Detect and suppress message storms

As a system administrator, you can take the necessary precautions to detect and, optionally, suppress message storms by configuring the message storm detection mechanism and defining appropriate automatic and operator initiated actions. The message storm detection mechanism is based on the following two message properties:

• Detection based on TimeCreated

  Agents create a high number of messages within a short time interval. The message storm detection is based on the TimeCreated property of the message, which is set on the managed node when the agent creates the message.

  If there are many messages from a certain node where the TimeCreated values are close by, this indicates a message storm. This is the classical case for a message storm. In most cases, the root cause might be wrongly defined policies.

• Detection based on TimeReceived

  Agents send a high number of messages within a short time due to a large backlog of buffered messages on managed nodes. The detection is based on the TimeReceived property of the message, which is set on the management server when the message arrives.

  If there are many messages from a certain node where the TimeReceived values are close by, but the TimeCreated values show normal deltas, then this indicates a message storm. However, this is a less common cause for a message storm.

As administrator, you can configure what to interpret as a message storm for both message properties by setting configuration values in the Server Configuration dialog box in the following namepaces:

• Message Storm Detection Based on Time Created
• Message Storm Detection Based on Time Received

You can enable the detection for both properties in parallel or for only one. As soon as a message storm is detected, a high priority notification message is sent to the console and the automatic action assigned to the message is launched.

Related Topics:

• Message storm detection and suppression
• Configure the message storm detection mechanism