Incident Triggers are definitions of significant events that should be recorded by ControlUp. Each trigger includes a list of conditions which specify when the incident will be recorded and which follow-up actions will be performed at that time. The Triggers Settings window is used to define those triggers, while the Incidents Pane is used for viewing and analyzing the resulting incidents.
Cloud Analytics Triggers
ControlUp offers built-in incident triggers supplied by ControlUp Cloud Analytics. These triggers are based on vendor recommendations and industry best practices. For example, a “Citrix XenApp Events” trigger delivered by Cloud Analytics defines all event log entries recommended for monitoring by Citrix. From time to time, those triggers will be updated to include new known issues and best practices. The idea behind Cloud Analytics is to provide ControlUp users with information about events that correspond to known issues.
ControlUp users can configure their own incident triggers to record irregularities, errors, performance issues and other events specific to the monitored environment. Incident triggers are stored in the organization’s public configuration set, meaning that there is only one set of triggers shared by all users in a ControlUp organization. In order to make changes to the triggers, the user needs the “Configure Incident Triggers” organization-wide permission.
Creating and Modifying an Incident Trigger
Step 1: Selecting an Incident Type
In order to create an incident trigger, click the “Add Trigger” button in the “Triggers Settings” window. A New Incident Trigger wizard will open. The first stage in creating a trigger is choosing the incident type. The following incident types are supported:
- Stress Level – captures an increase in a record’s Stress Level value. This type of incident applies to all record types in ControlUp (Folders, Hosts, Computers, Sessions, Processes, Executables and Accounts). Choose this trigger to capture all types of performance issues, such as excessive resource consumption.
- Windows Event – captures entries recorded in the operating system event logs of your managed computers. Select this trigger in order to record Windows event log entries for later analysis or troubleshooting.
- Computer Down – this trigger is activated when a computer monitored by ControlUp becomes unavailable, for any reason.
Note: incidents of this type are only recorded by ControlUp Monitor, because continuous monitoring is required in order to detect a “Computer Down” event and ControlUp Console is not intended for continuous monitoring.
- Process Started – this trigger is activated when a process matching a defined set of criteria is started on any of the managed computers.
- Process Ended – this trigger is activated when a process matching a defined set of criteria is terminated on any of the managed computers.
- User Logged On – this trigger is activated when a user logs on to one of your managed computers.
- User Logged Off – this trigger is activated when a user logs off from one of your managed computers.
- Session State Changed – this trigger is activated when a user session’s state changes on one of your managed computers.
- Advanced – this trigger is activated when a custom set of conditions applies to a row in ControlUp's information grid. Use this trigger type to capture a scenario which is not covered by any other trigger type.
Step 2: Configuring Incident Details
For Stress Level triggers, configure the following details:
- Record type – the kind of ControlUp record to which the trigger applies (Folder, Computer, Session, Process, Account or Executable).
- Stress Level – the minimum Stress Level threshold to trigger the incident.
- Duration – the minimum period during which the record needs to stay above the configured stress level.
For Computer Down triggers, select one of the following reasons:
- Agent down
- Connection dismissed
- Organization restriction
For Session State Changed triggers, configure the following details:
- From State – the state of the user session before the change
- To State – the state of the user session after the change
Step 3: Adding Filtering Criteria
For every trigger, you may configure an advanced filter using any combination of criteria, which will be evaluated against all the properties of the affected records. For example, you might want to configure a Stress Level trigger which only captures the activity of processes with a certain name or a Windows Event trigger which only captures specific event IDs.
The Filter Editor is a window in which you can configure your criteria. This window is similar to the “Item Level Targeting” filter control used in Microsoft Windows Group Policy Management Console (GPMC), and uses the same logic.
Note: when configuring search criteria on a string attribute, please note the following behavior of wildcards:
|Search string|Will match|Will not match|
|---|---|---|
|test|test|any string except “test”|
|test*|test1, test111, 1test1, 111test111 (or any other string in which “test” is followed by one or more characters)|test, 1test, 111test (any string which ends with “test”)|
|*test|1test, 111test, 1test1, 111test111 (or any other string in which “test” is preceded by one or more characters)|test, test1, test111 (any string which begins with “test”)|
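The wildcard behavior in the table above can be modelled in a few lines to pre-check a filter string against sample values before saving a trigger. This is an added example, not ControlUp code: `filter_matches`, `audit` and the case-sensitive comparison are assumptions, and only the three pattern forms shown in the table are handled.

```python
import re

# Constructed sample values: the strings that appear in the wildcard table.
TABLE_SAMPLES = ["test", "test1", "test111", "1test", "111test",
                 "1test1", "111test111"]


def filter_matches(pattern: str, value: str) -> bool:
    """Model of the table: 'literal', 'literal*' or '*literal'.

    Assumption: comparison is case-sensitive (the page does not say).
    """
    literal = pattern.strip("*")
    if not literal or pattern.count("*") > 1 or "*" in literal:
        raise ValueError("pattern form not covered by the table: %r" % pattern)
    if pattern.endswith("*"):
        # The literal must be followed by one or more characters,
        # anywhere in the string (so "1test1" matches "test*").
        return re.search(re.escape(literal) + ".", value, re.DOTALL) is not None
    if pattern.startswith("*"):
        # The literal must be preceded by one or more characters.
        return re.search("." + re.escape(literal), value, re.DOTALL) is not None
    # No wildcard: exact match only.
    return value == pattern


def audit(pattern, intended, observed):
    """Compare what a filter captures with what the trigger author intended."""
    hits = {v for v in observed if filter_matches(pattern, v)}
    return {
        "missed": sorted(set(intended) - hits),      # incidents never recorded
        "unintended": sorted(hits - set(intended)),  # extra alert noise
    }


if __name__ == "__main__":
    # A filter meant to capture every name that starts with "test".
    print(audit("test*", ["test", "test1", "test111"], TABLE_SAMPLES))
```

Under this model, a criterion of `test*` misses the bare name `test` and also captures `1test1`, so a trigger meant to cover a whole name family needs an additional exact-match criterion.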
Step 4: Configuring Trigger Scope and Schedule
Using the Scope drop-down box you can select which folder the trigger applies to. The “Include all child folders” checkbox controls whether this setting applies to the entire folder structure under the selected folder. By default, any newly created trigger applies to the entire organization.
The Schedule drop-down box allows you to select when an incident will be active. By default, any newly created triggers are active at all times (“All Days” schedule). Using the “Add New Schedule” option, you can define a new time pattern.
Step 5: Adding Follow-up actions
Every trigger may include one or more follow-up actions. The following actions are available:
- Send an e-mail alert – delivers an e-mail with the incident details to the selected recipients. A valid recipient has to be a ControlUp user in your organization who has verified their e-mail address by activating their ControlUp account. This follow-up action uses ControlUp Hybrid Cloud services for the delivery of alerts and does not require a local mail server.
- Send a mobile push notification – delivers an alert to your mobile devices using ControlUp Mobile Apps. For more information please refer to the Mobile Apps documentation page.
- Dump view/s to disk – when the incident is triggered, this follow-up action will save the contents of the selected ControlUp views to the disk as a comma-delimited file.
- Record an event in the Application Log – will create a new log entry in the Windows Application Log of the computer that detected the incident.
- Play a sound alert in the console – if ControlUp console is open when the incident is detected, the console will play the selected sound file.
- Send an e-mail alert using a local SMTP server – delivers an e-mail alert with the incident details to any number of valid e-mail addresses, via a user-configured SMTP server. This will occur only if your organization includes an active instance of ControlUp Monitor which has been configured with sufficient connection details and credentials to send messages using the SMTP server.
Note: incidents will be recorded in your organization’s incidents database for later analysis, even if no follow-up actions are configured.
Step 6: Set a name and description for the trigger
A name and description will be automatically generated for every trigger. It is recommended that you review the name and description in order to ensure that you will be able to identify the trigger when you receive alerts or analyze incidents.