SevOne Performance Log Appliance: First Occurrence Alerting


SevOne Product Manager, Tom Grabowski explains how SevOne can help you can automatically look for unique log data and messages in real time.


Hi. This is Tom Grabowski, SevOne product manager. Today, I'm going to show you how we look at first value occurrence in log data. It's an important feature that we have on the performance log appliance at SevOne. It allows us to view, look for unique events, message type error codes, types of alerts that are happening across our log data. To really get started, looking, first we need to set up the alert in our alert configuration. I'm going to look at the first occurrences. You can create a new rule set or configure an existing rule set.

I'll add a rule, and click on the next find the first value occurrence option, and then find the tag or value that you want to look for first values on. You know, whether I want to look at host names, data sources, message types. I'm going to do host names for now. I think I'm set that one up. The upper tolerance, lower tolerance, this is for, you know, how many items you want to see before you configured it as a first value occurrence.

If I put zero for upper tolerance, it means that any new value, any new unique value, in this case, any new host name will alert, will send off new alert that there's value. I can go in, set up my information. Send me an email when I get the alert. New host name, and now, I've added my alert and it's there. We have several others that we're looking for first values on. I'll show you what message type, how that appears when we get a new message type. Message type is a tag we use a lot for Cisco routers or ASA Firewalls; that type of thing when they have message codes.

If I look at my alerts here, I can look at my filter on my first value occurrences from my message types. You know. Take a look, I've got a new message type here that I saw a couple days ago. It shows me that it was a q-full. There's a couple others here, DNS Server. I got four messages at that time. You can just click on those items. It shows us right away those specific events, you know, that occurred. Here, DNS query was too short. We got four messages on that coming from this IP address. Might be something to look at a little bit more about, you know, what happened with those DNS queries.

Great thing about first value occurrence is, you know, what we've done is we basedlined the log data and we're able to show you, kind of, those unique alerts that you don't get very often or you don't get and, be able to find those events even though we're collecting millions of events a day. Really hard to do when, you know, to know the unknown or to search for the unknown. I could've searched for DNS errors only if I've known that I've been getting those types of errors. This is a great thing with base-lining and monitoring your log data. Again, this is Tom Grabowski, SevOne project manager, showing you the value of first value alerting. Thank you.