Science Logic Notes from meeting on 6 7 2022 and additional documentation for events.
ScienceLogic Meeting Questions and Notes June 7, 2022
Questions:
How do we access more information about a particular alert? We are looking to review logs for alerts to better identify the cause of the alert.
How do we add our VA Distro list to the email alert list? Open WFM ticket as SL1 engineers to ask to update the distro list.
Can we add our Corporate Distro to the email alerts list for faster service? Cannot do this
How are “Latency thresholds” determined and can we alter that threshold if necessary?
How are the 500 alerts generated?
How are the 500 thresholds for alerts determined?
Meeting Notes:
Need to make a request with WFM to have an admin account for device capabilities to schedule maintenance.
We can change the distribution list: WFM ticket - assign to S01 Engineers. Has to be VA Email addresses: [email protected]
To schedule Device Maintenance:
Go to SL1 Dashboard - view events
Go to registry to view a list of
Put a . in the IP search criteria to view only SNMP data collection devices.
Set maintenance mode to prevent ScienceLogic alerts while servers are down.
Click on the calendar icon in the last column for the device requiring maintenance. (Need admin access to see the calendar icon.)
Click the Create button. Provide a name for the schedule and a description. Select start and end time.
Collection polling - collecting data, but not turning them into alerts (enabled = still collecting data)
There are processes being put in place for threshold changes through WFM. - Dynamic applications of this nature for the powerpack or global.
==================================================
Events are messages that are triggered when a specific condition is met. For example, an event can signal if a server has gone down, if a device is exceeding CPU or disk-space thresholds, or if communication with a device has failed. Alternately, an event can simply display the status of a managed element.
SL1 generates log messages from incoming trap and syslog data, and also when SL1 executes user-defined policies. SL1 then uses these log messages to generate events. SL1 examines each log message and compares it to each event definition. If a log message matches an event's definition, SL1 generates an event instance and displays the event on the Events page.
Each event includes a description of the problem, where the problem occurred (device, network hardware, software, policy violation), a pre-defined severity, the time of first occurrence, the time of most recent occurrence, and the age of the event.
SL1 includes pre-defined events for the most commonly encountered conditions in the most common environments. You can also create custom events for your specific environment or edit the pre-defined events to better fit your specific environment.
When events occur, there are multiple ways you can respond to them:
Acknowledge. Lets other users know that you are aware of an event and are working on a response.
Add a Note. Adds additional text to an event. Notes can be displayed in the Events page and can be included in automation actions.
Clear. Removes an instance of an event from the Events page. The cleared instance is no longer displayed.
Suppress. Specifies that if the event occurs again on the same device, the event will not be displayed in the Events page.
Disable. Specifies that if the event occurs on any device or is triggered by any application or policy, the event will not appear in the Event Console.
Acknowledging and Clearing Events
When you acknowledge an event, you let other users know that you are aware of that event, and you are working on a response.
When you clear an event, you let other users know that this event has been addressed. Clearing an event removes a single instance of the event from the Events page. If the event occurs again on the same device, it will reappear in the Events page.
If the same event occurs again on the same device, it will appear in the Events tab, even if you have previously cleared that event.
When you acknowledge a parent event, all masked events under that parent event are also acknowledged.
To acknowledge an event, find the event on the Events page and click the Acknowledge button for that event. Your user name replaces the Acknowledge button for that event.
You can also click the Acknowledge button in a specific event's Investigator page.
To see when an event was acknowledged and who acknowledged it, hover your mouse over an acknowledged field.
If an event was acknowledged by another user and you have the relevant permissions, you can click the Reacknowledge button to acknowledge that event.
To clear an event, click the Clear button. The event is removed from the Events page.
If you want to hide the Acknowledge or Clear buttons on the Events page, click the Select Columns icon and deselect those columns.
Clearing Events
When you clear an event, you remove only a single instance of the event from the current display in the Event Console page. If the event occurs again on the same entity, it will reappear in the Event Console page.
NOTE: To clear an event, accounts of type "user" must be granted one or more access keys that include the following access hooks: Events/Event:View and Event:Clear. Accounts of type "user" will then be able to view and clear events in the same organization(s) as the user. For more information on access hooks, see the section on Access Permissions.
To clear an event:
Go to the Events tab.
In the Event Console page, select the checkbox for each event you want to clear. To select all events in an organization, click the checkmark icon above each organization's group of events.
Clear the event(s) by doing one of the following:
- Click the Del button.
- In the Select Action drop-down list, select Clear, then click the Go button.
When you successfully clear an event, it will no longer appear in the Event Console page.
NOTE: The Event Clearing Mode option in the Behavior Settings page (System > Settings > Behavior) affects how rolled up events and suppressed events can be cleared. For details, see the section on System Settings that Affect Events.
Suppressing an Event on a Single Device
When you suppress an event in the classic SL1 user interface, you are specifying that in the future, if this event occurs again on the same device, the event will not appear in the Event Console page or the Viewing Events page for a device.
If a suppressed event occurs on a different device, it will appear in the Event Console page and on the Viewing Events page for that different device.
When you suppress an event, the current instance of the event still appears in the Event Console. To remove the current instance from the event console, clear the event (see the section Clearing One or More Events).
NOTE: To suppress an event, accounts of type "user" must be granted one or more access keys that include the following access hooks: Events/Event:View and Event:Clear. Accounts of type "user" will then be able to view and suppress events that belong to the same organization(s) as the user. For more information on access hooks, see the section on Access Permissions.
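The difference between acknowledging, clearing, suppressing and disabling matters when working out why an alert did or did not show up. The following is an added example, not ScienceLogic code and not the SL1 API: a small Python model of the behaviour described on this page. The Console class, its methods, and the event and device names are all hypothetical and constructed for illustration.

```python
# Toy model of the event-handling semantics described above.
# Constructed for illustration; not SL1 code and not its API.
from dataclasses import dataclass, field

@dataclass
class Console:
    active: dict = field(default_factory=dict)    # (event, device) -> acknowledging user or None
    suppressed: set = field(default_factory=set)  # (event, device) pairs hidden on recurrence
    disabled: set = field(default_factory=set)    # event names hidden on every device
    masked: dict = field(default_factory=dict)    # parent key -> keys of its masked events

    def occur(self, event, device, parent=None):
        """A log message matched an event definition for this device."""
        key = (event, device)
        if event in self.disabled or key in self.suppressed:
            return False                  # matched, but not displayed
        self.active.setdefault(key, None)
        if parent is not None:
            self.masked.setdefault(parent, []).append(key)
        return True

    def acknowledge(self, event, device, user):
        key = (event, device)
        for k in [key] + self.masked.get(key, []):
            if k in self.active:
                self.active[k] = user     # masked events follow their parent

    def clear(self, event, device):
        self.active.pop((event, device), None)    # removes this one instance only

    def suppress(self, event, device):
        self.suppressed.add((event, device))      # current instance is left in place

    def disable(self, event):
        self.disabled.add(event)

def demo():
    c = Console()
    c.occur("Device down", "web01")
    c.occur("Ping fail", "web01", parent=("Device down", "web01"))
    c.acknowledge("Device down", "web01", "alice")
    acked_child = c.active[("Ping fail", "web01")]
    c.clear("Device down", "web01")
    reappears = c.occur("Device down", "web01")          # clearing does not stop recurrence
    c.suppress("Device down", "web01")
    still_active = ("Device down", "web01") in c.active  # must be cleared separately
    c.clear("Device down", "web01")
    hidden_same = not c.occur("Device down", "web01")    # suppressed on this device
    shown_other = c.occur("Device down", "db01")         # still shown on another device
    c.disable("Device down")
    hidden_any = not c.occur("Device down", "app01")     # disabled for every device
    return acked_child, reappears, still_active, hidden_same, shown_other, hidden_any
```

Suppressed and disabled events are the ones to review periodically, since a matching condition on that device (or, for disabled events, on any device) no longer reaches the console.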