1 Monitoring and Alerting page Web parts
Description Web part
You use this Web part to enter the name of a computer and run
the performance viewer.
Launch Performance
Viewer
9
Chapter
Table 9-1 Monitoring and Alerting page Web parts (continued)
Description Web part
This Web part shows the monitored resources. The resources are
organized according to severity status. The state of a computer
is the most severe state of any triggered rule on the computer.
For example, if one rule state is warning and another is critical,
the overall state of the computer is critical. If all rule states are
normal, and then one rule state changes to warning, the computer
state is set to warning.
This Web part also shows computers with Monitor Plug-in installed.
You can click a computer, and then, on the toolbar, launch the
Performance Viewer, the Resource Manager, or the Event console.
Monitored Resources
by Status
This Web part shows a list of Monitor Site Servers and their status. Monitor Site Servers
Status
This Web part shows the aggregate health of the devices and
computers in your organizational groups.
Group View -
Aggregate health by
resource
This Web part shows a consolidated view of all alerts that are
raised.
Event Console
To view the data on the Monitoring and Alerting page
and Alerting.
2 In the left pane, under Monitoring and Alerting, expand Monitor > Reports,
and then navigate to the report that you want to view.
To view monitor data on the Reports page
1 In the Symantec Management Console, on the Reports menu, click All
Reports.
2 In the left pane, under Reports, click Monitoring and Alerting, and then
navigate to the report that you want to view.
The historical performance viewer is a component of Monitor Solution that lets you
view historical performance data. Historical data is available from both Monitor
Plug-in and Remote Monitor Server.
81 Viewing Monitored Data
To view historical performance data
> Historical.
2 On the Historical Performance Viewer page, on the toolbar, in the Device
box, type the name of the device, or click the Select resource with historical
data symbol, and then choose a device from the resource list.
3 Specify the time period for which you want to view the data.
The time period that you specified in Fromand To boxes, may contain no data
in the beginning or at the end of the period. In this case, Summarized View
shows only the actual time when the data is available. The empty timeline with
no data in the beginning or at the end of the chart is not displayed.
4 On the toolbar, click Metrics.
5 In the Available Metrics dialog box, specify the metric data that you want to
view, and then click OK.
6 In the Summarized Viewdiagram, drag the mouse across the graph to specify
the range that you want to view.
7 In the Detailed View box, choose a point on the graph.
If available, the data that was last gathered for the selected point is displayed
in Processes, Events, Ports, and Text Data Web parts.
The Metrics Web part displays the average, minimum, and maximum values
for the whole range of data that is displayed in the Detailed View. However,
the Last Value and Last Time columns in the Metrics Web part display the
value for the selected point. If the selected point has no value, these columns
display the value that precedes this point. If no value is available for the metric
in the Detailed View, the Last Value and Last Time columns are left blank in
the Metrics Web part.
The Performance Viewer is a component of Monitor Solution that lets you view
real-time performance data. Performance data is available fromboth Monitor Plug-in
and Remote Monitor Server.
To view real-time performance data
> Real-time.
2 On the Real-time Performance Viewer page, on the toolbar, in the Device
box, type the name of the device, or click the Select resource with historical
data symbol, and then choose a device from the resource list.
3 In the Registered Metrics dialog box, check the metric data that you want to
monitor, and then click OK.
The performance viewer begins monitoring the computer and displays the
following information:
This section displays graphical performance data. The data
is scaled to fit within the limits of the graph. If you place the
mouse pointer over a point on a graph line, the monitored
metric data is displayed next to the mouse pointer. If you
monitor multiple instance metrics, each instance has a
separate graph line. You can use the Select Metrics option
to monitor different metrics.
Graph
This section displays all numeric metric data that is monitored. Metrics
This section displays the processes that are currently running
on a monitored computer.
Processes
This section displays all Windows NT event data. Events
This section displays the status of the monitored ports on the
computer.
Ports
This section displays the retrieved text data for command,
custom DLL, custom COM object, WS-MAN, SNMP, SQL,
and string-type Windows Management Instrumentation (WMI)
metrics. The predefined WMI metrics are the only metrics
that collect this type of data. If you create or use a custom
DLL, COM object, SNMP, or command metric that retrieves
this data, it is also displayed in this section.
Text Data
See Viewing historical performance data on page 81.
Using alert management
About alerts
About alert management
About Event Console alert filters
Configuring alert filter settings
Adding new alert filters
Hiding resolved alerts
Configuring alert rule settings
Creating an alert matching rule
Adding or editing rules to discard alerts
Forwarding alerts to another management system
Running a task in response to an alert
About Event Console tokens
Configuring workflow rules
Configuring alert purging settings
Viewing alerts by network location
Viewing the health of an organizational group
Creating and editing Event Console tasks
10
Chapter
About alerts
Alerts are the status messages that contain information about device or network
health. Status messages are generated using standard monitoring protocols, such
as SNMP.
Each status message that is received is converted into a common format that is
called an alert. During conversion, alerts are associated with the affected resource
in the CMDB and are assigned a severity and a status. Severity ranges fromnormal
to critical, and alert status can be new, acknowledged, or resolved.
Alerts from multiple protocols are displayed using common severity and status. All
received alerts are displayed in the Event Console.
See About Event Console alert filters on page 86.
About alert management
Alert management shows a consolidated viewof device health across your network.
You can viewhealth by network layout, organizational group, or by directly monitoring
the list of received alerts in the Event Console.
The Event Console reduces the need to maintain separate tools to monitor different
devices. The Event Console collects SNMP traps and other status messages and
displays them in a single location. All status messages are converted to a common
format that links each received message to the affected resource in the Configuration
Management Database (CMDB). These formatted messages are called alerts.
See About alerts on page 85.
Advanced search features let you quickly find specific alerts or groups of alerts.
The Event Console also provides a rule-based triggering systemthat lets you create
alert matching rules to process alerts in the following ways:
Discard specific alerts from the database.
See Adding or editing rules to discard alerts on page 91.
Forward alerts to another management system.
See Forwarding alerts to another management system on page 91.
Execute task server tasks in response to specific alerts.
See Running a task in response to an alert on page 92.
Initiate a workflow in response to specific alerts.
See Creating an alert matching rule on page 90.
85 Using alert management
About alerts
Note: If the Notification Server computers and the SQL Server computers are not
set to the same time and the same time zone, then any alerts that have occurred
in the past few hours are not displayed in the Event Console.See Adding new alert
filters on page 88.
The Event Console in Symantec Management Platform displays alerts in a grid
layout. Alert filters let you sort the alerts so that you can analyze and manage them.
To view the alerts, in the Symantec Management Console, on the Manage menu,
click Events and Alerts.
The Event Console contains several rule types that represent automated,
event-based actions. The rule types include discarding, forwarding, task, and
workflowrules. Discarding rules filter and discard matching alerts. Forwarding rules
forward a Simple Network Management Protocol (SNMP) trap to a downstream
listener. Task rules initiate Symantec Management Platform task server tasks. An
event can automatically start a workflow process. This workflow process can pass
along valuable event data.
The advanced filter function lets you use advanced filters to manage alerts.
To filter the alerts, on the Event Console page, in the Select a filter drop-down
list, click an alert type.
The color-coded status bar lets you see the number of alerts by severity level, as
follows:
Undetermined Violet
Informational Blue
Warning Yellow
Major Orange
Critical Red
Normal Green
To view the information about a specific alert type, on the Event Console page,
click the colour section of the status bar, and the grid view below changes. It shows
only those alerts that match the severity level of the color that you clicked. For
example, if you click yellowon the status bar, then the grid shows alerts with severity
Warning. After you filter by severity level, in the Select a filter drop-down list, you
can you can clear the selection to see the complete list of alerts again.
The toolbar on the Event Console page displays the following symbols:
Opens the Alert Details dialog box for the
chosen alert.
Details
Lets you acknowledge a chosen alert. In the
State column, a blue flag indicates an
acknowledged alert.
Acknowledge
Flags the chosen alert with a check mark in
the State column.
When you right-click a resolved alert, you can
view alert details. You can also view the
available rules for discarding the alert or open
the Resource Manager in a new window.
If you click Discarding Rules with a resolved
alert selected, you can create a global discard
filter rule or create a resource discard filter
rule.
Resolve
When you click an alert, and then on the
toolbar, click the Actions symbol, you see
the options that you see when you right-click
a resolved alert.
Actions
When you click an alert, you can manage it by changing its severity to any of the
following:
Undetermined
Informational
Warning
Major
Critical
Normal
On the Alert Filter Settings page, you can create and configure filters. To access
this page, on the toolbar, click the symbol.
See Configuring alert filter settings on page 88.
See Adding new alert filters on page 88.
You can type the custom search criteria in the Search box, on the toolbar.
When you click a different filter in the drop-down list, the grid view displays the
alerts that pertain to the selected filter. You can click any other control on the page,
except Refresh, and the filter that you chose remains active.
You can add new filters with specific alert filter conditions, edit existing filters, or
delete filters.
To configure alert filter settings, do the following:
To configure alert filter settings
Settings.
2 In the left pane, under Settings, expand Monitoring and Alerting, and then
click Alert Filter Settings.
When you add, edit, and delete alert filters, you may also need to work with alert
rules.
See Configuring alert rule settings on page 89.
Adding new alert filters
You can add new alert filters to the list in the Event Console.
To add new alert filters
1 In the Symantec Management Console, on the Manage menu, click Events
and Alerts.
2 On the Event Console page, on the toolbar, click the Go to Alert Filter
Settings page to manage filters symbol.
3 In the Alert Filter Settings dialog box, on the toolbar, click Add.
4 In the right pane, click the default filter name, and then type a unique descriptive
name.
5 In the right pane, under the filter name, click New filter description, and then
type the description of the filter.
6 In the right pane, under Filter Condition, on the toolbar, click Add to add
multiple conditions for a single filter to evaluate.
7 Enable the alert.
In the upper right corner, click the colored circle, and then click On.
8 Click Save.
Hidden resolved alerts are not displayed on the Event Console alert grid. They
remain in the alert database until they are purged.
To hide resolved alerts
Settings.
click Event Console Settings.
3 On the Event Console Settings page, specify the time for resolved alerts to
remain visible in Event Console. After this interval, the resolved alerts are
hidden automatically.
Configuring alert rule settings
You can create rules that discard or forward alerts. You can also create some task
rules and rules for initiating workflow tasks.
To configure alert filter settings
To configure alert rule settings
Settings.
click Alert Rule Settings.
The available tabs on this page are as follows:
Discarding Rules
Forwarding Rules
Task Rules
Workflow Rules
Alert matching rules contain conditions, such as alert type or date received, to
identify specific alerts as the Event Console receives them. These rules are used
when you discard or forward alerts, execute tasks, or initiate a workflow.
See Forwarding alerts to another management system on page 91.
You can match alerts by type, severity, affected resource, and many other criteria.
To create an alert matching rule
1 In Symantec Management Console, on the Settings menu, click All Settings.
3 On the Alert Rule Settings page, click the tab that corresponds to the type of
rule you want to create.
4 On the toolbar, click Add.
5 In the right pane, click the default rule name, and then type a unique name for
the rule.
6 Under the rule name, click the rule description, and then type the description
for the new rule.
7 On the Alert Rule Settings page, in the right pane, under Rule, on the toolbar,
click Add, and then click the criteria for the conditions.
You can re-order conditions and move them up and down or left and right to
create nested evaluations. During evaluation, nested evaluations are performed
first.
8 (Optional) If you create a new workflow rule, define the workflow to run when
a matching alert is received.
9 Enable the rule.
10 Cick Save.
You may need to delete incoming or duplicate alerts. You can create an alert
matching rule to discard the alerts that meet your criteria. These alerts are removed
as soon as they are received and are not imported into the Configuration
Management Database.
To optimize performance of the platform and Notification Server, you should create
discard rules to remove redundant alerts. You can configure multiple conditions for
the incoming alerts that the system should discard.
Filtered alerts are not stored in the alert database, and are unavailable when reports
are generated. If you want to store alerts but do not want to display them in the
Event Console, hide them instead.
See Hiding resolved alerts on page 89.
To add or edit a rule to discard an alert
Settings.
3 On the Alert Rule Settings page, on the Discarding Rules tab, on the toolbar,
click Add.
4 In the right pane, under Rule, define the matching conditions and the workflow
to run when a matching alert is received.
5 Enable the rule.
6 Click Save.
Forwarding alerts to another management system
Alerts can be forwarded as SNMP traps to other management systems.
To forward alerts to another management system
Settings.
3 On the Alert Rule Settings page, click the Forwarding Rules tab, and then,
on the toolbar, click Add.
4 In the right pane, define the matching conditions, and add the IP address or
host name of the management system where the alerts that match the rule
should be forwarded.
5 Enable the rule.
6 Click Save.
Event console can perform a task server task in response to a received alert.
A single alert can trigger multiple, independent tasks. If you need to performmultiple
tasks in order, you can combine these tasks into a job.
Settings.
3 On the Alert Rule Settings page, click the Task Rules tab, and then, on the
toolbar, click Add.
4 On the Alert Rule Settings page, in the right pane, configure the newly created
rule.
You can create a new task, or use an existing one.
5 Enable the rule.
6 Click Save.
Event Console tokens provide information when a task is executed in response to
a received alert. When a task is executed, the Event Console tokens are replaced
with readable values.
Note: Every solution has specific tokens that you can use to create a task for that
solution. However, Event Console only resolves tokens to readable values in
response to alerts from the tasks that were created using Event Console tokens.
For example, if you have a Monitor task that was created using Monitor tokens, you
can assign it to Event Console. However, when Event Console receives an alert
from that task, it cannot translate the tokens or generate readable values. Instead,
the Monitor token returns its literal value rather than a readable value.
Table 10-1 Readable values that are associated with the Event Console tokens
Description Event Console tokens
The GUID of the alert category. %!ALERTCATEGORYGUID!%
The GUID of the alert definition. %!ALERTDEFINITIONGUID!%
The GUID of the alert. %!ALERTGUID!%
The host name or IP address of the resource
that raised the alert.
%!ALERTHOSTNAME!%
The message text of the alert. %!ALERTMESSAGE!%
The GUID of the product (in the case of a
solution) that raised the alert.
%!ALERTPRODUCTGUID!%
The GUID of the protocol that raised the alert. %!ALERTPROTOCOLGUID!%
The GUID of the NS resource that raised the
alert.
%!ALERTRESOURCEGUID!%
Table 10-1 Readable values that are associated with the Event Console tokens
(continued)
Description Event Console tokens
The enumeration value which represents the
severity of the alert.
Critical = 50
Major = 40
Warning = 30
Informational = 20
Undetermined = 10
Normal = 0
%!ALERTSEVERITYLEVEL!%
The date and time the alert was raised. %!ALERTTIMESTAMP!%
The variable name. Each variable fromthe alert
is passed where "variable_name" is the name
of the variable and the value is the variable
value string.
%!ALERTVARIABLE!%
Event Console provides a complete list of available, deployed workflows, and
specifies which workflow entry points are designed to be launched by process.
Workflow rules let you forward received alerts into a deployed workflow. All
information about alerts and their variables is passed into the workflow.
You can enable and disable, edit or delete existing workflow rules, or create new
ones.
The Event Console Workflow Rules tab offers the following rule conditions:
Table 10-2 Workflow rule conditions
Description Condition
The event category.
This field lets Event Console determine if a workflow rule calls the
entry point, by design. Once complete, only the rules that are in
the Process Start category appear in the workflow selection
drop-down list.
Category
Table 10-2 Workflow rule conditions (continued)
Description Condition
The number of deduplicated alerts received (within a period of
time).
Count
The date on which the event occurred. Date
The day of the week on which the event occurred. Day of week
The specific event type name. Definition
The name or IP address of the resource. Host name
The event description text. Message
The event-reporting product source. Product
The protocol that is used to report the event. Protocol
The managed or unmanaged resource. Resource
The resource belonging to a specified group. Resource target
The severity level of the event. Severity
The time of day at which the event occurred. Time of day
All name data pairs or value data pairs that are provided in the
event details.
Alert variable
To configure workflow rules
Settings.
See Configuring alert rule settings on page 89.
3 On the Alert Rule Settings page, click the Workflow Rules tab, and then, on
the toolbar, click Add to create a new alert matching rule.
4 In the right pane, under Rule, on the toolbar, click Add to create a new rule,
or click a rule that you want to edit.
5 In the right pane, under Rule, define the matching conditions for a new rule,
or edit the conditions for an existing rule.
Define the workflow to run when a matching alert is received.
6 Enable the rule.
7 Click Save.
Alert purging is a feature of Event Console that removes alerts from the database.
Age-based purging removes all alerts that are older than the specified number of
days, which is calculated in 24-hour periods from the current time. Age-based
purging removes old alerts regardless of their status or severity.
Alert purging also lets you remove a selected number of stored alerts and offers
the enhanced function of purging unresolved alerts.
Target-number purging decreases the number of stored alerts by prioritizing the
alerts that are based on age, status, and severity. When a target-number purge
occurs, all resolved alerts that are older than the purge age are deleted first, from
the least to the most severe. As soon as the number of stored alerts is less than
the threshold, purging stops.
The unresolved alerts are not purged by default. If the threshold has not been
reached when the purging is complete and you have unchecked Do not purge
unresolved alerts, unresolved alerts begin auto-resolving. Auto-resolved alerts
are purged. If you checko Do not purge unresolved alerts, then the purging is
completed even if the threshold has not been met.
This purging process continues on the alerts that are newer than the specified purge
age. Purging continues as long as needed to bring the number of alerts to less than
the threshold. The system purges alerts by severity. Purging occurs in groups, not
individually.
To remove all the alerts from your database, you first uncheck Do not purge
unresolved alerts. Then, you either set the target number of alerts to purge to zero
(0) or set the age to zero days old for purging.
You should purge alerts periodically to maintain database performance.
To configure alert purging settings
Settings.
click Event Console Purging Maintenance.
3 On the Event Console Purging Maintenance page, check and configure the
purge method that you want to use.
The topology viewer in Symantec Management Console provides a visual
representation of your network layout. Each resource in the topology viewer displays
an aggregate health status that is based on the highest severity alert. This health
status lets you viewdifferent segments of your network and track the health of each
device on that segment.
The topology viewer is installed as part of Server Management Suite.
To view alerts by network location
1 In Symantec Management Console, on the Home menu, click Server
Management Suite Portal.
2 On the Server Management Portal page, navigate to the Topology View -
Layer 2 network topology data Web part.
3 On the toolbar, click Select device, and then choose the device to view the
network topology for.
Viewing the health of an organizational group
The group view in Symantec Management Console shows the aggregate health of
the devices and computers in your organizational groups. If a device is not managed,
alerts are not included when group health is displayed.
The group view is installed as part of Server Management Suite.
To view the health of an organizational group
1 In Symantec Management Console, on the Home menu, click Server
Management Suite Portal.
2 On the Server Management Portal page, navigate to the Group View -
Aggregate health by resource Web part.
3 On the toolbar, in the Select Group drop-down list, choose a group of
resources.
You can create, modify, and delete Event Console tasks from a single location.
To create and edit Event Console tasks
1 In Symantec Management Console, on the Manage menu, click Jobs and
Tasks.
2 In the left pane, under Jobs and Tasks, expand System Jobs and Tasks >
Monitoring and Alerting, right-click Event Console Tasks, and then click
New > Task.
3 In the Create New Task dialog box, in the left pane, under Monitoring and
Alerting, expand Event Console.
Here, you can create the following tasks:
Change Alert Status Task.
Create Resource Task.
Event Console Purge Policy Task.
Raise Message Task.
Reprioritize Alert Task.
A
agent-based monitor policies
editing 47
agent-based monitoring
preparing computers 28
agentless monitoring 11
about 35
agentless-based monitoring
network discovery 36
Alert Filter Settings page 88
alert filters
creating 88
saving 88
alert management
about 85
alert matching rule
creating 90
Alert Rule Settings page 89
alerts
about 85
forwarding 91
forwarding to another management system 91
running a task 92
viewing 97
application detection
about 48
application detection types 50
C
client tokens
types 77
context-sensitive help 16
D
database maintenance
about 21
documentation 16
E
Event Console
token types 93
Event Console alert filters
about 86
Event Console tasks
working 98
Event Console tokens
about 93
types 93
H
heartbeat
about 23
heartbeat settings
setting up 24
help
context-sensitive 16
historical performance data
viewing 81
historical performance viewer 11
I
import policy
creating 20
M
metric evaluation
about 61
metrics
about 53
creating 55
editing 55
monitor actions
about 67
Monitor Pack for Servers
about 14
monitor packs 14
monitor policies 14
Index
monitor packs 11, 14
importing 20
Monitor Plug-in 11
about 26
configuration policies 33
configuring settings 33
creating settings 32
installing 29
policies 26
profiling 27
uninstalling 31
upgrading 30
Monitor Plug-in settings
configuring 33
creating 32
monitor policies 11
about 27
adding actions 75
adding application detection 48
adding computers 51
adding rules 47
creating 46
creating with the wizard 44
monitor server
configuring 19
preparing 19
monitor server's heartbeat settings
setting up 24
monitor service
about 36
adding to a site server 41
removing from a site server 40
monitor site server
configuring settings 42
reports 43
Monitor Solution
about 10
components 11
monitor tasks
about 67
Monitoring and Alerting
home page 80
Monitoring and Alerting home page
about 80
multiple instance metrics
about 57
O
organizational group
viewing health 97
P
performance data
maintaining 22
Pluggable Protocols Architecture
installing 39
PPA. See Pluggable Protocols Architecture
purging alerts
about 96
R
real-time performance data
viewing 82
real-time performance viewer 11
Release Notes 16
Remote Monitoring Server
configuring 42
remote monitoring site server
setting up 37
resolved alerts
hiding 89
rules
about 58
adding actions 74
adding metric 56
creating 60
editing 60
rules to discard alerts
adding 91
editing 91
S
Send Email task
adding tokens 73
server tokens
types 77
severity states
about 72
W
workflow rule configuration
about 94
workflow rules
adding 94
100 Index
workflow rules (continued)
configuration 94
editing 94
101 Index
Aggregation input-output
matrix
This appendix includes the following topics:
Aggregation input-output matrix
A rule condition can evaluate multiple metrics, for multiple instances at the same
time. Every metric condition instance, which meets the specified value can trigger
a client or server action and raise an alert.
The tables below lists the outcomes for all the possible input aggregation settings.
The combinations of input aggregation settings are as follows:
Rule aggregation using Or operator with disabled metric aggregation.
See Table A-1 on page 103.
Rule aggregation using And operator with disabled metric aggregation.
Rule aggregation using And operator with enabled metric aggregation.
Rule aggregation using Or operator with enabled metric aggregation.
A
Appendix
Table A-1 Rule aggregationusing Or operator withdisabledmetric aggregation
Evaluation result
Rule
Metric
2
Metric
1
Metric 2 Metric 1
Instance 2 Instance
1
Instance 2 Instance 1 Instance 2 Instance
1
False False Or No No 0 0 0 0
True False Or No No 1 0 0 0
False True Or No No 0 1 0 0
True True Or No No 1 1 0 0
Table A-2 Rule aggregation using And operator with disabled metric
aggregation
Evaluation result Rule Metric
2
Metric
1
Metric 2 Metric 1
Instance 2 Instance
1
1
False False And No No 0 0 0 0
103 Aggregation input-output matrix
Table A-2 Rule aggregation using And operator with disabled metric
aggregation (continued)
Evaluation result Rule Metric
2
Metric
1
Metric 2 Metric 1
Instance 2 Instance
1
1
True False And No No 1 0 1 0
False True And No No 0 1 0 1
True True And No No 1 1 1 1
Table A-3 Rule aggregation using And operator with enabled metric
aggregation
Evaluation
result
Rule Metric 2 Metric 1 Metric 2 Metric 1
1
False And All Any 0 0 0 0
Table A-3 Rule aggregation using And operator with enabled metric
aggregation (continued)
Evaluation
result
1
True And All Any 1 1 1 0
Table A-4 Rule aggregation using Or operator with enabled metric aggregation
Evaluation
result
1
False Or Any All 0 0 0 0
True Or Any All 1 0 0 0
Table A-4 Rule aggregation using Or operator with enabled metric aggregation
(continued)
Evaluation
result
1
AltirisMonitor Solutionfor
Servers 7.5 Symantec
Third-Party Legal Notices
This appendix includes the following topics:
Third-Party Legal Attributions
Expat XML Parser v2.0.1
Net-SNMP v 5.4.1
RegExp
Third-Party Legal Attributions
This Symantec product may contain third party software for which Symantec is
required to provide attribution (Third Party Programs). Some of the Third Party
Programs are available under open source or free software licenses. The License
Agreement accompanying the Software does not alter any rights or obligations you
may have under those open source or free software licenses. This appendix contains
proprietary notices for the Third Party Programs and the licenses for the Third Party
Programs, where applicable.
Expat XML Parser v2.0.1
Copyright (c) Fabasoft R&DSoftware GmbH& Co KG, 2003 Copyright 1989, 1991,
1992 by Carnegie Mellon University Derivative Work - 1996, 1998-2000 Copyright
1996, 1998-2000 The Regents of the University of California. All Rights Reserved
Copyright (c) 2001-2003, Networks Associates Technology, Inc. All rights reserved.
B
Appendix
MIT License
This code is licensed under the license terms below, granted by the copyright holder
listed above. The term copyright holder in the license below means the copyright
holder listed above.
Copyright (c) <year> <copyright holders>
Permission is hereby granted, free of charge, to any person obtaining a copy of this
software and associated documentation files (the "Software"), to deal in the Software
without restriction, including without limitation the rights to use, copy, modify, merge,
publish, distribute, sublicense, and/or sell copies of the Software, and to permit
persons to whom the Software is furnished to do so, subject to the following
conditions:
The above copyright notice and this permission notice shall be included in all copies
or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
EXPRESS OR IMPLIED, INCLUDINGBUT NOT LIMITEDTOTHE WARRANTIES
OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT
HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY,
WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR
OTHER DEALINGS IN THE SOFTWARE.
Net-SNMP v 5.4.1
Copyright 1989, 1991, 1992 by Carnegie Mellon University
Derivative Work - 1996, 1998-2000
Copyright 1996, 1998-2000 The Regents of the University of California
All Rights Reserved
Copyright (c) 2001-2003, Networks Associates Technology, Inc
All rights reserved.
Portions of this code are copyright (c) 2001-2003, Cambridge Broadband Ltd.
Copyright 2003 Sun Microsystems, Inc., 4150 Network Circle, Santa Clara,
California 95054, U.S.A. All rights reserved.
Copyright (c) 2003-2008, Sparta, Inc
108 Altiris Monitor Solution for Servers 7.5 Symantec Third-Party Legal Notices
Net-SNMP v 5.4.1
Copyright (c) 2004, Cisco, Inc and Information Network Center of Beijing University
of Posts and Telecommunications.
Copyright (c) Fabasoft R&D Software GmbH & Co KG, 2003
[email protected]
Author: Bernhard Penz [[email protected]]
Various copyrights apply to this package, listed in various separate parts below.
Please make sure that you read all the parts.
---- Part 1: CMU/UCD copyright notice: (BSD like) -----
Copyright 1989, 1991, 1992 by Carnegie Mellon University
Derivative Work - 1996, 1998-2000
Copyright 1996, 1998-2000 The Regents of the University of California
All Rights Reserved
Permission to use, copy, modify and distribute this software and its documentation
for any purpose and without fee is hereby granted, provided that the above copyright
notice appears in all copies and that both that copyright notice and this permission
notice appear in supporting documentation, and that the name of CMU and The
Regents of the University of California not be used in advertising or publicity
pertaining to distribution of the software without specific written permission.
CMU AND THE REGENTS OF THE UNIVERSITY OF CALIFORNIA DISCLAIM
ALL WARRANTIES WITH REGARD TO THIS SOFTWARE, INCLUDING ALL
IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT
SHALL CMU OR THE REGENTS OF THE UNIVERSITY OF CALIFORNIA BE
LIABLE FOR ANY SPECIAL, INDIRECT OR CONSEQUENTIAL DAMAGES OR
ANY DAMAGES WHATSOEVER RESULTING FROM THE LOSS OF USE, DATA
OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR
OTHERTORTIOUSACTION, ARISINGOUT OF ORINCONNECTIONWITHTHE
USE OR PERFORMANCE OF THIS SOFTWARE.
---- Part 2: Networks Associates Technology, Inc copyright notice (BSD) -----
Copyright (c) 2001-2003, Networks Associates Technology, Inc
Redistribution and use in source and binary forms, with or without modification, are
permitted provided that the following conditions are met:
Redistributions of source code must retain the above copyright notice, this list
of conditions and the following disclaimer.
Net-SNMP v 5.4.1
Redistributions in binary form must reproduce the above copyright notice, this
list of conditions and the following disclaimer in the documentation and/or other
materials provided with the distribution.
Neither the name of the Networks Associates Technology, Inc nor the names
of its contributors may be used to endorse or promote products derived from
this software without specific prior written permission.
THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND
CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES,
INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDERS OR
CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
LOSSOFUSE, DATA, ORPROFITS; ORBUSINESSINTERRUPTION) HOWEVER
CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
---- Part 3: Cambridge Broadband Ltd. copyright notice (BSD) -----
Portions of this code are copyright (c) 2001-2003, Cambridge Broadband Ltd.
The name of Cambridge Broadband Ltd. may not be used to endorse or promote
products derived from this software without specific prior written permission.
THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDER "AS IS" AND
ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
COPYRIGHT HOLDER BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
Net-SNMP v 5.4.1
---- Part 4: Sun Microsystems, Inc. copyright notice (BSD) -----
Copyright 2003 Sun Microsystems, Inc., 4150 Network Circle, Santa Clara,
California 95054, U.S.A. All rights reserved.
Use is subject to license terms below.
This distribution may include materials developed by third parties.
Sun, Sun Microsystems, the Sun logo and Solaris are trademarks or registered
trademarks of Sun Microsystems, Inc. in the U.S. and other countries.
Neither the name of the Sun Microsystems, Inc. nor the names of its contributors
may be used to endorse or promote products derived from this software without
specific prior written permission.
---- Part 5: Sparta, Inc copyright notice (BSD) -----
Copyright (c) 2003-2008, Sparta, Inc
Net-SNMP v 5.4.1
Neither the name of Sparta, Inc nor the names of its contributors may be used
to endorse or promote products derived from this software without specific prior
written permission.
---- Part 6: Cisco/BUPTNIC copyright notice (BSD) -----
Copyright (c) 2004, Cisco, Inc and Information Network Center of Beijing University
of Posts and Telecommunications.
Neither the name of Cisco, Inc, Beijing University of Posts and
Telecommunications, nor the names of their contributors may be used to endorse
or promote products derived from this software without specific prior written
permission.
Net-SNMP v 5.4.1
---- Part 7: Fabasoft R&D Software GmbH & Co KG copyright notice (BSD) -----
Copyright (c) Fabasoft R&D Software GmbH & Co KG, 2003
[email protected]
Author: Bernhard Penz [email protected]
The name of Fabasoft R&D Software GmbH & Co KG or any of its subsidiaries,
brand or product names may not be used to endorse or promote products derived
from this software without specific prior written permission.
THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDER "AS IS" AND
ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
COPYRIGHT HOLDER BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
Net-SNMP v 5.4.1
RegExp
Copyright (c) 1986 by University of Toronto. Written by Henry Spencer. Not derived
from licensed software.
RegExp License
// In case this isn't obvious from the later comments this is an ALTERED
// version of the software. If you like my changes then cool, but nearly
// all of the functionality here is derived from Henry Spencer's original
// work.
//
// This code should work correctly under both _SBCS and _UNICODE, I did
// start working on making it work with _MBCS but gave up after a while
// since I don't need this particular port and it's not going to be as
// straight forward as the other two.
//
// used everywhere. Certainly it's doable, but it's a pain.
// What's worse is that the current code will compile and run under _MBCS,
// only breaking when it gets wide characters thrown against it.
//
// I've marked at least one bit of code with #pragma messages, I may not
// get all of them, but they should be a start
//
// Guy Gascoigne - Piggford ([email protected]) Friday, February 27, 1998
// regcomp and regexec -- regsub and regerror are elsewhere
// @(#)regexp.c 1.3 of 18 April 87
//
// Copyright (c) 1986 by University of Toronto.
// Written by Henry Spencer. Not derived from licensed software.
// Permission is granted to anyone to use this software for any
// purpose on any computer system, and to redistribute it freely,
// subject to the following restrictions:
RegExp
//
// 1. The author is not responsible for the consequences of use of
// this software, no matter how awful, even if they arise
// from defects in it.
//
// 2. The origin of this software must not be misrepresented, either
// by explicit claim or by omission.
//
// 3. Altered versions must be plainly marked as such, and must not
// be misrepresented as being the original software.
// *** THIS IS AN ALTERED VERSION. It was altered by John Gilmore,
// *** hoptoad!gnu, on 27 Dec 1986, to add and for word-matching
// *** as in BSD grep and ex.
// *** THIS IS AN ALTERED VERSION. It was altered by John Gilmore,
// *** hoptoad!gnu, on 28 Dec 1986, to optimize characters quoted with \.
// *** THIS IS AN ALTERED VERSION. It was altered by James A. Woods,
// *** ames!jaw, on 19 June 1987, to quash a regcomp() redundancy.
// *** THIS IS AN ALTERED VERSION. It was altered by Geoffrey Noer,
// *** THIS IS AN ALTERED VERSION. It was altered by Guy Gascoigne - Piggford
// *** [email protected], on 15 March 1998, porting it to C++ and converting
// *** it to be the engine for the CRegexp class
//
// Beware that some of this code is subtly aware of the way operator
// precedence is structured in regular expressions. Serious changes in
// regular-expression syntax might require a total rethink.
RegExp

MonitorSolution User Guide

Uploaded by

Copyright:

Available Formats

MonitorSolution User Guide

Uploaded by

Document Information

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

MonitorSolution User Guide

Uploaded by

Copyright:

Available Formats

Altiris Monitor Solution for

Servers 7.5 fromSymantec

b. If aggregation not enabled, then this step is skipped.

are applied to metric evaluation results. After this operation is completed,

You might also like