LabTech Support Forums

DNS Server has Shutdown.

This forum is for discussion of monitor related issues.

Moderator: jware.connectwise

DNS Server has Shutdown.

Postby timothy.garner-it » Mon Jul 16, 2012 5:41 pm

The Monitor "EV - BlackListed Events - Informational Errors Only " is creating a tickets with a results of
--
AnotherCritical Blacklist Event that was found: Event ID - 3 DNS Server log - Microsoft-Windows-DNS-Server-Service: The DNS server has shut down.
--
We have clients that we reboot their servers regularly. Obviously during every reboot you get the Event ID 3.
This is normal behavior as long as you have the event ID 2 -- DNS server has started within a reasonable time.
--
I need to add to this monitor to ignore this blacklisted event if it comes paired with Event ID 2.
--
Does anyone have any input on the easiest way to do this.
--
My first thought was to add the event ID 2 to the blacklist as well so that i can just compare information in one table but that does not matter because I can use both tables:
h_eventlogs and eventblacklist
--
Something like:

AND (SELECT ComputerID FROM h_eventlogs
WHERE source='Microsoft-Windows-DNS-Server-Service' AND EventID=2
AND Last_Date>DATE_ADD(NOW(),INTERVAL -15 MINUTE))
--
Or am I thinking about this wrong.
Thank You,
Timothy Garner
User avatar
timothy.garner-it
Full Member
Full Member
 
Posts: 106
Joined: Wed Aug 24, 2011 12:05 pm

Re: DNS Server has Shutdown.

Postby timothy.garner-it » Fri Jul 20, 2012 5:10 pm

This is way closer to the correct query.
Can someone, with better SQL skills than me, clarify that this will do the trick.

AND eventlogs.eventid in (Select eventid FROM eventlogs WHERE source='Microsoft-Windows-DNS-Server-Service' AND EventID=2 AND timegen>DATE_ADD(NOW(),INTERVAL -15 MINUTE))
Thank You,
Timothy Garner
User avatar
timothy.garner-it
Full Member
Full Member
 
Posts: 106
Joined: Wed Aug 24, 2011 12:05 pm

Re: DNS Server has Shutdown.

Postby teamits » Fri Jul 20, 2012 5:44 pm

I don't have a direct answer for you but I suspect in your subselect ("(Select eventid FROM eventlogs...") you will need to join on the computer ID, so it doesn't just look for any recent eventlogs table entry for any computer. I'm not sure how to get that to happen though, sorry.
Steve
teamits
Hero Member
Hero Member
 
Posts: 1578
Joined: Wed Dec 31, 1969 8:00 pm

Re: DNS Server has Shutdown.

Postby gbelanger.exosource » Wed Jul 25, 2012 1:28 am

Shouldn't the reboot events get ignored if the Maintenance Window is properly configured?
gbelanger.exosource
Newbie
Newbie
 
Posts: 25
Joined: Mon Jun 25, 2012 12:39 am

Re: DNS Server has Shutdown.

Postby timothy.garner-it » Fri Aug 31, 2012 12:54 pm

The Reboot Events are logged in the windows logs.
The blacklisted monitors only look at the logs compared to the "Black list".
That may be a good functionality to add to the event log monitors to ignore those events during a Maintenance window, but It is not there that I have seen or know of.
---------------------------

I almost have this working (teamits you were correct):
--------
Adding this too the additional conditions field and playing with the “Interval -60 Minutes” works, but this only checks that the “success” event happened within the last hour (our whatever time you change it to).
---
AND (eventlogs.eventid = 3 AND eventlogs.computerID NOT IN (Select computerid FROM eventlogs WHERE source='Microsoft-Windows-DNS-Server-Service' AND eventid=2 AND timegen>DATE_ADD(NOW(),INTERVAL -60 MINUTE)))
-----

The only thing that needs to be added to this is to replace the (timegen>DATE_ADD(NOW(),INTERVAL -60 MINUTE))) with a SQL statement equal to this:
-
(Select timegen FROM eventlogs WHERE source='Microsoft-Windows-DNS-Server-Service' AND eventid=2)
Subtract (-) (Select timegen FROM eventlogs WHERE source='Microsoft-Windows-DNS-Server-Service' AND eventid=3)
====================================================================================================== (RESULT) < 30 Minutes
-----

I have not quite figured out how to do the math.
Thank You,
Timothy Garner
User avatar
timothy.garner-it
Full Member
Full Member
 
Posts: 106
Joined: Wed Aug 24, 2011 12:05 pm

Re: DNS Server has Shutdown.

Postby timothy.garner-it » Fri Sep 14, 2012 1:50 pm

OK this is it, I believe.
I just have a syntax error that I cannot find.

---
AND (eventlogs.eventid=3 AND source='Microsoft-Windows-DNS-Server-Service' AND eventlogs.computerid NOT IN (Select computerid FROM eventlogs WHERE source='Microsoft-Windows-DNS-Server-Service' AND eventlogs.eventid=2 AND eventlogs.timegen BETWEEN (SELECT timegen from eventlogs WHERE eventlogs.source='Microsoft-Windows-DNS-Server-Service' AND eventlogs.eventid=3 AND eventlogs.computerID IN (select computerid FROM eventlogs WHERE eventlogs.source='Microsoft-Windows-DNS-Server-Service' AND eventlogs.eventid=3) AND now()))
---
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ')
LIMIT 0, 1000' at line 1
--
It has to do with "AND NOW()))"
Thank You,
Timothy Garner
User avatar
timothy.garner-it
Full Member
Full Member
 
Posts: 106
Joined: Wed Aug 24, 2011 12:05 pm

Re: DNS Server has Shutdown.

Postby kemtis.buschconsulting » Tue Jul 30, 2013 2:51 pm

You need one more ' ) '. But I am not sure where would be the correct position to add it. Perhaps at the very end?
kemtis.buschconsulting
Full Member
Full Member
 
Posts: 137
Joined: Mon Oct 31, 2011 9:36 am

Re: DNS Server has Shutdown.

Postby jjackson.summitcomp » Sun Oct 13, 2013 9:44 pm

Since we continue to get these tickets I have to assume there is no fix for this issue. Any updates?
Thanks,
Jeff
jjackson.summitcomp
Newbie
Newbie
 
Posts: 36
Joined: Wed Dec 12, 2012 2:45 pm

Re: DNS Server has Shutdown.

Postby nickd.formatech-it » Tue Jun 09, 2015 10:36 am

I would love to know if anyone got this worked out as well.
nickd.formatech-it
Newbie
Newbie
 
Posts: 1
Joined: Fri Jan 02, 2015 4:10 pm

Re: DNS Server has Shutdown.

Postby dreeve.parcliving » Thu Jul 09, 2015 5:32 pm

Hi All,

I have a simple solution I have implemented for excluding/customizing Event Log Alerts.

First Exclude event id 3 from the EV - BlackListed Events - Informational Errors Only monitor by adding the following to the end of the default Additional Condition:

AND eventlogs.Eventid <>'3'

Next Make a copy of the EV - BlackListed Events - Informational Errors Only monitor to customize, replace the default Additional Condition with:

eventlogs.timegen > DATE_SUB(CURRENT_DATE(), INTERVAL 1 DAY)
AND (eventlogs.eventid ='3') AND (SELECT COUNT(*) FROM eventlogs WHERE computers.ComputerID = eventlogs.computerid AND eventlogs.EventType=2 AND (eventlogs.EventID='2') AND eventlogs.timegen > DATE_SUB(CURRENT_DATE(), INTERVAL 1 DAY))<1

This will check the previous 24 hours for an event 2 to get logged.

Enable this monitor on the Windows Server Managed 8x5 and Managed 24x7 Groups and copy the same alerts as EV - BlackListed Events - Informational Errors Only monitor

There maybe a better way but this seems to work for me, I have used this to customize Event Monitor with success, hopefully this will help.

Dan
dreeve.parcliving
Newbie
Newbie
 
Posts: 1
Joined: Tue Sep 30, 2014 1:35 pm


Return to Monitors

Who is online

Users browsing this forum: No registered users and 1 guest

cron