DX Unified Infrastructure Management


how to correlate two alerts for cpu utilization?

  • 1.  how to correlate two alerts for cpu utilization?

    Posted Oct 31, 2016 04:51 AM

    Currently CPU utilization is monitored through the CDM probe. We are getting alerts whenever McAfee antivirus is doing a full scan on the weekend. We have configured mcshield process monitoring to understand if the alert is generated because the process is being utilized by the antivirus.

     

    Now we are getting two alerts for the same issue and I want to correlate both alerts to generate only one in such a scenario.

     

    Any suggestions?

     

    Regards,

    Imran



  • 2.  Re: how to correlate two alerts for cpu utilization?



  • 3.  Re: how to correlate two alerts for cpu utilization?

    Broadcom Employee
    Posted Nov 02, 2016 08:16 AM

    Hi Imran, If your query has been answered please mark this as correct.



  • 4.  Re: how to correlate two alerts for cpu utilization?

    Posted Nov 07, 2016 06:18 AM

    Hi Darryl,

     

    I want to know if I can correlate alerts in UIM at the first stage.

     

    Regards,
    Imran



  • 5.  Re: how to correlate two alerts for cpu utilization?

    Posted Nov 08, 2016 03:07 AM

    Hi Imran,

     

    If your requirement is to know which process is consuming the most CPU when a threshold is exceeded at a certain time, the cdm probe alone would do the job. If you are using the latest version of cdm, you can by default pick up the top n processes that are consuming the CPU when the threshold is exceeded, and only one alert would be generated, listing the top processes in the alarm.

     

    Hope I understood your requirement correctly.



  • 6.  Re: how to correlate two alerts for cpu utilization?

    Posted Nov 08, 2016 04:20 AM

    Hi Phani,

     

    Thanks for the reply. I am not using CDM for process monitoring. I am using the process probe and configured an mcshield process profile to generate a (Major) alert when McAfee utilizes the CPU up to 50%. Besides, I am using the cdm probe to generate an alert for total CPU utilization.

     

    Now I will have two alerts on the console and I want to generate only one alert with the information mentioned in the alert generated by the process probe.

     

    I hope this clarifies the requirement. I believe we can use AO in nas and do the customization, but I need some help with this, or if someone has done any correlation in AO then kindly suggest something.

     

    Regards,

    Imran K



  • 7.  Re: how to correlate two alerts for cpu utilization?

    Posted Nov 08, 2016 04:43 AM

    Hi Imran,

     

    I did not exactly get why you want to use two probes to monitor the process and correlate them into a single alarm instead of using a single probe and getting one alarm.

     

    Also, what is it that you want to correlate from both the alarms to get as a final output?

     

    Are you expecting to see the CDM probe monitoring CPU at an 80% threshold and picking up the TOP 5 processes, and the Process probe monitoring the mcshield process at 50%, and if both alarms are generated at the same time you want to correlate them and generate a new alarm with the mcshield process being the main culprit?

     

    Please clarify.



  • 8.  Re: how to correlate two alerts for cpu utilization?

    Posted Nov 08, 2016 05:01 AM

    Hi Phani,

     

    FYI, we are getting frequent alerts because of McAfee on the weekend when it starts a full scan. We want to capture the information in the alert when the CPU-related alert is generated because of McAfee.

     

    I tried using the CDM probe but I guess it is not recommended for process monitoring. Moreover, I received multiple alerts from servers when we used the custom profile feature.

     

    Initially I want to set up a 50% threshold for McAfee because I assume that there will be more processes utilizing the CPU. This is kind of testing initially and the actual threshold will be decided after testing, but before that I need to find a way to correlate both alerts; only then can I proceed with this.

     

    Kind Regards,

    Imran K



  • 9.  Re: how to correlate two alerts for cpu utilization?

    Posted Nov 08, 2016 06:00 AM

    Hi Imran,

     

    When you see an alert like the one below from cdm, it would also include McAfee along with the remaining processes and will tell you what % of CPU that specific process is using when a spike occurs:

     

    Average (6 samples) total cpu is now 92.14%, which is above the error threshold (90%).Top Processes [mssdmn.exe[4656]-(36.33%)];[mssearch.exe[5464]-(22.17%)];[w3wp.exe[12392]-(20.83%)];[SavService.exe[11784]-(14.17%)];[wsstracing.exe[2996]-(1.83%)]

     

    Anyway, I will leave this for more comments. Maybe others have some better ideas.



  • 10.  Re: how to correlate two alerts for cpu utilization?

    Posted Nov 08, 2016 06:07 AM

    Btw, this question is opened under SOI. Move it under UIM for better visibility.



  • 11.  Re: how to correlate two alerts for cpu utilization?

    Posted Nov 08, 2016 07:43 AM

    I wanted to check the feasibility in both UIM and SOI.



  • 12.  Re: how to correlate two alerts for cpu utilization?

    Posted Nov 20, 2016 10:56 AM

    Speaking to UIM, there are a number of ways to address this:

     

    Have you considered using triggers and generating the alert off a logical combination of them? One trigger would be set based on the CPU usage out of CDM and the second trigger would be set based on the CPU usage of the McAfee process. Then you would generate the alarm off (First Trigger AND NOT Second Trigger). It's not a solution that scales because you have to generate the specific triggers, but if this is a single point solution it might work.

     

    Another option would be to have an AO profile that closed both the CDM and Process alerts when the McAfee alert was received. If you put a long enough delay on whatever was configured to act based on the total CPU usage alert, you might get away with this - I do this in my configuration where UIM alerts are sent to Salesforce.com once they reach 80 seconds old - that gives me a window to clean up events that I can't prevent being detected at the source but don't want forwarded.

     

    -Garin
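
Added example (not part of any post in this thread, and not nas AO or probe code): a stand-alone Python sketch of the hold-off correlation discussed above, which also parses the "Top Processes" list from the cdm alarm text quoted in post 9. The `Alarm` record, the probe labels, the host names and the process-probe message are assumptions constructed for illustration; only the cdm message and the 80-second window come from the thread.

```python
import re
from dataclasses import dataclass

HOLD_SECONDS = 80  # hold-off window mentioned in the last post
# Matches one "[name[pid]-(pct%)]" entry of the cdm "Top Processes" list.
TOP_RE = re.compile(r"\[([^\[\]]+)\[(\d+)\]-\(([\d.]+)%\)\]")

@dataclass
class Alarm:              # simplified stand-in for an alarm record (assumption)
    host: str
    probe: str            # "cdm" or "processes" (labels used in this sketch)
    ts: int               # arrival time in seconds
    message: str

def top_processes(message):
    """Return [(name, pid, cpu_pct), ...] parsed from a cdm CPU alarm."""
    return [(n, int(p), float(c)) for n, p, c in TOP_RE.findall(message)]

def correlate(alarms, hold=HOLD_SECONDS):
    """Return the alarms to forward. A cdm total-CPU alarm is dropped when a
    process-probe alarm for the same host arrived within `hold` seconds of it,
    so only the alarm that names the process survives."""
    proc = [a for a in alarms if a.probe == "processes"]
    forward = []
    for a in sorted(alarms, key=lambda x: x.ts):
        explained = a.probe == "cdm" and any(
            p.host == a.host and abs(p.ts - a.ts) <= hold for p in proc)
        if not explained:
            forward.append(a)
    return forward

# cdm alarm text as quoted in post 9 of this thread.
CDM_MSG = ("Average (6 samples) total cpu is now 92.14%, which is above the "
           "error threshold (90%).Top Processes [mssdmn.exe[4656]-(36.33%)];"
           "[mssearch.exe[5464]-(22.17%)];[w3wp.exe[12392]-(20.83%)];"
           "[SavService.exe[11784]-(14.17%)];[wsstracing.exe[2996]-(1.83%)]")

# Constructed sample: hosts, timestamps and the process alarm text are made up.
SAMPLE = [
    Alarm("srv01", "cdm", 1000, CDM_MSG),
    Alarm("srv01", "processes", 1030, "mcshield.exe cpu above 50% (constructed)"),
    Alarm("srv02", "cdm", 1040, CDM_MSG),   # no process alarm: must be kept
]

if __name__ == "__main__":
    for a in correlate(SAMPLE):
        print(a.host, a.probe, a.message[:60])
    print(top_processes(CDM_MSG))
```
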