Administration GuideAction Alerts › Example: Create an Alert for Business_Critical_Sources

Previous Topic: Configure Action Alert Retention

Next Topic: Edit an Action Alert

Example: Create an Alert for Business_Critical_Sources

You can create a custom query with the Business_Critical_Sources keyed list and schedule an alert based on this query. The keyed list is one that has no default values and no associated predefined query or alert. Use the following end-to-end process as a guide.

  1. Install an agent.
  2. Configure a connector on that agent to collect events from each business critical source.

    Connector status shows agent host name used as the value for a business critical resource.

  3. Define the hostname values for Business_Critical_Sources user-defined lists (keys).
    1. Click the Administration tab and Services subtab.
    2. Select Report Server from the Service List.
    3. Select Business_Critical_Sources in the User Defined Lists (Keys) area.
    4. Click Add Value in the Values area and enter the hostname of a business critical source.

    Enter the agent host name as the value.

    1. Repeat the last step for each business critical source from which events are collected.
    2. Click Save.
  4. Create a query on failed login attempts on business critical sources.
    1. Click Queries and Reports.
    2. Under Query List, enter login in the Search field.
    3. Select Unsuccessful Login Attempt by Host and select Copy from the Options drop-down list.

      The Query Design wizard opens with the name Copy of Unsuccessful Login Attempts by Host.

      Rename to query to Unsuccessful Login Attempts by Business_Critical_Sources.

    4. Select the Query Filters step.
    5. Click the Advanced Filters tab.
    6. Click New Event Filter.

    The New Event Filter button is designated with a plus sign, for Add.

    1. Select source_hostname for the column, select Keyed for the operator, and select Business_Critical_Sources as the value.

    When you select Keyed as the operator, the value list is populated with configured keyed values for the column you entered.

    1. Click Save and Close.
  5. Schedule an alert based on this custom query.
    1. Click the Queries and Reports tab.
    2. Select Unsuccessful Login Attempts by Business_Critical_Sources under the User folder of the Query List.
    3. Select Schedule Action Alert from the Edit drop-down list.

      The dropdown list is in the right pane.

      The Schedule Action Alerts wizard appears.

    4. Enter a job name, such as Unsuccessful Login Attempts by Business Critical Resources
    5. Click Schedule Jobs and define the schedule.
    6. Optionally, specify email options for Destination.
    7. Click Save and Close.
  6. Verify the job is scheduled.
    1. Click the Alert Management tab and the Alert Scheduling subtab.
    2. Verify the job name you entered is listed.

    The scheduled job name is listed.

  7. Check for the generation of the alert.
    1. Click the Alert Management tab. The Action Alerts subtab is displayed.
    2. View the listed alerts to determine whether the job name you listed appears.

More information:

Install an Agent

Create a Connector Based on NTEventLog