Viewing Global Events


This section describes how to view events in the SL1 Global Manager system. You can view events on the Events page, which you can access by clicking the Events icon.

Use the following menu options to navigate the SL1 user interface:

  • To view a pop-out list of menu options, click the menu icon.
  • To view a page containing all the menu options, click the Advanced menu icon.


Viewing the Global List of Events

The Events page displays a list of active events, from critical to healthy. From this page you can acknowledge, clear, and view more information about an event. You can also view events by organization to focus only on the events that are relevant to you.

By default, the events listed on the Events page are sorted by severity, highest to lowest, and then secondarily sorted by the events' last occurrences, most recent to least recent. This ensures that the most severe and most recent events appear at the top of the page. If you prefer, you can change the sorting preferences and SL1 will recall those changes the next time you return to the Events page.

To navigate to the Events page, click the Events icon.

In a Global Manager system:

  • When the Global View button on the Events page is toggled on, you can view a list of events that have occurred across all of the stacks in your Global Manager system.
  • When the Global View button on the Events page is toggled off, you can view a list of events that have occurred only on the Global Manager system itself.

If you are looking for a specific set of events, click the gear icon to the right of the Search field and select Advanced. In this mode, you can create an advanced search using "AND" or "OR" operators for multiple search criteria. For more information, see Performing an Advanced Search.

For each event, the Events page displays the following information:

  • Organization. The organization with which the event is associated. Click the organization hyperlink to view more information about the organization.
  • Severity. The severity of the event. Possible values are:
      • Critical. Indicates a condition that can seriously impair or curtail service and requires immediate attention (for example, service or system outages).
      • Major. Indicates a condition that impacts service and requires immediate investigation.
      • Minor. Indicates a condition that does not currently impair service but needs to be corrected before it becomes more severe.
      • Notice. Indicates a condition that does not affect service but about which users should be aware.
      • Healthy. Indicates that a device or condition has returned to a healthy state. Frequently, a healthy event is generated after a problem has been fixed.

Optionally, you can filter the list of events so that only events of a specific severity level appear on the Events page. For more information, see the section Filtering Events by Severity.

  • Name. The name of the entity associated with the event. Click the name hyperlink to view more information about the entity.
  • Message. The message generated for the event. Click the message hyperlink to go to the Event Investigator, where you can view more information about the event, including a description, the probable cause for the event, and possible resolutions, among other things.

You can also view the Event Investigator page by clicking the Actions button for the event and selecting View Event.

  • Age. The number of days, hours, and minutes since the first occurrence of the event. This is also the time since the event occurred without the event having been cleared.
  • Count. The number of times the event has occurred, the number of child events associated with the event, or the number of masked events associated with the event.
  • Event Note. Click the Note icon to view any existing user-defined notes about the event or to create or edit a note about the event. When you do so, the Edit Event Note modal page appears, where you can create or edit a note and save your changes. For more information, see the section Viewing and Editing Event Notes.

You can also view, create, or edit event notes by clicking the Actions button for the event and selecting Edit Event Note.

  • Masked Events. If the event has occurred multiple times on the same device that uses the event mask setting, click the magnifying glass icon or the Masked hyperlink to go to the Event Investigator page, where you can view details about the masked events. For more information, see the section Filtering for Masked Events.

You can also view masked events on the Event Investigator page by clicking the Actions button for the event and selecting View Event.

  • Automated Actions. The number of times the event has triggered the execution of an automation policy. If the event has triggered one or more automated actions, click the number hyperlink to go to the Event Actions Log, where you can view a log of all automated actions that have occurred for the event. For more information, see the section Viewing Automated Actions.

You can also view the Event Actions Log modal page by clicking the Actions button for the event and selecting View Automation Actions.

  • Event ID. The unique ID for the event, generated by SL1. Click the ID hyperlink to go to the Event Investigator. In a Global Manager system, when the Global View button is toggled on, the event ID will be preceded by a number and an underscore, where the number preceding the underscore represents the stack on which the event occurred.

  • Event Source. The system or application that generated this event. Possible values are:
      • Syslog. The event was generated from a system log generated by a device.
      • Email. The event was generated by an email from an external agent. For example, Microsoft Operations Manager (MOM).
      • Internal. The event was generated by SL1.
      • Trap. The event was generated by an SNMP trap.
      • Dynamic. The event was generated by a Dynamic Application collecting data from the device.
      • API. The event was generated by a snippet Run Book Action, a snippet Dynamic Application, a request to the ScienceLogic API, or by an external system.
      • SL1 agent. The event was generated by log file messages collected by the SL1 agent. For more information about creating Log File Monitoring Policies to monitor log file messages collected by the agent, see the section on Monitoring Device Logs Using an Agent.

  • Event Type. The type of entity associated with the event. Possible values are:
      • Organizations
      • Devices
      • Assets
      • IP networks
      • Interfaces
      • Business Service
      • IT Services
      • Device Services
      • Vendors
      • User Accounts
      • Virtual Interfaces

  • Last Detected. The date and time at which the event last occurred on the entity.
  • Ticket External Reference. The numeric ID associated with a ticket from an external ticketing system (that is, a ticket that was not created in SL1). Click the ticket reference value to view the external ticket in a new window.

NOTE: To link an external ticket to an event, you must create a custom Run Book Automation policy and a custom Run Book Action or use the ScienceLogic APIs. For more information, see the Configuring Global Manager for Event Ticketing section. For help with these tasks, contact ScienceLogic Customer Care.

  • Ticket ID. The ticket ID of the ticket that has been created for the event, if applicable.
  • Stack Name. The name of the stack on which the event occurred.
  • Stack ID. The numeric ID of the stack on which the event occurred.
  • Acknowledge. If the event has not been acknowledged, this column displays an Acknowledge button; click the button to acknowledge the event. If the event has been acknowledged, this column displays a check-mark character and specifies the user who acknowledged the event. For more information, see the section Acknowledging and Clearing Events.
  • Clear. Click the Clear button to clear the event. When you do so, the event is removed from the Events page. For more information, see the section Acknowledging and Clearing Events.

To rearrange the columns in the list, click and drag the column name to a new location. You can adjust the width of a column by clicking and dragging the right edge of the column. For more information about editing and adding columns, see Editing the Settings for an Inventory Page.

Searching and Filtering the List of Events

This section explains how to filter the list of events so you can quickly locate and address any potential issues in your environment.

Filtering Events by Severity

The Events page displays a list of currently active events, which can be sorted by any column, such as severity from critical to healthy. You can filter the list of events by severity by clicking one or more of the five colored buttons near the top of the Events page:

Image of the Events tab and the five severity filters

When you click a severity button, the list displays only events with the severity you selected. The severity button you clicked remains in color, while the other buttons turn gray.

To clear a severity filter, click the View All link next to the severity buttons.

The following color codes are used throughout SL1:

  • Red elements have a status of Critical. Critical conditions are those that can seriously impair or curtail service and require immediate attention (such as service or system outages).
  • Orange elements have a status of Major. Major conditions indicate a condition that is service impacting and requires immediate investigation.
  • Yellow elements have a status of Minor. Minor conditions indicate a condition that does not currently impair service, but needs to be corrected before it becomes more severe.
  • Blue elements have a status of Notice. Notice conditions indicate a condition that users should be aware of, but the condition does not affect service.
  • Green elements have a status of Healthy. Healthy conditions indicate that a device or service is operating under normal conditions. Frequently, a healthy condition occurs after a problem has been fixed.

Filtering for Masked Events

When a device uses the event mask setting, events that occur on a single device within a specified span of time are grouped together, and only the event with the highest severity is displayed on the Events page. This allows related events that occur in quick succession on a single device to be rolled-up and posted together under one event description. For example, if a device cannot connect to the network, multiple other services on the device will raise events. SL1 would display the event with the highest severity and roll up all the other events.
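The roll-up described above, combined with the default sort order of the Events page, as an added Python sketch (not ScienceLogic code). The event fields, the sample events, and the rule that a mask window opens at a device's first event are assumptions made for illustration; the page does not specify how the time span is measured.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Severity levels listed on the Events page, ranked lowest to highest.
SEVERITY_RANK = {"Healthy": 0, "Notice": 1, "Minor": 2, "Major": 3, "Critical": 4}


def _close(group):
    """Turn one mask window into a displayed row plus its masked events."""
    # Parent = highest severity; ties go to the most recent event (assumption).
    parent = max(group, key=lambda e: (SEVERITY_RANK[e["severity"]], e["time"]))
    return {
        "device": parent["device"],
        "severity": parent["severity"],
        "message": parent["message"],
        "last_detected": parent["time"],
        "masked": [e["message"] for e in group if e is not parent],
    }


def roll_up(events, window):
    """Group each device's events into mask windows of length `window`.

    Assumption: a window opens at the first event seen on a device; an event
    later than `window` after that first event opens a new window.
    """
    by_device = defaultdict(list)
    for ev in events:
        by_device[ev["device"]].append(ev)

    rows = []
    for evs in by_device.values():
        evs.sort(key=lambda e: e["time"])
        group = []
        for ev in evs:
            if group and ev["time"] - group[0]["time"] > window:
                rows.append(_close(group))
                group = []
            group.append(ev)
        if group:
            rows.append(_close(group))
    return rows


def default_sort(rows):
    """Severity highest to lowest, then last occurrence most recent first."""
    return sorted(
        rows,
        key=lambda r: (SEVERITY_RANK[r["severity"]], r["last_detected"]),
        reverse=True,
    )


# Constructed sample events (not taken from a real SL1 system).
T0 = datetime(2024, 1, 1, 9, 0, 0)
SAMPLE = [
    {"device": "core-sw-01", "severity": "Minor", "message": "Interface flapping", "time": T0},
    {"device": "core-sw-01", "severity": "Critical", "message": "Device not reachable",
     "time": T0 + timedelta(seconds=20)},
    {"device": "core-sw-01", "severity": "Major", "message": "SNMP timeout",
     "time": T0 + timedelta(seconds=45)},
    {"device": "core-sw-01", "severity": "Notice", "message": "Config changed",
     "time": T0 + timedelta(minutes=30)},
    {"device": "web-02", "severity": "Major", "message": "Disk 91% full",
     "time": T0 + timedelta(minutes=5)},
]

if __name__ == "__main__":
    for row in default_sort(roll_up(SAMPLE, timedelta(minutes=1))):
        print(row["severity"], row["device"], row["message"], "masked:", row["masked"])
```

In this sample the Major "SNMP timeout" event never appears as its own row, which is why the masked list of a parent event is worth opening during triage.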

On the Events page, any event that contains masked events includes a magnifying glass icon and the word "Masked" in the Masked Events column.

Click the Select Columns icon to add the Masked Events column, if it is not currently visible.

To view more information about masked events:

  1. On the Events page, click the magnifying glass icon or the Masked link in the Masked Events column for the relevant event. The Event Investigator page for that event appears.
  2. Scroll down to the Masked events section to view the details about the masked events.

Viewing Additional Data about an Event

On the Events page, you can click the down-arrow icon next to the name of an event to open a drop-down panel called the Event Drawer. The Event Drawer contains additional data about that event:

Image of the Event Drawer

NOTE: The Event Drawer displays only for events that are aligned with devices.

On the Event Drawer, you can access the following panes:

  • The Vitals pane displays graph data for the past 24 hours of CPU and memory usage for the device related to the event. You can zoom in on a shorter time frame by clicking and dragging your cursor over a timeframe, and you can go back to the original time span by clicking the Reset zoom button.
  • The Tools pane enables you to run a set of network diagnostic tools or user-initiated actions in the Activity Center. Click the search bar to search for a tool or action to run, or click one of the default tools or actions that are available based on the device type and your user permissions. For more information, see the section on Using the Action Runner.
  • The Logs pane displays a list of the log entries from the device's log file, sorted from newest to oldest by default.

Viewing Automation Actions

To view a log of automated actions that have occurred for an event, on the Events page, click the Actions button for the event and select View Automation Actions. When you do so, the Event Actions Log modal page appears.

You can also view the Event Actions Log modal page by clicking the hyperlink in the Automated Actions column for a particular event on the Events page.

The Event Actions Log displays a history of all automation actions that SL1 executed in response to the event.

Each entry in the Event Actions Log modal page includes:

  • The date and time when the action was executed
  • The automation policy that triggered the action
  • The name of the action policy
  • The result of the action

Refreshing the Events Page

You can refresh the Events page manually or set it to auto-refresh.

To refresh the Events page manually, click the Auto Refresh icon and select Refresh Now.

To enable auto-refresh:

  1. On the Events page, click the Auto Refresh drop-down menu.
  2. In the Refresh interval drop-down, select the desired refresh interval for the page. Options range from 10 seconds to 60 minutes.

Customizing the Events Page

You can deselect columns that you do not want to see in the Events page, and select additional columns including custom attributes.

To select columns:

  1. Click on the gear icon in the top left of the Events page.
  2. In the Columns menu, select the columns you want to add or deselect columns you want to hide. If you can't find a column, use the search field to find it by name. If you have created any Custom Attributes, these will appear in this list as well.

NOTE: For more information about Custom Attributes, see the section on Custom Attributes.

  3. When you have finished making your selections, click outside the Columns menu to close it.

Using the Event Investigator

The Event Investigator page provides details about the event as well as the device associated with the event, where relevant. The Event Investigator page includes sections for Probable Cause & Resolution, Tools, Logs, Notes, Assets, a Vitals widget, and a list of masked events.

To get to the Event Investigator page, click the linked text in the Message column of the Events page, or click the Actions button for the event and select View Event.

The top pane of the Event Investigator page contains basic event details. From this pane, you can also acknowledge or clear the event.

On the Event Investigator page, click the name of an aligned device to go to the Investigator page for that device. You can also click the name of the aligned organization to view its Organizational Summary page.

The Event Investigator page includes the following sections:

  • Probable Cause & Resolution. Displays additional information about the event, based on the event policy.
  • Tools. A set of network diagnostic tools or user-initiated actions that you can run on the device associated with the event. Click the search bar to search for a tool or action to run, or click one of the default tools or actions that are available based on the device type and your user permissions. This pane is the same as the Tools pane of the Event Drawer. For more information, see the section on Using the Action Runner.
  • Logs. A list of log entries from the device's log, sorted from newest to oldest by default.
  • Note. A text field where you can add new text and edit existing text related to the event and the device associated with the event. For more information, see Viewing and Editing Event Notes.
  • Assets. One or more asset records associated with the device, such as a piece of equipment owned by an organization. The asset record includes contact information for the technician, administrator, and vendor for that device. You can click the name of an asset to view an Asset page for more information.
  • Vitals. A widget that displays the past 24 hours of CPU and memory usage for the device related to the event. You can zoom in on a shorter time frame by clicking and dragging, and you can go back to the original time span by clicking the Reset zoom button.
  • Masked events. A list of all masked events for the device. When a device uses the event mask setting, events that occur on a single device within a specified span of time are grouped together, and only the event with the highest severity is displayed in the Events page. This allows related events that occur in quick succession on a single device to be rolled-up and posted together under one event description.

Using the Action Runner

You can access the Action Runner from either the Events page or the Event Investigator page. The Action Runner enables you to run a set of diagnostic tools or user-initiated actions, or to click on custom links that will open related records in external systems in a separate browser window.

NOTE: The tools and actions that are available in the Action Runner are based on the device type and your user permissions, as determined by your organization assignment and access hooks. For example, if a device does not have an IP address, only the Availability tool will be available.

NOTE: For more information about user-initiated actions, see the section on User-Initiated Automations.

To use the Action Runner:

  1. Access the Action Runner for events in one of the following ways:
      • On the Action Runner page, open the Event Drawer for a particular event. Click the search bar in the Tools pane.
      • On the Action Runner page, click the search bar in the Tools pane.
      • Click Activity in the navigation bar at the top of any page in SL1. Click the search bar.
  2. When you click the search bar, a list displays the default tools, actions, or custom links that are available for the selected device. Click one of these tools, actions, or custom links, or use the search bar to search for a tool or action that is not listed. The following default tools are available in the Action Runner:
      • Availability. Displays the results of an availability check of the device, using the port and protocol specified in the Availability Port and Availability Protocol fields on the Settings tab for this device.
      • Ping. Displays statistics returned by the ping tool. The ping tool sends a packet to the device's IP address (the one used by SL1 to communicate with the device) and waits for a reply. SL1 then displays the number of seconds it took to receive a reply from the device and the number of bytes returned from the device. If the device has an IPv6 address, SL1 uses the appropriate IPv6 ping command.
      • Who Is. Displays information about the device's IP, including the organization that registered the IP and contacts within that organization.
      • Port Scan. Displays a list of all open ports on the device at the time of the scan.
      • Deep Port Scan. Displays a list of all open ports and as much detail about each open port as the deep port scanner can retrieve.
      • ARP Lookup. Displays a list of IP addresses for the device and the resolved Ethernet physical address (MAC address) for each IP address.
      • ARP Ping. Displays the results from the ARP Ping tool. The ARP Ping tool is similar in function to ping, but it uses the ARP protocol instead of ICMP. The ARP Ping tool can be used only on the local network.
      • Trace Route. Displays the network route between SL1 and the device. The tool provides details on each hop to the endpoint. If the device has an IPv6 address, SL1 uses the appropriate IPv6 traceroute command.

The tools found in the Action Runner can also be found in the Device Toolbox in the classic SL1 user interface.

  3. If you clicked a custom link, the link opens in a new browser window or tab. If you clicked on a tool or action, then as it runs, its progress and results appear in a log in the Activity Center.
  4. After the tool or action has run, if you want to run it again, click the Run Again button. This button appears only for activities completed during your current session.

Image of the Activity Center

The left pane of the Activity Center displays a list of devices for which you have most recently used the Action Runner, with the current device at the top of the list. To use the Action Runner for any of the other recently used devices or to view historical logs for the tools or actions that have been run on those devices, click on the device name.

Responding to Events

When events occur, there are multiple ways you can respond to them when in Global View mode:

  • Acknowledge. Lets other users know that you are aware of an event and are working on a response.
  • Add a Note. Adds custom text to an event. You can view notes from the Events page or the Event Investigator page. You can also include notes in automation actions.
  • Clear. Removes an instance of an event from the Events page. The cleared instance is no longer displayed.
  • Create External Ticket. Creates a new ticket for the event if you are using an external ticketing system instead of SL1. For more information, see the section on Events and Tickets.
  • Align External Ticket. Aligns this event with an existing ticket if you are using an external ticketing system instead of SL1. For more information, see the section on Events and Tickets.

Selecting Multiple Events

On the Events page, you can use the checkboxes to the left of the event to select more than one event at a time. After you select the events, you can click the Acknowledge or Clear button at the bottom of the page to acknowledge or clear those events simultaneously.

If you do not want to acknowledge or clear the selected events, click the Deselect All button to deselect the checkboxes.

If you want to select all of the events that are currently showing on the tab, click the Select All Visible button.

Acknowledging and Clearing Events

When you acknowledge an event, you let other users know that you are aware of that event, and you are working on a response. 

When you clear an event, you let other users know that this event has been addressed. Clearing an event removes a single instance of the event from the Events page. If the event occurs again on the same device, it will reappear in the Events page.

If the same event occurs again on the same device, it will appear in the Events tab, even if you have previously cleared that event.

When you acknowledge a parent event, all masked events under that parent event are also acknowledged.

To acknowledge and clear events:

  1. To acknowledge an event, find the event on the Events page and click the Acknowledge button for that event. Your user name replaces the Acknowledge button for that event:

Image of the Acknowledge button after you acknowledge an event

You can also click the Acknowledge button in a specific event's Investigator page.

  2. To see when an event was acknowledged and who acknowledged it, hover your mouse over an acknowledged field.
  3. If an event was acknowledged by another user and you have the relevant permissions, you can click the Reacknowledge button to acknowledge that event.
  4. To clear an event, click the Clear button. The event is removed from the Events page.

If you want to hide the Acknowledge or Clear buttons on the Events page, click the Select Columns icon and deselect those columns.

Viewing and Editing Event Notes

From the Events page, you can access event notes, which contain event definitions, probable causes, and resolutions for the event, along with a text field where you can add more information about the event or the device you are monitoring. If event notes already exist for that event, the opening text of that note appears in the Event Note column of the Events page.

To view or edit an event note:

  1. On the Events page, click the Note icon for that event. The Edit Event Note window appears:

Image of the Edit Event Note window

You can also edit an event note on the Events page by clicking the Actions button for that event and selecting Edit Event Note. This is helpful if you have hidden the Event Note column on the Events page.

  2. Type your additional text for the event note and then click Save. The event note is updated.

Creating and Aligning Event External Tickets

If your Global Manager system has the necessary configuration, you can create an external ticket from an event while in Global View mode.

To create and align event external tickets, on the Events page or the Event Investigator page for a specific event, click the Actions button for the event and do one of the following:

  • Select Create External Ticket. When you do so, SL1 sets a "request" flag for the ticket and displays an acknowledgment that a new ticket has been requested. You can then use the "request" in run book logic to create the ticket on the external system.
  • Select Align External Ticket. When you do so, the Align External Tickets modal appears. From the drop-down list, select the existing external ticket that you want to align to the event, and then click Align. (Alternatively, if you want to unalign an external ticket, select the external ticket from the drop-down list and click Unalign.)

The external ticket references that are available for selection in the Align External Tickets modal come from a unique list that is a combination of all available external ticket references in all stacks across your Global Manager system. If a stack returns the same reference as another stack, only one entry for that reference will appear in the list.

If a stack in your Global Manager system does not have the Create/View External Ticket option selected in the Event Console Ticket Life Ring Button Behavior setting, an error message will appear if you attempt to create an external ticket for an event that originated on that stack.

You can bulk align/unalign tickets to multiple events that originate from the same stack. To do so, select one or more events from the Events page and then click Align or Unalign at the bottom of the page. If you attempt to align/unalign tickets to multiple events that originate from different stacks, you will receive an error message.
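A pre-check for the same-stack rule and the combined reference list described above, as an added Python sketch (not ScienceLogic code and not a call into any SL1 API). It assumes the number before the underscore in a Global View event ID is the numeric stack ID; the event IDs and ticket references are constructed samples.

```python
import re
from collections import defaultdict

# Global View event ID: a number, an underscore, then the event ID on that stack.
GLOBAL_ID = re.compile(r"(\d+)_(\d+)")


def split_global_event_id(event_id):
    """Return (stack, local_event_id) for an ID such as '3_10492'."""
    m = GLOBAL_ID.fullmatch(event_id.strip())
    if not m:
        raise ValueError(f"not a Global View event ID: {event_id!r}")
    return int(m.group(1)), int(m.group(2))


def batches_by_stack(event_ids):
    """Split a selection into per-stack batches.

    Each batch contains events from one stack only, so it satisfies the
    same-stack rule for bulk align/unalign.
    """
    batches = defaultdict(list)
    for eid in event_ids:
        stack, local = split_global_event_id(eid)
        batches[stack].append(local)
    return dict(batches)


def merged_ticket_refs(refs_per_stack):
    """Combine every stack's ticket references into one list without repeats.

    Returns {reference: [stacks that returned it]}; the dict keys are the
    unique list, in first-seen order.
    """
    merged = {}
    for stack in sorted(refs_per_stack):
        for ref in refs_per_stack[stack]:
            stacks = merged.setdefault(ref, [])
            if stack not in stacks:
                stacks.append(stack)
    return merged


# Constructed samples. Note that "1_5001" and "2_5001" are different events:
# the local ID 5001 exists on two stacks, which is why the prefix matters.
SELECTED = ["1_5001", "1_5007", "2_5001", "3_88"]
REFS = {1: ["40012", "40040"], 2: ["40040", "40051"]}

if __name__ == "__main__":
    batches = batches_by_stack(SELECTED)
    if len(batches) > 1:
        print("Selection spans stacks", sorted(batches), "- align each batch separately")
    for stack, ids in sorted(batches.items()):
        print(f"stack {stack}: events {ids}")
    print("references offered:", list(merged_ticket_refs(REFS)))
```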