Events in the SL1 User Interface

You can view a list of all events in SL1 or view a list of events for a single device. This section describes how to perform both tasks.

Use the following menu options to navigate the SL1 user interface:

  • To view a pop-out list of menu options, click the menu icon.
  • To view a page containing all of the menu options, click the Advanced menu icon.

Viewing the List of Events

The Events page displays a list of currently active events, from critical to healthy. From this page you can acknowledge, clear, and view more information about an event. You can also view events by organization to focus on only the events that are relevant to you.

By default, the events listed on the Events page are sorted by severity, highest to lowest, and then secondarily sorted by the events' last occurrences, most recent to least recent. This ensures that the most severe and most recent events appear at the top of the page. If you prefer, you can change the sorting preferences and SL1 will recall those changes the next time you return to the Events page.

To navigate to the Events page, click the Events icon.

The Events List View

For each event, the Events page displays the following information:

  • Organization. The organization with which the event is associated. Click the organization hyperlink to view more information about the organization. You can optionally filter the list of events so that only events for a specific organization appear on the Events page; for more information, see the section Filtering Events by Organization and Service.
  • Severity. The severity of the event. Possible values are:

      • Critical. Indicates a condition that can seriously impair or curtail service and requires immediate attention (for example, service or system outages).
      • Major. Indicates a condition that impacts service and requires immediate investigation.
      • Minor. Indicates a condition that does not currently impair service, but the condition needs to be corrected before it becomes more severe.
      • Notice. Indicates a condition that users should be aware of, but the condition does not affect service.
      • Healthy. Indicates that a device or condition has returned to a healthy state. Frequently, a healthy event is generated after a problem has been fixed.

    You can optionally filter the list of events so that only events of a specific severity level appear on the Events page; for more information, see the section Filtering Events by Severity.

  • Name. The name of the entity associated with the event. Click the name hyperlink to view more information about the entity.

  • Message. The message generated for the event. Click the message hyperlink to go to the Event Investigator, where you can view more information about the event, including a description, its probable cause, and possible resolutions, among other details.

    You can also view the Event Investigator page by clicking the Actions button for the event and selecting View Event.

  • Age. The number of days, hours, and minutes since the first occurrence of the event. This is also the time since the event occurred without the event having been cleared.

  • Count. The number of times the event has occurred, the number of child events associated with the event, or the number of masked events associated with the event.

  • Event Note. Click the Note icon to view any existing user-defined notes about the event or to create or edit a note about the event. When you do so, the Edit Event Note modal page appears, where you can create or edit a note and save your changes. For more information, see Viewing and Editing Event Notes.

    You can also view, create, or edit event notes by clicking the Actions button for the event and selecting Edit Event Note.

  • Masked Events. If the event has occurred multiple times on the same device that uses the event mask setting, click the magnifying glass icon or the Masked hyperlink to go to the Event Investigator page, where you can view details about the masked events. For more information, see the section Filtering for Masked Events.

    You can also view masked events on the Event Investigator page by clicking the Actions button for the event and selecting View Event.

  • Automated Actions. The number of times the event has triggered the execution of an automation policy. If the event has triggered one or more automated actions, click the number hyperlink to go to the Event Actions Log, where you can view a log of all automated actions that have occurred for the event. For more information, see the section Viewing Automated Actions.

    You can also view the Event Actions Log modal page by clicking the Actions button for the event and selecting View Automation Actions.

  • Event Source. The system or application that generated this event. Possible values are:

      • Syslog. The event was generated from a system log generated by a device.
      • Email. The event was generated by an email from an external agent. For example, Microsoft Operations Manager (MOM).
      • Internal. The event was generated by SL1.
      • Trap. The event was generated by an SNMP trap.
      • Dynamic. The event was generated by a Dynamic Application collecting data from the device.
      • API. The event was generated by a snippet Run Book Action, a snippet Dynamic Application, a request to the ScienceLogic API, or by an external system.
      • SL1 agent. The event was generated by log file messages collected by the SL1 agent. For more information about creating Log File Monitoring Policies to monitor log file messages collected by the agent, see the section on Monitoring Device Logs Using an Agent.

  • Event Type. The type of entity associated with the event. Possible values are:

      • Organizations
      • Devices
      • Assets
      • IP networks
      • Interfaces
      • Business Service
      • IT Services
      • Device Services
      • Vendors
      • User Accounts
      • Virtual Interfaces

  • Last Detected. The date and time at which the event last occurred on the entity.

  • Ticket External Reference. The numeric ID associated with a ticket from an external ticketing system (that is, a ticket that was not created in SL1). Click the ticket reference value to view the external ticket in a new window.

    To link an external ticket to an event, you must create a custom Run Book Automation policy and a custom Run Book Action or use the ScienceLogic APIs. For help with these tasks, contact ScienceLogic Customer Care.

  • Ticket ID. The ticket ID of the ticket that has been created for the event, if applicable.
  • Acknowledge. If the event has not been acknowledged, this column displays an Acknowledge button; click the button to acknowledge the event. If the event has been acknowledged, this column displays a check-mark character and specifies the user who acknowledged the event. For more information, see Acknowledging and Clearing Events.
  • Clear. Click the Clear button to clear the event. When you do so, the event is removed from the Events page.

You can filter the items on this inventory page by typing filter text or selecting filter options in one or more of the filters found above the columns on the page. For more information, see Filtering Inventory Pages.

To rearrange the columns in the list, click and drag the column name to a new location. You can adjust the width of a column by clicking and dragging the right edge of the column. For more information about editing and adding columns, see Editing the Settings for an Inventory Page.

Filtering the List of Events

This section explains how to filter the list of events so you can quickly locate and address any potential issues in your environment.

Filtering Events by Organization and Service

You can view events from all organizations or services, or filter down to just the organizations or services you want to monitor for events.

To view events by organization or service:

  1. On the Events page, click the View menu.
  2. Select the Group by organization and/or the Group by business service toggle. The relevant panel appears on the left with a list of events sorted by severity for each organization and/or service:

    The Events page grouped by organization

    To hide the Organizations and Business Services panels, click the left arrow icon. Click the right arrow icon to expand the panel again.

  3. On the left panel, click the check mark icon to filter the list of events based on the organization or service you selected.

    Click the name of a service to go to the Service Investigator page for that service. Click the name of an organization to go to the Organizational Summary Page for that organization.

Filtering Events by Severity

The Events page displays a list of currently active events, which can be sorted by any column, such as severity from critical to healthy. You can filter the list of events by severity by clicking one or more of the five colored buttons near the top of the Events page:

The Events page and the five severity filters

When you click a severity button, the list displays only events with the severity you selected. The severity button you clicked remains in color, while the other buttons turn gray.

To clear a severity filter, click the View All link next to the severity buttons.

The following color codes are used throughout SL1:

  • Red elements have a status of Critical. Critical conditions are those that can seriously impair or curtail service and require immediate attention (such as service or system outages).
  • Orange elements have a status of Major. Major conditions indicate a condition that is service impacting and requires immediate investigation.
  • Yellow elements have a status of Minor. Minor conditions indicate a condition that does not currently impair service, but needs to be corrected before it becomes more severe.
  • Blue elements have a status of Notice. Notice conditions indicate a condition that users should be aware of, but the condition does not affect service.
  • Green elements have a status of Healthy. Healthy conditions indicate that a device or service is operating under normal conditions. Frequently, a healthy condition occurs after a problem has been fixed.

Filtering for Masked Events

When a device uses the event mask setting, events that occur on a single device within a specified span of time are grouped together, and only the event with the highest severity is displayed on the Events page. This allows related events that occur in quick succession on a single device to be rolled-up and posted together under one event description. For example, if a device cannot connect to the network, multiple other services on the device will raise events. SL1 would display the event with the highest severity and roll up all the other events.

On the Events page, any event that contains masked events includes a magnifying glass icon and the word "Masked" in the Masked Events column:

The Events page with a masked event highlighted

Click the Grid Settings button to add the Masked Events column, if it is not currently visible.

To view more information about masked events:

  1. On the Events page, click the magnifying glass icon or the Masked link in the Masked Events column for the relevant event. The Event Investigator page for that event appears.
  2. Scroll down to the Masked events section to view the details about the masked events:

The Masked events section in the Events page

Viewing Additional Data about an Event

On the Events page and the Devices page, you can click the Expand icon next to an event or device to open a new Device Summary modal:

The Device Summary window for a device

NOTE: On the Events page, the Device Summary modal displays only for events that are aligned with devices.

The detail window for that device contains the Tools pane, the Vitals graphs, and the Logs pane:

  • The Tools pane enables you to run a set of diagnostic tools or user-initiated actions in the Activity Center, or to click on custom links that will open in a separate browser window. Click the search bar to search for tools, actions, or custom links that are available for the device.
  • The Vitals pane displays graph data for the past four hours of CPU usage, memory usage, and latency for that device, where relevant. You can zoom in on a shorter time frame in the Vitals graph by clicking and dragging, and you can go back to the original time span by clicking the Reset zoom button.
  • The Logs pane displays a list of events associated with that device.

To open the detail or Investigator page for an item, click the link for the item name at the top of the detail window.

Viewing Automation Actions

To view a log of automated actions that have occurred for an event, on the Events page, click the Actions button for the event and select View Automation Actions. When you do so, the Event Actions Log modal page appears.

You can also view the Event Actions Log modal page by clicking the hyperlink in the Automated Actions column for a particular event on the Events page.

The drop-down menu from the Actions button

The Event Actions Log displays a history of all automation actions that SL1 executed in response to the event.

Each entry in the Event Actions Log modal page includes:

  • The date and time when the action was executed
  • The automation policy that triggered the action
  • The name of the action policy
  • The result of the action

Using the Event Investigator

The Event Investigator page provides details about the event as well as the device associated with the event, where relevant. The Event Investigator page includes sections for Probable Cause & Resolution, Tools, Logs, Notes, Assets, a Vitals widget, and a list of masked events:

The Event Investigator page

To get to the Event Investigator page, click the linked text in the Message column of the Events page, or click the Actions button for the event and select View Event.

The top pane of the Event Investigator page contains basic event details. From this pane, you can also acknowledge the event, clear the event, or click the Actions button and select Create Ticket to create a ticket for that event. If an event was acknowledged by another user and you have the relevant permissions, you can click the Reacknowledge button to acknowledge that event.

On the Event Investigator page, click the name of an aligned device or service to go to the Investigator page for that device or service.

The Event Investigator page includes the following sections:

  • Probable Cause & Resolution. Displays additional information about the event, based on the event policy.
  • Tools. A set of network diagnostic tools or user-initiated actions that you can run on the device associated with the event. Click the search bar to search for a tool or action to run, or click one of the default tools or actions that are available based on the device type and your user permissions. This pane is the same as the Tools pane of the Event Drawer. For more information, see the section on Using the Action Runner.
  • Logs. A list of log entries from the device's log, sorted from newest to oldest by default.
  • Note. A text field where you can add new text and edit existing text related to the event and the device associated with the event. For more information, see Viewing and Editing Event Notes.
  • Assets. One or more asset records associated with the device, such as a piece of equipment owned by an organization. The asset record includes contact information for the technician, administrator, and vendor for that device. You can click the name of an asset to view an Asset page for more information.
  • Vitals. A widget that displays the past 24 hours of CPU and memory usage for the device related to the event. You can zoom in on a shorter time frame by clicking and dragging, and you can go back to the original time span by clicking the Reset zoom button.
  • Masked events. A list of all masked events for the device. When a device uses the event mask setting, events that occur on a single device within a specified span of time are grouped together, and only the event with the highest severity is displayed in the Events page. This allows related events that occur in quick succession on a single device to be rolled-up and posted together under one event description.

Using the Action Runner

You can access the Action Runner from either the Events page or the Event Investigator page. The Action Runner enables you to run a set of diagnostic tools or user-initiated actions, or to click on custom links that will open related records in external systems in a separate browser window.

NOTE: The tools and actions that are available in the Action Runner are based on the device type and your user permissions, as determined by your organization assignment and access hooks. For example, if a device does not have an IP address, only the Availability tool will be available.

NOTE: For more information about user-initiated actions, see the section on User-Initiated Automations.

To use the Action Runner:

  1. Access the Action Runner for events in one of the following ways:

      • On the Action Runner page, open the Event Drawer for a particular event. Click the search bar in the Tools pane.
      • On the Action Runner page, click the search bar in the Tools pane.
      • Click the Activity button in the navigation bar at the top of any page in SL1. Click the search bar.

  2. When you click the search bar, a list displays the default tools, actions, or custom links that are available for the selected device. Click one of these tools, actions, or custom links, or use the search bar to search for a tool or action that is not listed. The following default tools are available in the Action Runner:

      • Availability. Displays the results of an availability check of the device, using the port and protocol specified in the Availability Port and Availability Protocol fields on the Settings tab for this device.
      • Ping. Displays statistics returned by the ping tool. The ping tool sends a packet to the device's IP address (the one used by SL1 to communicate with the device) and waits for a reply. SL1 then displays the number of seconds it took to receive a reply from the device and the number of bytes returned from the device. If the device has an IPv6 address, SL1 uses the appropriate IPv6 ping command.
      • Who Is. Displays information about the device's IP, including the organization that registered the IP and contacts within that organization.
      • Port Scan. Displays a list of all open ports on the device at the time of the scan.
      • Deep Port Scan. Displays a list of all open ports and as much detail about each open port as the deep port scanner can retrieve.
      • ARP Lookup. Displays a list of IP addresses for the device and the resolved Ethernet physical address (MAC address) for each IP address.
      • ARP Ping. Displays the results from the ARP Ping tool. The ARP Ping tool is similar in function to ping, but it uses the ARP protocol instead of ICMP. The ARP Ping tool can be used only on the local network.
      • Trace Route. Displays the network route between SL1 and the device. The tool provides details on each hop to the endpoint. If the device has an IPv6 address, SL1 uses the appropriate IPv6 traceroute command.

    The tools found in the Action Runner can also be found in the Device Toolbox in the classic SL1 user interface.

  3. If you clicked a custom link, the link opens in a new browser window or tab. If you clicked on a tool or action, then as it runs, its progress and results appear in a log in the Activity Center.
  4. After the tool or action has run, if you want to run it again, click the Run Again button. This button appears only for activities completed during your current session.

The Activity Center

The left pane of the Activity Center displays a list of devices for which you have most recently used the Action Runner, with the current device at the top of the list. To use the Action Runner for any of the other recently used devices or to view historical logs for the tools or actions that have been run on those devices, click on the device name.

Acknowledging and Clearing Events

When you acknowledge an event, you let other users know that you are aware of that event, and you are working on a response. 

When you clear an event, you let other users know that this event has been addressed. Clearing an event removes a single instance of the event from the Events page. If the event occurs again on the same device, it will reappear in the Events page.

If the same event occurs again on the same device, it will appear in the Events tab, even if you have previously cleared that event.

When you acknowledge a parent event, all masked events under that parent event are also acknowledged.

To acknowledge and clear events:

  1. To acknowledge an event, find the event on the Events page and click the Acknowledge button for that event. Your user name replaces the Acknowledge button for that event:

    The Acknowledge button after you acknowledge an event, displaying the username "em7admin"

    You can also click the Acknowledge button in a specific event's Investigator page.

  2. To see when an event was acknowledged and who acknowledged it, hover your mouse over an acknowledged field.
  3. If an event was acknowledged by another user and you have the relevant permissions, you can click the Reacknowledge button to acknowledge that event.
  4. To clear an event, click the Clear button. The event is removed from the Events page.

If you want to hide the Acknowledge or Clear buttons on the Events page, click the Select Columns icon and deselect those columns.

Viewing and Editing Event Notes

From the Events page, you can access event notes, which contain event definitions, probable causes, and resolutions for the event, along with a text field where you can add more information about the event or the device you are monitoring. If event notes already exist for that event, the opening text of that note appears in the Event Note column of the Events page.

To view or edit an event note:

  1. On the Events page, click the Note icon for that event. The Edit Event Note window appears:

    The Edit Event Note window

    You can also edit an event note on the Events page by clicking the Actions button for that event and selecting Edit Event Note. This is helpful if you have hidden the Event Note column on the Events page.

  2. Type your additional text for the event note and then click Save. The event note is updated.

Viewing the Event Policy

From the Events page, you can view the Event Policy for an event, which allows you to view a description of the policy, enable or disable the policy, and edit policy details.

To view an Event Policy from the Events page:

  1. On the Events page, click the Actions menu for that event and select View Event Policy. The Event Policy Editor page appears for that event:

    The Edit Event Note window

  2. Click the Edit button to edit the Event Policy. For more information, see Defining and Editing Event Policies.

Suppressing and Unsuppressing an Event for a Device

When you suppress an event, you are specifying that in the future, if this event occurs again on the same device, the event will not appear in the Events page or the Events tab for a device.

If a suppressed event occurs on a different device, it will appear in the Events page and on the Events tab for that different device.

When you suppress an event, the current instance of the event still appears in the Events page. To remove the current instance from the event console, clear the event (see the section Clearing One or More Events).

NOTE: To suppress an event, accounts of type "user" must be granted one or more access keys that include the following access hooks: Events/Event:View and Event:Clear. Accounts of type "user" will then be able to view and suppress events that belong to the same organization(s) as the user. For more information on access hooks, see the section on Access Permissions.

Suppressing an Event

To suppress an event:

  • Go to the Events page.
  • Click the Actions button for the event you want to suppress and select Suppress Event for this Device. In the future, if this event occurs again on the same device, the event will not appear in the Events page.

NOTE: Users of type "user" can view only suppressed events that are aligned with the same organization(s) to which the user is aligned. Users of type "administrator" can view all suppressed events.

Suppressing an Event on Multiple Devices

When you suppress an event on multiple devices, you are specifying that, in the future, if this event occurs again on any of those devices, the event will not appear in the Events page or in the Viewing Events page for any of those devices.

To suppress an event on multiple devices:

  1. Go to the Event Policies page (Events > Event Policies).
  2. In the Event Policies page, select the Actions menu of the event policy you want to edit and select Edit.
  3. The selected event policy is displayed in the Event Policy Editor page, where you can edit one or more properties of the event policy.
  4. Click the Suppression tab.
  5. On the Suppression tab, you can select the devices or device groups on which to suppress the event. To do so:

      • Click Select Devices to select one or more devices on which to suppress the event. When you click Select Devices, the Available Devices modal page appears. Select the checkboxes of the devices you want to add to the suppression list, and then click Select.
      • Click Select Device Groups to select one or more device groups on which to suppress the event. When you click Select Device Groups, the Available Device Groups modal page appears. Select the checkboxes of the device groups you want to add to the suppression list, and then click Select.

  6. Click Save.

Unsuppressing an Event

On the Event Suppression List page (Events > Suppressions), you can view a list of all suppressed events in SL1 and choose to unsuppress one or more of those events. When you unsuppress an event, if this event occurs again on the same device, the event will appear in the Events page.

NOTE: To unsuppress an event, accounts of type "user" must be granted one or more access keys that include the following access hooks: Registry, Registry>Events>Suppressions, and Event:Suppressions. Accounts of type "user" will then be able to view a list of suppressed events that belong to the same organization as the user. Accounts of type "user" will also be able to unsuppress one or more of these suppressed events. For more information on access hooks, see the section on Access Permissions.

To unsuppress an event:

  1. Go to the Event Suppression List page (Events > Suppressions).
  2. Select the checkbox for each event you want to unsuppress.
  3. In the Select Action drop-down menu, in the lower right, select DELETE Suppression.
  4. Click Go. In the future, if the unsuppressed event occurs again on the same device, the event will appear in the Events page.

Unsuppressing All Instances of an Event

You can simultaneously unsuppress all instances of an event. That is, if a single event has been suppressed for multiple devices, you can unsuppress the event on all devices. In the future, if the unsuppressed event occurs again on any device, the event will appear in the Events page.

NOTE: To unsuppress an event on all devices, accounts of type "user" must be granted one or more access keys that include the following access hooks: Registry, Registry>Events>Event Manager, and Event:Add/Rem. Accounts of type "user" will then be able to access the Event Policies page and unsuppress one or more events on all devices. For more information on access hooks, see the section on Access Permissions.

To unsuppress an event on all devices:

  1. Go to the Event Policies page (Events > Event Policies).
  2. Select the checkbox for the event you want to unsuppress on all devices.
  3. Click Clear Suppressions. In the future, if the unsuppressed event occurs again on any device, it will appear in the Events page or in the Viewing Events page for the device.

Enabling and Disabling Events

You can simultaneously disable one or more events on all devices. When an event is disabled, it will no longer appear in the Events page for any devices. You can also enable an event that has been disabled.

NOTE: To disable or enable an event on all devices, accounts of type "user" must be granted one or more access keys that include the following access hooks: Registry, Registry>Events>Event Manager, and Event:Add/Rem. Accounts of type "user" will then be able to access the Event Policies page and enable one or more events on all devices. For more information on access hooks, see the section on Access Permissions.

Disabling Events

To disable one or more events:

  1. Go to the Event Policies page (Events > Event Policies).
  2. Select the checkboxes for the events you want to disable.
  3. Click Disable. The selected events will no longer appear in SL1 for any device, application, or policy.

Enabling Events

To enable one or more events:

  1. Go to the Event Policies page (Events > Event Policies).
  2. Select the checkboxes for the events you want to enable.
  3. Click Enable. The selected event(s) will once again appear in SL1.

Event Throttling

When SL1 detects syslog messages or traps coming from a single device at a rate greater than 25 messages per second, SL1 throttles the messages.

When SL1 throttles messages from a single IP address, those messages are deleted from the ScienceLogic database. The messages are not passed to the event engine, are not logged, and are not processed as events.

When SL1 throttles messages, SL1 also triggers events:

  • Event with a Severity of Critical and the message "Inbound Message Flood". This event is triggered when a single IP exceeds the threshold of syslog messages or trap messages at least once per minute for the last ten minutes. The default threshold is 25 messages per second.
  • Event with a Severity of Notice and the message "Inbound Message Spikes". This event is triggered when a single IP exceeds the threshold of syslog messages or trap messages. The default threshold is 25 messages per second.

Message throttling is enabled by default. To disable message throttling, contact ScienceLogic Customer Support.

To adjust the threshold for message throttling, contact ScienceLogic Customer Support.

To whitelist an IP address so that message throttling does not apply to that IP, contact ScienceLogic Customer Support.

NOTE: SL1 does not support message throttling on IPv6 devices monitored by CentOS5 Data Collectors.
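
Because throttled messages are deleted without being logged, it helps to know in advance which sources would cross the threshold. The added example below (not ScienceLogic code) models the throttling rule as this section describes it, run over constructed arrival records. It assumes one-second buckets for the rate and consecutive calendar-minute buckets for the ten-minute flood condition; all function and field names are hypothetical.

```python
from collections import Counter, defaultdict

THRESHOLD_PER_SEC = 25   # default threshold stated in this section
FLOOD_MINUTES = 10       # "at least once per minute for the last ten minutes"


def per_second_counts(records):
    """Bucket (epoch_seconds, source_ip) arrival records per IP and per second."""
    counts = defaultdict(Counter)
    for ts, ip in records:
        counts[ip][int(ts)] += 1
    return counts


def first_flood_minute(spike_minutes, window=FLOOD_MINUTES):
    """Minute index that completes `window` consecutive spike minutes, else None.

    Assumption: "once per minute for the last ten minutes" is modelled as ten
    consecutive calendar-minute buckets that each contain a spike.
    """
    run, prev = 0, None
    for minute in sorted(spike_minutes):
        run = run + 1 if prev is not None and minute == prev + 1 else 1
        prev = minute
        if run >= window:
            return minute
    return None


def throttle_report(records, threshold=THRESHOLD_PER_SEC, window=FLOOD_MINUTES):
    """Per source IP: which seconds exceed the threshold and which events follow."""
    report = {}
    for ip, seconds in per_second_counts(records).items():
        # "greater than 25 messages per second": exactly 25 is not throttled.
        over = {sec: n for sec, n in seconds.items() if n > threshold}
        if not over:
            continue
        spike_minutes = sorted({sec // 60 for sec in over})
        flood_minute = first_flood_minute(spike_minutes, window)
        events = ["Inbound Message Spikes (Notice)"]
        if flood_minute is not None:
            events.append("Inbound Message Flood (Critical)")
        report[ip] = {
            "spike_seconds": len(over),
            # Lower bound on lost telemetry: the page says throttled messages
            # are deleted, but not whether the whole burst or only the excess
            # is discarded.
            "messages_over_threshold": sum(n - threshold for n in over.values()),
            "spike_minutes": spike_minutes,
            "flood_minute": flood_minute,
            "events": events,
        }
    return report


def constructed_sample():
    """Constructed arrival records (not real traffic); timestamps start at 0."""
    records = []
    # 10.0.0.5: a 40-message burst once a minute for ten minutes
    for minute in range(10):
        records += [(minute * 60 + 5 + i / 100, "10.0.0.5") for i in range(40)]
    # 10.0.0.9: a single 30-message burst
    records += [(125 + i / 100, "10.0.0.9") for i in range(30)]
    # 10.0.0.7: steady 20 messages per second for five seconds
    for sec in range(300, 305):
        records += [(sec + i / 100, "10.0.0.7") for i in range(20)]
    # 10.0.0.8: exactly 25 messages in one second (at, not over, the threshold)
    records += [(400 + i / 100, "10.0.0.8") for i in range(25)]
    return records


if __name__ == "__main__":
    for ip, info in sorted(throttle_report(constructed_sample()).items()):
        print(ip, info["events"],
              "seconds over threshold:", info["spike_seconds"],
              "messages over threshold:", info["messages_over_threshold"])
```

Feed it arrival times taken from a point upstream of SL1 (for example a syslog relay), since SL1 itself keeps no record of the throttled messages.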