Event Log Monitoring usually concerns itself with forwarding critical events that indicate some sort of problem (security, operational, ...). Yet sometimes it is equally important to detect that a crucial event did not occur, for example when a backup did not simply fail but did not run at all, took too long, got stuck etc. EventSentry can detect these types of issues proactively.
Any process that runs on a schedule and generates some sort of confirmation (e.g. an event) when it is complete can be verified with EventSentry's recurring filter feature.
Receiving an alert when a scheduled activity like a backup fails is a three-step process:
1. Identify event & create filter
EventSentry needs at least one event that is logged when the scheduled activity is complete. This is ideally an event logged by the software that is to be monitored (e.g. backup complete), but can also be an event logged by EventSentry in response to a change in the system (a file being created/deleted, a process exiting etc.).
Once the event has been identified, create a filter (and optionally a new package) that matches the event and proceed to step 2.
2. Configure recurring event option
In the filter dialog, click the "Hour / Day" tab and change the schedule type to "Recurring Event". In the calendar area in the center, click the + icon to add a schedule to the list.
In most cases you will pick the week day(s) on which the process runs (e.g. Monday - Friday) and, after clearing the "All Day" check box, the time range during which the event is expected to be logged. For example, if you are monitoring a backup that runs on weekdays and usually completes between 2am and 4am, you would select Tuesday through Saturday (since the first event occurs after midnight).
3. Forward recurring alert to action
If EventSentry detects that the event specified in step (1) did not occur during the specified window, it will log error event 10620 to the event log at the end of the specified time interval (4am in this example). The event will indicate which filter did not match an event, such as:
No event matching filter Backup has occurred in the event log in the configured time period. According to the schedule, at least one event matching filter Backup should have been logged during the last 120 minutes.
In many cases this type of alert may already be forwarded to an action through an existing default filter in EventSentry since the 10620 event is logged as an error. If you do not already have a filter in place to match this event, simply create a new event log filter that looks for the following properties:
Event Log: Application
Event Source: EventSentry
Event ID: 10620
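The following added example (not EventSentry code, and not how the product is implemented internally) sketches the missing-event check from steps 2 and 3 for the Tuesday - Saturday, 2am - 4am schedule, so you can see which situations produce an alert. The function names, the "Backup" filter name and the sample timestamps are constructed for illustration.

```python
from datetime import date, datetime, time, timedelta

# Schedule from the article's example: event expected Tue-Sat, 02:00-04:00.
WEEKDAYS = {1, 2, 3, 4, 5}  # datetime.weekday(): Monday=0, so Tue..Sat
WINDOW_START, WINDOW_END = time(2, 0), time(4, 0)
WINDOW_MINUTES = ((WINDOW_END.hour - WINDOW_START.hour) * 60
                  + (WINDOW_END.minute - WINDOW_START.minute))

# Constructed sample data: completion times of a hypothetical "Backup" job
# for the week starting Monday 2024-03-04.
SAMPLE_EVENTS = [
    datetime(2024, 3, 5, 2, 41),   # Tue: on time
    datetime(2024, 3, 6, 3, 10),   # Wed: on time
    datetime(2024, 3, 7, 4, 25),   # Thu: finished late, outside the window
                                   # Fri: job never ran, no event at all
    datetime(2024, 3, 9, 2, 55),   # Sat: on time
]

def missed_windows(event_times, first_day, last_day, now):
    """Return the end time of each elapsed window that contains no event."""
    missed = []
    day = first_day
    while day <= last_day:
        start = datetime.combine(day, WINDOW_START)
        end = datetime.combine(day, WINDOW_END)
        # A window is only judged once it has fully elapsed, which is why
        # the alert can fire no earlier than the end of the window.
        if day.weekday() in WEEKDAYS and end <= now:
            if not any(start <= t <= end for t in event_times):
                missed.append(end)
        day += timedelta(days=1)
    return missed

def report(now_iso, filter_name="Backup"):
    """Evaluate the sample week as of `now_iso`; return one alert per gap."""
    now = datetime.fromisoformat(now_iso)
    gaps = missed_windows(SAMPLE_EVENTS, date(2024, 3, 4),
                          date(2024, 3, 10), now)
    return [f"{end.isoformat()} no event matching filter {filter_name} "
            f"in the last {WINDOW_MINUTES} minutes" for end in gaps]

if __name__ == "__main__":
    for line in report("2024-03-10T12:00:00"):
        print(line)
```

Both the late Thursday completion and the Friday run that never happened are reported, each stamped with the end of its window.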