Creating a threshold filter


The purpose of the threshold filter is to do one thing: Write an event to the event log when a configurable number of events occur during a specified time period.

 

NTBackup logs two events to the event log for each logical/network drive (e.g. C:) and logical entity (e.g. System State) it backs up: one event indicating that the backup started, and one event indicating that the backup ended (if it did, that is).

 

| Action | Event Log | Event Type | Event Source | Event ID | Message Text |
|---|---|---|---|---|---|
| Backup Start | Application | Information | NTBackup | 8000 | Begin Backup of '\\SERVER\SHARE' Verify: Off Mode: Append Type: Normal |
| Backup End | Application | Information | NTBackup | 8001 | End Backup of '\\SERVER\SHARE' Verify: Off Mode: Append Type: Normal |

 

In our scenario we are only interested in knowing that the backup of each "entity" was successful, which is what the 8001 event tells us. Since we are backing up three different entities, we are looking for three events that match the above criteria for event 8001.

 

In the management application, expand the Filter Packages node, right-click the Backup filter package and select Add Filter. Assign the filter a descriptive name, such as "Daily Backup Threshold" and hit ENTER.

 

Configure the general filter settings as shown in the screenshot below:

 

Figure 10: General filter settings

 

When you are done, click the Threshold tab to configure the threshold options. In our scenario we are assuming that our backup will take no longer than 6 hours, but you might have to adjust that period if your backup takes longer or is significantly shorter:

 

Figure 11: Threshold settings

 

So what are these threshold settings doing? If this filter finds at least 3 events that match the criteria specified above, then it will write the following event to the event log:

 

Figure 12: Event written by the threshold filter

 

Should our backup produce more than three events in 6 hours, then the events themselves will be forwarded to the email notification specified in figure 10. This is useful when the backup is changed (e.g. an additional drive is monitored) since it can act as a reminder that you need to change the threshold filter and increase the count. Please note that the threshold filter that triggered the event in figure 12 was configured for 6 entries in 12 hours, not 3 entries in 6 hours.

 

So, ideally this threshold filter will never actually forward events to a target (unlike regular filters), but only count events based on our settings.

 

Our last step will be to create a recurring event filter that will log an error to the event log if our threshold event (10602) is not written to the event log, indicating that not enough "backup successfully ended" events were written to the event log.
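
The counting logic described above, together with the recurring check from the last step, modelled as an added example (not the product's own code). The window semantics, the function names and the sample events are assumptions constructed for illustration; only the source, event IDs, count and period come from this page.

```python
from datetime import datetime, timedelta

# Values from the page: NTBackup "End Backup" events, 3 matches within 6 hours.
SOURCE, EVENT_ID, COUNT, PERIOD = "NTBackup", 8001, 3, timedelta(hours=6)
THRESHOLD_EVENT_ID = 10602  # threshold event ID named on the page

def evaluate(events, count=COUNT, period=PERIOD):
    """Return (threshold_events, forwarded) for a list of event records.

    Assumed semantics (hypothetical model): the window opens at the first
    match, the threshold event is written once when `count` matches are
    reached, further matches inside the same window are forwarded, and a
    match after the window has expired starts a new window.
    """
    threshold_events, forwarded = [], []
    window_start, seen = None, 0
    for rec in sorted(events, key=lambda e: e["time"]):
        if rec["source"] != SOURCE or rec["id"] != EVENT_ID:
            continue  # not a "backup ended" event
        if window_start is None or rec["time"] - window_start > period:
            window_start, seen = rec["time"], 0  # start a new window
        seen += 1
        if seen == count:
            threshold_events.append({"id": THRESHOLD_EVENT_ID, "time": rec["time"]})
        elif seen > count:
            forwarded.append(rec)  # more matches than configured: notify
    return threshold_events, forwarded

def backup_incomplete(threshold_events, period_start, period_end):
    """Recurring check: True if no threshold event was written in the period."""
    return not any(period_start <= t["time"] < period_end for t in threshold_events)

def sample(hour, event_id, target):
    # Constructed sample record, not real log output.
    return {"time": datetime(2024, 1, 1, hour), "source": "NTBackup",
            "id": event_id, "msg": f"Backup of '{target}'"}

# Constructed night: three entities, each with a start (8000) and end (8001).
GOOD = [sample(1, 8000, "C:"), sample(2, 8001, "C:"),
        sample(2, 8000, "D:"), sample(3, 8001, "D:"),
        sample(3, 8000, "System State"), sample(4, 8001, "System State")]
# Constructed failure: the System State backup never logs its end event.
FAILED = GOOD[:-1]
# Constructed change: a fourth entity was added to the backup job.
EXTRA = GOOD + [sample(5, 8001, "E:")]
```

With FAILED, no threshold event is produced, so the recurring check is the only thing that reports the problem; with EXTRA, the fourth 8001 event is the one that gets forwarded.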