Stateful versus Stateless events

There are two different event types:

  1. Stateful events have a clear beginning and ending. A “Device Down” event ends with a “Device up” event, and a “Threshold event cleared” event is always preceded by a “Threshold Exceeded” event. Stateful events remain in the list as long as they are “active” or “pending”. They disappear once the event is no longer applicable.
  2. Stateless events are one-off events. They have a clear beginning but no ending. Examples of stateless events are Trap and Syslog messages. These message types are removed from the list when they are older than 30 minutes.

Acknowledging events

Users with at least Operator rights can acknowledge stateful events. By acknowledging an event, the user confirms he/she is aware that the event has taken place and that he/she takes responsibility for the follow-up. Stateful events can be “Acked” on the Pending events page. These actions are logged!

Adding filters / Blocking events

In addition to acknowledging events, you can add filter rules to block events. This can be useful if many (unimportant) events are received from (low-ranked) devices. Filter rules can be added from the Pending events page as well as the Events history page by clicking on the colored filter icons.

Filter rules can be defined for:

  1. Threshold violated events
  2. Anomaly detected events
  3. Trap received events
  4. Syslog message received events

Filters can be added system-wide or per device. System-wide filters are shown on the Event filters page. Device filters are shown on a device’s dashboard page (right-click on a device icon on the map and select Dashboard from the popup menu; you need at least Operator rights).

Filters can be defined based on:

  1. The event type (Trap, Syslog, Anomaly etc)
  2. The message content (textual comparison)
  3. The event source (device id)
  4. A combination of above

A note about message content comparisons

For filtering on message content, the Damerau-Levenshtein distance algorithm is used. Messages often contain all sorts of variables and/or time stamps, so an exact match between two messages is usually not possible.

Before a newly received message text is passed to the algorithm, all numerical data is first removed from the text. After this, the algorithm gives a reasonable assurance that two messages have the same kind of content.
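
The comparison described above, as an added example (not Quantellium's own code): digits are stripped, then the restricted (optimal string alignment) variant of Damerau-Levenshtein is computed. The function names, the 0.9 similarity threshold and the sample Syslog lines are assumptions constructed for illustration.

```python
import re

SIMILARITY_THRESHOLD = 0.9  # assumed value; the page does not state one


def normalize(msg: str) -> str:
    """Remove all numerical data before comparison, as the page describes."""
    return re.sub(r"\d+", "", msg)


def osa_distance(a: str, b: str) -> int:
    """Restricted Damerau-Levenshtein: insert, delete, substitute, swap neighbours."""
    prev2, prev = [], list(range(len(b) + 1))
    for i in range(1, len(a) + 1):
        cur = [i] + [0] * len(b)
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            cur[j] = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost)
            # adjacent transposition, the step plain Levenshtein lacks
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                cur[j] = min(cur[j], prev2[j - 2] + 1)
        prev2, prev = prev, cur
    return prev[len(b)]


def same_kind(filter_msg: str, new_msg: str) -> bool:
    """True when the new message is close enough to the filtered one to be blocked."""
    a, b = normalize(filter_msg), normalize(new_msg)
    longest = max(len(a), len(b)) or 1
    return 1 - osa_distance(a, b) / longest >= SIMILARITY_THRESHOLD


# Constructed sample data: the message a filter was created from, then new arrivals.
FILTERED = ("Jan 12 10:03:44 platinum sshd[2211]: "
            "Permission denied for user admin from 10.0.0.5 port 51234")
CANDIDATES = [
    "Jan 13 23:59:01 platinum sshd[918]: "
    "Permission denied for user admin from 192.168.1.20 port 22",
    "Jan 13 23:59:05 platinum sshd[919]: "
    "Permission denied for user root from 192.168.1.20 port 22",
    "Jan 13 23:59:07 platinum kernel: eth0: link down",
]

if __name__ == "__main__":
    for msg in CANDIDATES:
        print("blocked" if same_kind(FILTERED, msg) else "shown  ", msg)
```

With this assumed threshold the second candidate, which differs only in the user name, is also treated as the same kind of message, so a content filter suppresses more than the exact line it was created from.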

| Type | Stateful | Remarks |
|---|---|---|
| Threshold violated event | Yes | Disk space usage exceeded, CPU usage too high, etc. |
| Threshold violated event cleared | Yes | |
| No response event | Yes | No response on status request |
| No response event cleared | Yes | |
| Anomaly detected event | Yes | Network interface errors detected, primary protocol for status monitoring failed (using secondary), etc. |
| Anomaly detected event cleared | Yes | |
| Trap message received event | No | |
| Syslog message received event | No | |
| Scan event | No | New device detected |
| User action event | No | User logged on/off |
| Program executed event | No | Email alert sent, script executed, etc. |
| Application event | No | Quantellium Startup/Shutdown, repository sync, New SNMP data collector added, etc. |
| Warning event | No | System restart detected |

Filter examples

Screenshot below!

  • Block all Syslog messages from device Platinum (Yellow device icon: event type / device).
  • Block this “Permission denied” Syslog message from device Platinum (White device icon: event type / message content / device).
  • Block this “Permission denied” Syslog message from all devices (Green device icon: event type / message content).

Syslog severity level

In addition to the filter options already mentioned, Syslog messages have one more: the severity level. The Syslog severity level is a global setting and can be set on the Event filters page. The default Syslog severity level is “Critical”. This means that Syslog messages are accepted only if their severity level is “Critical” or higher!

System-wide defined event filters

Device-specific event filters are shown on a device’s dashboard page. System-wide filters have their own page, the Event filters page.