Configuring alert rulesets

The Alert rulesets page displays all the alert rulesets that you can deploy to managed devices. There are four rulesets that appear by default, and you can create custom rulesets to apply specific types of monitoring to different kinds of devices.

The four alert rulesets that appear by default on the Alert rulesets page are:

In addition to these rulesets you can create custom rulesets to apply to targeted groups of managed devices. You can deploy rulesets by scheduling a deployment task, or you can include rulesets when you deploy agents to devices using agent configuration. While the default rulesets are available to be deployed with agents, you can choose not to deploy the rulesets when you define the agent configuration.

Notes

Process for configuring a ruleset

Rulesets contain a collection of associated alerts, actions, and time filters. As you configure a ruleset, you'll define multiple action tasks and time filters that can be reused. The general procedure for configuring a ruleset includes the following steps:

  1. Create a ruleset
  2. Add new alert rules to a ruleset
  3. Define alert actions to use in rules
  4. Define time filters to use in alert rules
  5. Edit alert rules in a ruleset
  6. Include rulesets within other rulesets
  7. Publish a ruleset

To create an alert ruleset

  1. Click Tools > Configuration > Alerting.
  2. Click the New alert ruleset button on the toolbar. Type a name in the Name field, type a description of the alert in the Description field, then click OK.
  3. To change the ruleset's name or description, select it in the Alert rulesets list and click the Edit an alert ruleset button on the toolbar.
  4. To make a copy of a ruleset that you can make minor changes to, right-click the ruleset in the list and select Copy. Type a new name and description and click OK.

To add new alert rules to a ruleset

  1. In the Alert rulesets list, select the ruleset and click Edit on the toolbar.

    The Rules summary page lists each alert in the ruleset with its associated actions and time. Each combination of an alert, action, and time is listed as a separate item on the rules summary.
  2. Click Alerts in the left column to add an alert rule to the ruleset.
  3. In the right column, click Rules > Add. Three "wells" are displayed at the bottom of the page to associate alerts, actions, and time rules. Locate an alert in the list and drag it to the Alerts well at the bottom of the page.

    Alerts are listed in two groups, Standard and Monitor. Click an item under one of those groups to view a group of associated alerts. If you click the All alerts folder, all alerts are listed alphabetically.

  4. To find a particular alert, type a search string in the Alerts filter text box at the top right of the page. All alerts containing the string you type are displayed in the list.
  5. Click Actions to associate an alert action with the alert you added. By default, every alert has a Log handler configuration action associated with it, which logs the alert at the core server. To add another action, drag it to the Actions well at the bottom of the page.

    The Standard folder contains predefined actions. To use another type of action, you need to define the action first (see To define alert actions to use in rules).

  6. Click Time to specify how frequently the alert should be monitored. Drag a time rule (for example, Always) to the Time well at the bottom of the page.

    Three time rules are available by default. To use a different time rule, you need to define it first (see To define time filters to use in alert rules).

  7. When you have at least one alert with associated action and time tasks, click the OK button at the bottom of the page to add the alert rule to the ruleset. Click OK again.
  8. In the right column, click the Publish button.
  9. In the left column, click Rules summary to view the updated ruleset with the new alerts.

With a list of alerts in the ruleset, you can edit each item to change the associated action and time. You can also choose which severity levels to apply to the alert and you can specify whether that alert should contribute to the device health. For more information about editing a rule, see To edit an alert rule.

To define alert actions to use in rules

  1. In the left column of the Alert ruleset page, click Actions.
  2. Select an action group (for example, Send e-mail), then click Tasks > New in the right column.
  3. Add information in the fields as needed, then click Save.

The action is listed under the group you selected and is available to associate with alerts. Details about the fields in the different action types are explained below.

Run on core/Run on client

This action starts an executable file on either the core server or the managed device.

When you select either action, note that the program may not appear on the desktop as you expect. The program is started as a Windows service, so it is not displayed the way a regular application would be. Programs run in this way should not contain a user interface that requires interaction. To determine definitively whether the program executed, check the process list in the Windows Task Manager.

Send e-mail

This action sends an e-mail message using the SMTP server you specify.

The e-mail will be sent from the core server.

You can send e-mail messages to multiple recipients, and you can use the following variables in the Body field:

Send SNMP trap

This action sends an SNMP v1 trap when the alert is triggered.

Severity levels for alerts are reported in the Specific Trap Type field of the trap. Values are 1 = Unknown, 2 = Informational, 3 = OK, 4 = Warning, and 5 = Critical.
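The mapping above is the only part of the trap the page defines, so a receiver that consumes these traps (a SIEM collector, a test harness for the action) needs to pull the Specific Trap Type integer out of the SNMP v1 Trap-PDU and translate it. The following Python is an added example, not code from the product or the page: it encodes a minimal RFC 1157 v1 trap with BER, then decodes it back and maps the specific-trap value to the severity name. The community string, enterprise OID (1.3.6.1.4.1.99999), agent address and sysUpTime value are constructed sample values, and the use of generic-trap 6 (enterpriseSpecific) is an assumption about how the action fills that field; the page does not say.

```python
"""Encode and decode the severity carried in an SNMP v1 trap's specific-trap field.

Added example; the BER encoder exists only so the decoder can be exercised
offline. Enterprise OID, community and addresses below are constructed values.
"""
import socket

# Specific Trap Type values and the severities they report (from the page).
SEVERITY_BY_SPECIFIC_TRAP = {
    1: "Unknown", 2: "Informational", 3: "OK", 4: "Warning", 5: "Critical",
}


def _ber_len(n):
    """BER definite-form length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag, payload):
    return bytes([tag]) + _ber_len(len(payload)) + payload


def _ber_int(value, tag=0x02):
    """Two's-complement INTEGER; the extra byte keeps positive values positive."""
    body = value.to_bytes((value.bit_length() + 8) // 8, "big", signed=True)
    return _tlv(tag, body)


def _ber_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = bytearray([arc & 0x7F])
        arc >>= 7
        while arc:  # base-128 with continuation bits on all but the last byte
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        out += chunk
    return _tlv(0x06, bytes(out))


def build_v1_trap(community, enterprise_oid, agent_ip, specific_trap, uptime_ticks=0):
    """Build a complete SNMP v1 trap datagram (RFC 1157 Message + Trap-PDU)."""
    pdu = (
        _ber_oid(enterprise_oid)
        + _tlv(0x40, socket.inet_aton(agent_ip))  # agent-addr: [APPLICATION 0] IpAddress
        + _ber_int(6)                             # generic-trap: enterpriseSpecific (assumed)
        + _ber_int(specific_trap)                 # specific-trap: the severity code
        + _ber_int(uptime_ticks, tag=0x43)        # time-stamp: [APPLICATION 3] TimeTicks
        + _tlv(0x30, b"")                         # variable-bindings: none in this sample
    )
    return _tlv(0x30, _ber_int(0) + _tlv(0x04, community.encode()) + _tlv(0xA4, pdu))


def _read_tlv(buf, pos):
    """Return (tag, payload, next_pos) for the BER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _decode_int(payload):
    return int.from_bytes(payload, "big", signed=True)


def trap_severity(packet):
    """Return (specific_trap, severity_name) from a raw SNMP v1 trap datagram."""
    tag, msg, _ = _read_tlv(packet, 0)
    if tag != 0x30:
        raise ValueError("not a BER SEQUENCE")
    tag, version, pos = _read_tlv(msg, 0)
    if tag != 0x02 or _decode_int(version) != 0:
        raise ValueError("not an SNMP v1 message")
    _, _community, pos = _read_tlv(msg, pos)   # cleartext; v1 has no authentication
    tag, pdu, _ = _read_tlv(msg, pos)
    if tag != 0xA4:
        raise ValueError("not a Trap-PDU")
    _, _enterprise, pos = _read_tlv(pdu, 0)
    _, _agent_addr, pos = _read_tlv(pdu, pos)
    _, generic, pos = _read_tlv(pdu, pos)
    _, specific, pos = _read_tlv(pdu, pos)
    if _decode_int(generic) != 6:
        raise ValueError("not an enterprise-specific trap")
    code = _decode_int(specific)
    return code, SEVERITY_BY_SPECIFIC_TRAP.get(code, "unrecognized")


if __name__ == "__main__":
    sample = build_v1_trap("public", "1.3.6.1.4.1.99999", "192.0.2.10", 5, 4000)
    print(sample.hex())
    print(trap_severity(sample))  # (5, 'Critical')
```

Because an SNMP v1 trap is a single unauthenticated UDP datagram with the community string in cleartext, a receiver should accept traps only from the core server's address and treat an out-of-range Specific Trap Type as "unrecognized" rather than mapping it to a default severity, which is what `trap_severity` does.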

To define time filters to use in alert rules

  1. In the left column of the Alert ruleset page, click Time.
  2. Click Tasks > New in the right column.
  3. In the New filter dialog box, enter data in the fields (described below).
  4. Click Save.

The time filter appears in the list and is available to associate with alerts. Details about the fields in the New filter dialog box are explained below.

To edit an alert rule

You can edit individual alert rules in the Rules summary page. Changes you can make include selecting a different action or time filter, selecting which severity levels are in effect, and specifying whether the rule contributes to the device's health status.

  1. Click Rules summary to view the alert rules in the current ruleset.
  2. Click the alert rule you want to edit and click Rules > Edit in the right column.
  3. To change the associated action or time, select a new option from the respective list.
  4. To receive an alert notification only for particular severity levels, click the State icons. A dimmed icon indicates that alerts for that severity level will be ignored.
  5. To include the alert rule as an indicator of device health, select the Health check box.
  6. Click OK to save your changes.

Each alert rule can have only one associated action and one time filter. If you want to create additional rules for an alert, click Clone in the right column to create a duplicate of the rule, then edit the duplicate.

To include rulesets within other rulesets

One way to make ruleset creation more flexible is to create smaller rulesets that you then combine for different uses. To do this, you can include rulesets within other rulesets.

  1. At the bottom left of the Alert ruleset page, click Includes.
  2. In the left column, click Includes.
  3. In the right column, click Includes > New.
  4. In the Available rulesets dialog box, select one or more rulesets to include in the current ruleset, then click Save. Use Ctrl+click or Shift+click to select multiple rulesets.

    The rulesets are added to the Includes list.

  5. If you want to remove a ruleset from the Includes list, select it and click Includes > Delete in the right column.
  6. To see which other rulesets include the current ruleset, click Included by in the left column.

When you include rulesets, each ruleset is maintained as a separate XML file. The XML files are not combined; instead, they reference each other.

To publish an alert ruleset

After you have added and edited rules in a ruleset, you need to publish the ruleset. Publishing creates an XML file containing the ruleset data, which the alerting agent references as it runs.

  1. On the Rules summary page, click Publish in the right column.
  2. Click OK at the success message.

The XML files with published ruleset data are stored in the ldlogon share on the core server, in the alertrules folder.

When you publish a ruleset, the alerting service is notified to reload the updated rulesets. If you have updated a ruleset that is already deployed to managed devices, each of those devices automatically updates its ruleset with the modified rules the next time the alerting agent runs on that device.

If you don't publish a ruleset, the alerting service is never signaled to reload it, so devices that already have the ruleset are not updated. We strongly recommend that you publish rulesets every time you make any changes to them.