Starting with version 2.50 of EventSentry you can now be notified if a certain event does not occur during a specified time frame. As such, you can be notified if a successful backup event has not been written to the event log during a certain time frame.
Since a successful Windows backup usually consists of more than one NTBackup event record being written, we will need to use the threshold feature in addition to the recurring event feature.
Scenario
A Windows Backup job is setup to backup 4 network drives, starting at 11pm. This backup job usually takes between 2 and 4 hours. During this time, 4 informational messages with event id xxxx are written to the Application event log.
Goal
We need to be notified by email when less than 4 of the backup jobs are being written to the event log, indicating that one or more jobs failed.
Approach
| 1. | Add a SMTP target (if we don't have one already) for the notification. |
| 2. | Create a threshold filter logging to the event log when 4 backup events have successfully been written. |
| 3. | Create a recurring event filter that will write an error event to the Application event log when our threshold filter event is not written. |
| 4. | Create a filter looking for error events from the recurring event filter in the application event log. You can skip this step if you already have a filter looking for error events. |
1. Creating a SMTP target (you can skip this step if you already have an SMTP target)
Right-Click the notifications container and select Add Target. Then, choose a name for the new target and configure all required SMTP options. In this example we will choose Important SMTP as the name for this target.
For more information see SMTP Targets.
2. Creating a threshold filter
Threshold filters are similar to ordinary filters, except that you can take actions based on the number of events that appear in a certain time frame. In this case, we want to determine whether a certain number (4) of successful backup events were written to the event log.
| • | Right-click any Filters container (local filters, global filters or group filters) and select Add Filter. |
| • | Configure the general filter options. For successful NTBackup events the filter should be configured as shown in the screenshot below: |
| • | Configure the threshold options. According to our scenario we are looking for a minimum of 4 events in 3 hours. Additionally we are not interested in the actual events (as such, both process events after/before checkbox remain cleared) but instead only need to know when the threshold has been fulfilled. The correct configuration is shown in the screenshot below: |
This threshold filter will log an information event to the Application event log (EventID 10601, source EventSentry) when the threshold is met at any time.
3. Creating a recurring event filter
Since our threshold filter will create an event when our 4 backup events are written to the event log, we can instruct our recurring event filter to look for this event.
| • | Right-click any Filters container (local filters, global filters or group filters) and select Add Filter. We recommend that you choose the same container as in step 2. |
| • | Configure the general filter options. For threshold events the filter should be configured as shown in the screenshot below: |
| • | Configure the recurring filter options. In our scenario, the backup events will be logged between 11pm and 3pm. Since the backup jobs takes at least 2 hours, we can configure our recurring event filter to look for our threshold event between 1am and 3am. The configuration for this scenario would look like the screenshot below. The hours start with Tuesday since the backup jobs starts at monday night. If your backup jobs take longer then you would need to extend the two hour time frames accordingly. |
4. Creating the "notification" filter
As already mentioned in step 3, the recurring event filter will write an error event to the application event log when our threshold filter event cannot be found.
In order to be notified by this error we will need to setup a filter that will forward either this error only or all errors (as recommended) to a SMTP target. You can skip this step if you already have a filter in place that forwards all error events by email to the same recipient(s).
| • | Right-click any Filters container (local filters, global filters or group filters) and select Add Filter. We recommend that you choose the same container as in step 2. |
| • | Configure the general filter options. For recurring events the filter should be configured as shown in the screenshot below: |
