Monday, November 21, 2011

Reducing Alerts for better Signal-to-Noise in RemoteManagement


So, you've deployed your agents. You've configured your reports. You've even got the after-hours alerts routed to a special address. Your system is in place to keep you informed of every little thing that happens. So why are you weeding through alerts you don't care about to get to the information you need? How do you get the alerts adjusted to a level that works for you?


Luckily, there are a few common issues and fixes that should get rid of the bulk of your unwanted alerts, all centering around a central point:

GFI MAX RemoteManagement simply reports the news; it is up to you, however, to decide what exactly should be considered newsworthy.
With that in mind, let's take a quick look at the common reasons for unwanted alerts:

  1. Alert triggers are too sensitive across the board. You can probably remove the bulk of your alerts by going to Settings > Alert Settings in the dashboard and changing your settings to the following:

    This puts more emphasis on trends than on spikes for performance monitoring (you can read more about how to tweak performance monitoring in another post on this site). Having the Antivirus check alert you only when definitions are more than a day or 2 out of date keeps you from getting alerts for definitions that are just a few hours older than the current release.
  2. Check settings do not reflect the system in question. Again, Performance Monitoring is a big cause of these alerts, and one that can be solved. Other possible items include the Hacker Check or Drive space check - simply edit the check to reflect what works for that particular system.
  3. The check, as configured, is destined to fail. Did you just configure a check to let you know if any critical event happens during the day? Well, they're going to happen, and rather regularly. Another check of this kind is the Vulnerability Check. Your best courses of action for these checks are:
    1. Elect not to receive alerts for the checks in question. When you visit the dashboard, the check will still show as a red "x", but you will not get alerts in your mailbox or on your phone.

    2. When possible, elect to have these checks run in "Report mode" (shown as an option, when available, when you edit the check). This will allow you to continue collecting the data, view it in reports, and have the check show green in the dashboard.
  4. The Check is simply unnecessary. Do you really need to know how the Fax Service is doing on your workstation? Go on and delete it from the dashboard and concentrate on the things that do matter.
This is by no means a complete list, but if you apply these concepts, you should see a significant change in the alerts you receive.

4 comments:

  1. Excellent article Chris! My techs are suffering from a small case of "the alerts that cried wolf". I've used your tips here to hopefully quieten down the alerts before my techs get totally immune to them. I think it's easy for the alerts to become like car alarms in a crowded parking lot; who pays any attention to those?! So, again, thanks for the helpful tips.

  2. Glad you found it useful!

    We hope to keep these coming, so let us know if there is a specific subject you would like addressed.

  3. The problem is that systems (especially in SMB environments) wear different hats during different times of the day. What may be an alert you NEED to respond to during the middle of the day, would be one that would be a normal occurrence during night-time processing.
    So the current choice is either ignore the errors at night and hope to catch it on the screen during the day (if you are by your screen), or live with the flood of nightly alerts.
    I don't much like either choice.

    Replies
    1. That could be handled with a combination of Alert Routing Settings (Office Hours and not) along with filtering in your mail system.

      For instance, I turn on SMS alerting on the check, but don't have an SMS # in my Alert Routing during business hours. I could go a step further and filter email when it hits my mail server/mail client.

      But - we're also changing the alerts (specifically performance-related) in the near future to address this anyway. Stay tuned...
