Alerts

Domain Time II Audit Server can raise various alerts based on information collected during collection runs and from real-time data provided by Server and Client.

Configure Alerts
In order for Audit Server to provide alerts, you need to configure the alert thresholds and the type of alerts desired. Select Audit Server -> Alerts -> Configure from the Manager menu.

A machine’s time is off by or more milliseconds
and A machine’s clock has not been set for or more minutes
are used both to determine the threshold for raising an alert at the time of an audit collection run, and also for issuing Real-Time Alerts (see below).

An audited machine fails to respond for or more audits
is used only for raising an alert during an audit collection run.

Domain Time Server and Client version 5.1 or later can send Real-Time Alert data to Audit Server each time they synchronize their time. This data can be evaluated and used to raise an alert based on the thresholds you specified in the Post-Audit Alerts section above.

Each Server and Client must be configured to send Real-Time Alert Data to the Audit Server before alerts can be generated. This can be done by:

• Configuring the Audit Server Real-Time Alerts section of the Status Reports property page on the Server or Client Control Panel applet.
• Using Active Directory policies
• Selecting machines on the Details Pane of Manager's Real-Time Alerts category and right-clicking to choose Enable Real-Time Alerts from the context menu.

Real-Time Alerts appear in the Real-Time Alerts category of Domain Time Manager. Alerts persist until they are dismissed from Manager (by right-clicking the machine's name in the Real-Time Alerts display and choosing Reset Alert item from the context-menu. Real-Time Alerts will also be sent using email if configured. Machines still in alert status at the time of an audit run will also be summarized in Audit summary emails.

Click the Advanced button to set additional parameters for Real-Time Alerts on the Advanced Real-Time Alert Configuration dialog page:

Coalesce  Raise alert immediately Group alerts and send no more often than once every minutes

These selections allow you to group your alerts together to prevent being overwhelmed by immediate alerts, or to receive them as they occur.

Record Backlog  If Audit Server is busy or the service is stopped, an alert backlog can develop. In general, old real-time alerts aren't real-time any more, so Audit Server will ignore all but the most recent ones. Max backlog: records (range 1-10,000)

The Max backlog: setting controls how many older queued alerts should be displayed when a backlog occurs. You shouldn't have to adjust this value unless your server is extremely busy and real-time alerts are regularly being dropped in normal use. If you set this value too large, you may have stale data appearing when a machine is rebooted.

 

Alert Sharing and the Alert Viewer

Alert Sharing  Audit Server can coordinate received alerts with other machines using IPv4 multicast. This allows centralized monitoring of multiple Audit Servers. Disable this option if you are not using centralized monitoring. Alert sharing enabled    Port (default port is 9910)

If this option is enabled, Real-Time Alerts collected and raised by one Audit Server will be reflected on other Audit Servers that are in the same multicast group listening on the selected port (the default is port 9910). This allows you to see all Real-Time Alerts from all Audit Servers using Domain Time Manager. If you are not using multiple Audit Servers (or the Alert Viewer, see below), you may disable this option.

Domain Time II Alert Viewer applet (DTALERT.EXE)

Audit Server includes an Alert Viewer applet that can display the alert status from any/all Audit Servers on your network on any Windows desktop (XP and above) you'd like. It also gives you a handy customizeable desktop clock display. This allows you to have a visual indicator of the status your entire time network on your desktop, or any other system where that information would be useful.

The Alert Viewer applet program is named DTALERT.EXE. The program comes in both 32 and 64-bit versions. If your Domain Time II Manager is 64-bit, the 64-bit version will be located in the C:\Program Files\Domain time II\ folder, and the 32-bit version will be in the C:\Program Files\Domain time II\i386\ folder. Conversely, if your Domain Time II Manager is 32-bit, the 32-bit version will be in the C:\Program Files\Domain time II\ folder, and the 64-bit version will be in the C:\Program Files\Domain time II\AMD64\ folder.

You may copy the DTALERT.EXE file to any machine you'd like (be sure to copy the correct 32 or 64-bit version to match the type of machine), and then run it to configure the clock display and current alert status of your Audit Server(s). You may run as many copies of DTALERT.EXE on various machines as you need.

The program will display the current date and time on your desktop along with a colored flag representing the current alert level. The Alert Viewer shows the current overall alert status present on your monitored Audit Servers. The flag next to the clock will change color to reflect the worst reported status of any monitored system (green, yellow, or red). A white flag indicates the software cannot contact any Audit Servers.

Double-click any part of the clock display to show the alert status of the individual machines providing Real-Time alerts to the monitored Audit Server(s).

Note: The software only reports alert status. To reset or configure alerts, you must use the Manager on the the Audit Server machine(s) actually collecting the Real-Time alerts.

To configure the program options, run DTALERT.EXE and right-click on any part of the clock to display the context menu.

• Clock - These context menu items let you control the appearance and function of the desktop clock display. You can set attributes such as font, color, background, opacity, etc.

• Status - These settings control the display of alert data from your selected Audit Server(s).
  
  • Visible - sets whether the Real-Time Alert Viewer status windows is open and visible. This window displays the status of all machines reporting real-time alerts to your selected Audit Server(s). You can toggle whether this window is open by double-clicking on any part of the clock display.

  • Servers - This is where you tell the viewer which Audit Server(s) you want it to monitor for alerts. Enter the DNS Name or IP address of each Audit Server. Note that Alert Sharing over port 9910 TCP must also be enabled on each listed Audit Server (see above).

  • Date/Time Format - This lets you set the format for all dates and times displayed on the status viewer.

• Start at Logon - When this item is checked, the Alert Viewer will automatically load whenever you log in.




Alert Actions  Audit Server can raise an alert in several different ways. Choose the kinds of alerts you want to receive. Record details in the Event Viewer log Send an email alert notice Send an SNNP trap Community: Server:

Choose your desired alert method in this section. You can also enable/disable these items directly on the Audit Server -> Alerts menu.

The SNMP alerts and Email items require additional configuration.

SNMP Configuration
Enter the SNMP community name and password used by your Network Management System (NMS), as well as its DNS name or IP address. Your community name and password must match the one in use by the receiving system.

Best Practices for SNMP include using a unique community name and hard-to-guess password on production systems. The default community public should only be used for initial testing. Although Domain Time only sends outgoing trap information and is therefore not susceptible to SNMP remote control vulnerabilities, you should still be mindful of SNMP security for the benefit of your other SNMP devices.

The Domain Time MIB File

Domain Time comes with a MIB file that you can use to compile on your SNMP monitoring system so that your traps are interpreted correctly. The MIB text file is generated when you click the button on the Server or Client Control Panel applet so you don't need to worry about locating it in some obscure installation folder or having online access.




Email Configuration
Click the button to configure your Email Settings.

You must configure these email settings before Audit Server can send notification emails.

Email Setup From and Format Selection   [Click for larger size]


Specify the From: email address that will appear on the notification emails. You can also specify the format and MIME part order of the emails:
• Plain Text
• Text part followed by HTML part
• HTML part followed by Text part

  Choose the format that provides the best compatibility with your email system.

 


Email Recipients List   [Click for larger size]


Use the To, CC, and BCC tabs to add the email addresses of your desired recipients.

 


Outgoing SMTP Server Settings   [Click for larger size]


Enter the server address and account login information required for Audit Server to send outgoing mail through your SMTP server.
Once you have entered all of the above information, click the Send Test Email button to generate a test email.

If your test email encounters any errors, you'll receive a pop-up window showing the entire SMTP conversation so you can easily troubleshoot the problem:

Send Test Email, Showing SMTP Error   [Click for larger size]




 


Email Queue Settings and Email Logs   [Click for larger size]


This page contains the settings for the email queue and email logs.
The Queue Folder: specifies the location of the folder where outgoing emails are queued. The email.log trace file is also kept in this folder.

Note: In most cases, you will not need to adjust this location. If you do decide to change the folder location, you must pick a location on a local disk (not a networked share) with sufficient permissions (Change) granted to the Audit Server service account so that it is able to manage the queues.

Use the SMTP Trace:  Disabled Errors Warnings Info Trace Debug drop-down list to select the level of detail you want to keep in the email.log trace file. In general, you should only enable the trace file if you are troubleshooting an email delivery issue. Otherwise, your email.log file may grow to an unmanageable size over time.

Use the Open or Browse buttons to open the queue folder and locate the email.log file, which is a plain text file you can open in any editor, such as Notepad.


IP Restrictions
Click the button to restrict which systems are allowed to contact Audit Server.

IP Restrictions dialog   [Click for larger size]

The IP Restrictions dialog applies to both machines sending Real-Time Alerts and also which machines are available to be Auto-added to the Audit List.

You can both permit and deny access from IP ranges. To restrict a single IP address, enter the same IP address for both the First and Last range items.

 

 Proceed to the Data Collection page
 Back to the Configure Audits page