
Why is the 'Record Severity' rule designed to trigger only one severity instance alert?

Hi All, hope y'all doin' great!

I have a few questions about the Record Severity rule and the event/log monitoring agent.

When I was working with support, I understood the below and felt really disappointed with the way things are defined.

1. Event Log Monitoring is possible with the below two agents

a. DellWindowsEventLogMonitorAgent - Gives the extra factor in the form of 'Log Monitor' dashboard

b. IC Agent/Windows Agent - Inbuilt feature to monitor Event Logs but no dedicated dashboard

2. Log Monitoring - DellFileLogMonitorAgent

For the alarms to trigger for both event and log monitoring, we should enable the Record Severity rule. (Here, I disabled the IC agent event logs feature.)

But this is where the problem arises: only one severity instance of an alarm is generated per folder/event type.

For example: Event Log Monitoring - I included 2 or 3 event IDs from the Application logs and tried generating alarms, but to my surprise only one alarm was generated. I did not receive any alarms for the rest of the event IDs that I included. The information I received from support is that unless I clear the existing alarm, no new alarm will get generated. But having only one alarm for the entire list of event IDs does not seem to be a justified thing.

For File Log monitoring, I defined severities for each keyword in a log file, expecting I would receive three different alarms, one for each keyword. Surprisingly, even here only one severity instance alert was generated, even though the log monitor dashboard recorded the other keywords.

To summarize, only one alarm is getting generated per severity per event type/folder for either EventLog or FileLog respectively.

I want to understand whether this is the behavior and the agents are designed to function this way, or whether I have misinterpreted things.

Please do not mind the long explanation, as I intended to explain things bit by bit.

 

Thank You