Top of Page

Domain Time II Audit Server
Version 5.2

Alerts


Domain Time II Audit Server can raise various alerts based on information collected during collection runs and from real-time data provided by Server and Client.

Configure Alerts
In order for Audit Server to provide alerts, you need to configure the alert thresholds and the type of alerts desired. Select Audit Server -> Alerts -> Configure from the Manager menu.

 Post-Audit Alerts 

Audit Server can alert you when the variances on your network exceed the tolerances you specify. Select the conditions to trigger an alert after an audit completes:

   A machine’s time is off by or more secs   ms   µs
        Double-check anomalous test results by sending a follow-up unicast
   A machine’s clock has not been set for or more minutes
   An audited machine fails to respond for or more audits

    Post-Audit Alerts are raised after a scheduled or manually-triggered Audit Run. These thresholds are used to determine which machines raise alerts.

    A machine’s time is off by secs   ms   µs
    Any audited machine with a time delta exceeding this value (as compared to the Reference Time) will raise an alert.

      Double-check anomalous test results by sending a follow-up unicast
      For speed and efficiency, Audit Server first requests audit results by broadcast/multicast. Check this box if not all your machines respond reliably to initial scans (you can see this in the Audit Server log). Although enabling this function is more robust, it may significally slow down audits if you have a large number of non-responding machines, since timeouts are invoked for each audited machine that does not respond.

    A machine’s clock has not been set for or more minutes
    Any audited machine that has not set its time more recently than this value will raise an alert.

    An audited machine fails to respond for or more audits
    An alert is raised if an audited machine hasn't responded for this number of audits.


Real-Time Alerts

 Real-Time Alerts 

Audit Server can raise an alert between audits if a machine reports either that it cannot
set the clock, or that it corrected an excessive delta.

Raise alert upon receipt of a real-time alert from an audited computer if it cannot
        set its clock, or if a correction exceeds or more secs   ms   µs

Do not count the first correction after startup as excessive, regardless of magnitude

Do not raise alerts for unaudited machines

If a Domain Time machine reports that it has lost sync with its PTP master:
     Ignore it
     Treat it as a warning (auto-resets when master regained)
     Treat it like any other error (requires acknowledgement)             
Keep Real-Time Alert history logs   Max log size KB

    v5.x Domain Time Servers and Clients can send Real-Time Alert data to Audit Server during each time check/statistics roll-up event scheduled on the Timings page). This data can be evaluated and used to raise an alert based on the threshold value you specify in this section.

    As of version 5.2.b.20131101, you may instruct Audit Server to not raise an alert based on the first Real-Time response after a component restarts. This prevents spurious alerts during service startup, since the first correction of the clock is often very large.

    Configure Server and Clients for Real-Time Alerts
    Each Server and Client must be configured to send Real-Time Alert Data to the Audit Server before alerts can be generated. This can be done by:

    • Configuring the Audit Server Real-Time Alerts section of the Status Reports property page on the Server or Client Control Panel applet.
    • Using Active Directory policies
    • Selecting machines on the Details Pane of Manager's Real-Time Alerts category and right-clicking to choose Enable Real-Time Alerts from the context menu.

    Real-Time Alerts appear in the Real-Time Alerts category of Domain Time Manager. Alerts persist until they are dismissed from Manager (by right-clicking the machine's name in the Real-Time Alerts display and choosing Reset Alert item from the context-menu. Real-Time Alerts will also be sent using email if configured. Machines still in alert status at the time of an audit run will also be summarized in Audit summary emails.

    You may also set Manager to play sounds when Real-Time Alert status changes. See the Options -> Appearance and Interface -> Interface Options menu item.
     
    Advanced Configuration
    Click the button to set additional parameters for Real-Time Alerts on the Advanced Real-Time Alert Configuration dialog page:

       Coalesce 

      Raise alert immediately
      Group alerts and send no more often than once every minutes

      These selections allow you to group your alerts together to prevent being overwhelmed by immediate alerts, or to receive them individually as they occur.

       Record Backlog 

      If Audit Server is busy or the service is stopped, an alert backlog can develop. In general, old real-time alerts aren't real-time any more, so Audit Server will ignore all but the most recent ones.

      Max backlog: records (range 1-10,000)

      The Max backlog: setting controls how many older queued alerts should be displayed when a backlog occurs. You shouldn't have to adjust this value unless your server is extremely busy and real-time alerts are regularly being dropped in normal use. If you set this value too large, you may have stale data appearing when a machine is rebooted.

      Alert Sharing and the Alert Viewer

       Alert Sharing 

      Audit Server can forward received alerts or status changes to the DTAlert program for real-time desktop display of individual and overall status on multiple machines.

      Alert sharing enabled     Auto-Manage Windows Firewall
         TCP Port (default port is 9910)

      If this option is enabled, you may monitor the status of your Real-Time alerts using the Domain Time II Alert Viewer (see below). This port is also used if you are using the Audit Server Standby Mode. If you are not using the Alert Viewer or Standby Mode, you may disable this option.

        Force Auto-Manage Windows Firewall
        As of Version 5.2.b.20150828, Domain Time supports automatic management of the Windows Firewall to allow access to the required time protocol and control ports. See Auto-Manage Windows Firewall Settings for a detailed explanation.

        Domain Time II Alert Viewer applet (DTALERT.EXE)

        Audit Server includes a handy Alert Viewer applet that can display the alert status from any/all Audit Servers on your network on any Windows desktop (XP and above) you'd like. It also gives you a handy customizeable desktop clock display. This allows you to have a visual indicator of the status your entire time network on your desktop, or any other system where that information would be useful. It also makes an excellent desktop clock.

          Domain Time Alert Viewer
          Domain Time Alert Viewer   [Click for larger size]

          The Alert Viewer applet program is named DTALERT.EXE. The program comes in both 32 and 64-bit versions. If your Domain Time II Manager is 64-bit, the 64-bit version will be located in the C:\Program Files\Domain time II\ folder, and the 32-bit version will be in the C:\Program Files\Domain time II\i386\ folder. Conversely, if your Domain Time II Manager is 32-bit, the 32-bit version will be in the C:\Program Files\Domain time II\ folder, and the 64-bit version will be in the C:\Program Files\Domain time II\AMD64\ folder.

          You may copy the DTALERT.EXE file to any machine you'd like (be sure to copy the correct 32 or 64-bit version to match the type of machine), and then run it to configure the clock display and current alert status of your Audit Server(s). You may run as many copies of DTALERT.EXE on various machines as you need.

          The program will display the current date and time on your desktop along with a colored flag representing the current alert level. The Alert Viewer shows the current overall alert status present on your monitored Audit Servers. The flag next to the clock will change color to reflect the worst reported status of any monitored system (green, yellow, or red). A white flag indicates the software cannot contact any Audit Servers. As of 5.2.b.20170101, you can also enable audio alerts to be notified by a sound when the status changes.

          Double-click any part of the clock display to show the alert status of the individual machines providing Real-Time alerts to the monitored Audit Server(s).

          Note: The software only reports alert status. To reset or configure alerts, you must use the Manager on the the Audit Server machine(s) actually collecting the Real-Time alerts.

          To configure the program options, run DTALERT.EXE and right-click on any part of the clock to display the context menu.

          • Clock - These context menu items let you control the appearance and function of the desktop clock display. You can set attributes such as font, color, background, opacity, etc.

          • Status - These settings control the display of alert data from your selected Audit Server(s).

            • Visible - sets whether the Real-Time Alert Viewer status windows is open and visible. This window displays the status of all machines reporting real-time alerts to your selected Audit Server(s). You can toggle whether this window is open by double-clicking on any part of the clock display.

            • Servers - This is where you tell the viewer which Audit Server(s) you want it to monitor for alerts. Enter the DNS Name or IP address of each Audit Server. Note that Alert Sharing over port 9910 TCP must also be enabled on each listed Audit Server (see above).

            • Date/Time Format - This lets you set the format for all dates and times displayed on the status viewer.

          • Start at Logon - When this item is checked, the Alert Viewer will automatically load whenever you log in.

      Auto-Acknowledgement of Resolved Alerts

       Auto-Acknowledgement of Resolved Alerts 

      Real-time alerts that resolve themselves change from red to yellow, and normally stay yellow to let you see that an error had occurred. You may acknowledge warnings using Manager, or have Audit Server do it automatically.

      Auto-Acknowledge enabled
         Wait: minutes after last error occurred.

      If this option is enabled, Audit Server will automatically acknowledge Real-Time Alert warnings for machines that are not still in an error state. The machines will return to green status after the period of time you specify here. If unchecked, machines that had an issue will stay in the yellow warning state until manually acknowledged using Domain Time Manager.


Alert Actions

 Alert Actions 

Audit Server can raise an alert in several different ways. Choose the kinds of alerts you want to receive.

Record details in the Event Viewer log
Send an email alert notice
Send an SNMP trap

Community:
Server:

    Choose your desired alert method in this section. You can also enable/disable these items directly on the Audit Server -> Alerts menu.

    The SNMP alerts and Email items require additional configuration.

    SNMP Configuration
    Enter the SNMP community name and password used by your Network Management System (NMS), as well as its DNS name or IP address. Your community name and password must match the one in use by the receiving system.

      Best Practices for SNMP include using a unique community name and hard-to-guess password on production systems. The default community public should only be used for initial testing. Although Domain Time only sends outgoing trap information and is therefore not susceptible to SNMP remote control vulnerabilities, you should still be mindful of SNMP security for the benefit of your other SNMP devices.

      The Domain Time MIB File

      Domain Time comes with a MIB file that you can use to compile on your SNMP monitoring system so that your traps are interpreted correctly. The MIB text file is generated when you click the button on the Server or Client Control Panel applet so you don't need to worry about locating it in some obscure installation folder or having online access.


    Email Configuration
    Click the button to configure your Email Settings.

      You must configure these email settings before Audit Server can send notification emails.

        Set the From address

        Email Setup From and Format Selection
        Email Setup From and Format Selection   [Click for larger size]

        Specify the From: email address that will appear on the notification emails. You can also specify the format and MIME part order of the emails:

        • Plain Text
        • Text part followed by HTML part
        • HTML part followed by Text part

          Choose the format that provides the best compatibility with your email system.

         
        Set the TO/CC/BCC distribution lists

        Email Recipients List
        Email Recipients List   [Click for larger size]

        Use the To, CC, and BCC tabs to add the email addresses of your desired recipients.

         
        Set the Outgoing Server

        Outgoing SMTP Server Settings
        Outgoing SMTP Server Settings   [Click for larger size]

        Enter the server address and account login information required for Audit Server to send outgoing mail through your SMTP server.

         
        Optional: Real-Time Alert and Daily Summary distribution lists

        Real-Time Alerts/Summaries Distribution List Settings
        Real-Time Alerts/Summaries Distribution List Settings   [Click for larger size]

        As of version 5.2.b.20160922, Audit Server has the ability to send Real-Time Alert and Daily Summary emails to a different distribution list than the addresses used in the TO/FROM/BCC settings. To use this feature, uncheck the Use To/CC/BCC list... checkbox and enter the email addresses you want to use for the distribution list. If enabled, Real-Time Alerts and/or Daily Summaries will only go to the addresses listed here, they will no longer be sent to the TO/CC/BCC address lists.

         
        Send Test Email
        Once you have entered all of the above information, click the Send Test Email button to generate a test email.

        If your test email encounters any errors, you'll receive a pop-up window showing the entire SMTP conversation so you can easily troubleshoot the problem:

        Send Test Email, Showing SMTP Error
        Send Test Email, Showing SMTP Error   [Click for larger size]

         
        Check the email queue to troubleshoot delivery issues

        Email Queue Settings and Email Logs
        Email Queue Settings and Email Logs   [Click for larger size]

        This page contains the settings for the email queue and email logs.

          The Queue Folder: specifies the location of the folder where outgoing emails are queued. The email.log trace file is also kept in this folder.

        Note: In most cases, you will not need to adjust this location. If you do decide to change the folder location, you must pick a location on a local disk (not a networked share) with sufficient permissions (Change) granted to the Audit Server service account so that it is able to manage the queues.

        Use the SMTP Trace:  drop-down list to select the level of detail you want to keep in the email.log trace file. In general, you should only enable the trace file if you are troubleshooting an email delivery issue. Otherwise, your email.log file may grow to an unmanageable size over time.

        Use the Open or Browse buttons to open the queue folder and locate the email.log file, which is a plain text file you can open in any editor, such as Notepad.

         


        Advanced Configuration: Email-related registry settings
        Depending on your email server configuration, you may also need to adjust these additional settings in the Windows registry.

        Email registry settings are located in the HKEY_CLASSES_ROOT\Gap\GWServiceSMTP key.

          TLSIgnoreCertErrors (REG_DWORD)
          Introduced in v5.2.b.20140922 with default=0 (ignore no errors). As of v5.2.b.20160711, the default changed to 0x311 (accept certs that are self-signed, expired, or have the wrong CN)

            If this value is zero, the server cert must pass all tests. If the value is non-zero, it is a bitmask specifying which particular types of errors may be ignored. See Microsoft's documentation for a list of certificate errors that may be ignored. Use a logical OR to combine multiple values.

            • 0x00000080 - Ignore errors associated with certificate revocation
            • 0x00000100 - Ignore errors associated with an unknown (or self-signed) certificate authority
            • 0x00000200 - Ignore errors associated with wrong use of a certificate
            • 0x00001000 - Ignore errors associated with an invalid/mismatched common name
            • 0x00002000 - Ignore errors associated with an expired certificate

            You may set the value to 0x10000000 in order to regain strict certificate checking, 0x0000FFFF to disable certificate checking altogether, or any combination of the above values.

          TLSAcceptableProtocols (REG_DWORD)
          Introduced in v5.2.b.20160711. This is a bitmask of acceptable encryption protocols. The default value is 0x0AA0. Use a logical OR to combine multiple values.

            • 0x00000002 - PTC1 (not recommended)
            • 0x00000008 - SSL2 (not recommended)
            • 0x00000020 - SSL3 (not recommended, but included in default for backward compatibility)
            • 0x00000080 - TLS 1.0 (not recommended, but included in default for backward compatibility)
            • 0x00000200 - TLS 1.1
            • 0x00000800 - TLS 1.2
            • 0xFFFFFFFF - any available protocol (not recommended)

          FQDN (REG_SZ)
          Introduced in v5.2.b.20160711. This value contains the name to use during SMTP envelope negotiations; specifically, it is the name presented as the HELO or EHLO name immediately after receiving the server's greeting.

            In previous versions, the name used was the sending machine's fully-qualified host name. However, workgroup members or machines just starting may only have a bald hostname available. This new value is set the first time an email is sent, and used thereafter for all subsequent emails. If a fully-qualified name is not discoverable, then Domain Time will use either a dotted-quad IP enclosed in brackets, or the computer name followed by .smtp.local. RFC 2821 section 4.1.1.1 requires one of these two forms. You may change the name if your particular email server requires an externally-verifiable DNS name to be presented.

      As of v5.2.b.20170522, you may also customize the subject lines of your alert emails by making a change in the registry. See the SMTP section of the registry documentation.


    IP Restrictions
    Click the button to restrict which systems are allowed to contact Audit Server.

 

Next Proceed to the Data Collection page
Back Back to the Configure Audits page

Domain Time II Software distributed by Microsemi, Inc.
Documentation copyright © 1995-2017 Greyware Automation Products, Inc.
All Rights Reserved
All Trademarks mentioned are the properties of their respective owners.