Can the trial version have a package to monitor a specific service differently to the general Services package?

+1 vote
asked May 28 in EventSentry by marcusrjones (240 points)

(version 4.0.3.6)

I have tried to setup a package to monitor a specific service differently to the general services package. (I want the general package to run as well).

I deliberately want to be alerted by email about service start and stop for this service - so set the Log As -> Error .

I then assigned this package globally (or specifically to one computer).

If I enable it I start to get Error level EventSentry eventLog entries for all services that start and stop - not just this specific one I want. But I have specified "only monitor listed" . If I disable just this package then I stop getting the email about other services start/stop.

So can I have 2 packages that monitor services differently assign to the same computer? Have I specified it incorrectly? 

 

1 Answer

+1 vote
answered May 28 by Sally (2,000 points)
selected May 30 by marcusrjones
 
Best answer
Unfortunately if the service monitoring packages conflict overall with their monitoring types (such as one package is "Monitor all except listed" and the other is "Only monitor listed") they won't behave correctly.  If you have the same monitoring type in both packages then it should be obeying your settings.

Unless you're doing something quite drastically different, such as not monitoring any service status changes whatsoever in the default service monitoring package, you can just make a change to your Service Monitoring filter(s) under your Event Log package(s) so that you'll only get an email alert when this specific service starts and stops.  Select the filter that's currently notifying you of all the services that start and stop, and click + to the right of the Content Filter section on the filter's General tab, and add this text as a "wildcard" type:

*RFswitcher*

That content filter would ensure you only receive email alerts about the RFswitcher service.  Please note, it's likely that you have the wrong Service Key Name in your service monitoring package.  Service Key Names almost never contain a space, while Service Display Names almost always contain a space.  To double-check the Service Key Name, bring up the service manager in Windows by doing Start > Run > Services.msc, and then double-click your RFswitcher service.  The "Service Name" field at the top is what you would want to paste as the Service Key Name or as the Content Filter wildcard value in EventSentry.
commented May 28 by marcusrjones (240 points)
Hi,  I have the default services package and alerts configured at the moment.
I can see an entry in Packages - > Event Logs -> EventSentry Errors that I assume is generating the standard email alerts for services. I also see another one for EventSentry warnings that seems to also be enabled.
I also see Packages -> Event Logs -> EventSentry Alerts -> Service Monitoring contains various exclusions.
I'm not sure how these 2 sets of filters interact and how to implement your suggestion to filter by the Service name, Could you provide some more details of the steps to try this?
Thanks.
commented May 29 by Sally (2,000 points)
It could be any of those filters, you'd have to look at the subject line of your alert.  It'll say something like "EventSentry:Service Monitoring:10100 by Email Critical Events".  Whatever comes after the word "by" is the name of the filter, so in this example you'd want to find the "Email Critical Events" filter and see if it looks like it's related to services starting and stopping.  Rather than dig around in every Event Log package looking for a particular filter, you can use the toolbar to click Packages > Event Logs > Find Filter, and paste the filter name into the "Filter Name" field and then hit enter to find that exact filter and view its settings.

If the matching filter is about services, you can go ahead and add that wildcard entry to change the filter to only notify you about the RFswitcher service.  If it's a generic filter (Email Critical Events is generic) instead you'd want to find the event and create a custom include filter.  There is a tutorial about finding an event, either on the EventSentry server or on another machine, and using it to create a custom filter: https://www.eventsentry.com/support/tutorial/topic/include-exclude-filters/step/1
commented May 30 by marcusrjones (240 points)
That works just as I want now. Found the event in the  log and added an include filter into the EventSentry Alerts -> Service Monitoring adding the wildcard search as you suggested and set to trigger a default email alert.
Welcome to EventSentry Q&A, where you can ask questions and receive answers from other members of the community.
...