NetWitness Community

RenatoGoncalves · ‎2018-12-20

I created policies for monitoring Windows Events.

I created a high threshold of 2111111111 events in 30 minutes and it fires up constantly.

The thing is: in investigate i searched for events in a minute and i get 20000. 20000x30 minutes gives me 630000.

So the question is how does te monitoring policies work to fire up the alarm for 2111111111??

someone · ‎2018-12-21

From experience I've seen than this is not working properly if the value in your threshold is either too high or too low.

For example if you specified 5 or 500000000 it might not work as if you did with 100 or 500000.

Try to use as realistic values as possible for your environment and do a lot of testing before you can rely on this.

david_waugh · ‎2018-12-21

I know we had a case where the alarm would not clear and this was apparently fixed in 10.6.6, which we have yet to go to.

This means that if the event source recovered, you would still get alarms!

RenatoGoncalves · ‎2018-12-21

The thing is Marinos,

I already setup the max threshold to various numbers: 1000000, 630000, 1000000, etc and it still fires a lot.

I want it to stay with a number that could be dangerous to the stability of the system....and for now im receiving messages for high threshold many many time a day.

RenatoGoncalves · ‎2018-12-21

Im using 11.2. Does this version has te same problem?

someone · ‎2019-01-04

If engineering have not replicated the issue and fixed it, then yes, it will be copy pasted to all versions.

NetWitness Community

Monitoring Policies