Creating Service Monitor Rules
The Service Monitor ensures that critical services, such as Anti-Virus software, are running on the selected device.
A useful feature is that the monitor can automatically control the service depending on the result of the alert. For example, if the monitor detects that the Anti-Virus software has stopped running, it can automatically restart the service without the need for any interaction.
Service Monitor also allows Services that should be excluded from the check criteria to be specified. The ‘Excluded Services’ parameter is shown at the bottom of the Criteria dialog and supports wildcards. Any services entered into this parameter are omitted from the rule criteria. This can be used to prevent a generic service monitor from creating an alert for services that auto start but then stop immediately.
When setting the Control Service action for a service monitor, it is possible to use the service from the criteria (i.e. if a service has stopped, this is the service required to start) or use another of the listed services to perform the required action.
Service Monitor Rule specific criteria fields
When adding rule criteria, the following pages and fields are specific to the Service Monitor.

Service Selection section
The fields in this section are used to specify the service to be controlled by this rule.
Display Name
Use the drop-down menu to select the service to be controlled by this rule. Any generic service can be started (or stopped) by over-typing the service from within the Display Name field and using ‘*’ as a wildcard. For example, typing ‘HAL*’ would perform the specified action on any service beginning with the characters HAL.
Service Parameters section
The fields in this section determine the control parameters of the service.
Status
Use the comparator of equal (or not equal) with the required status type which can be selected from the drop-down menu to determine the service to be selected (or omitted). The possible options are:
- Any Status
- Stopped
- Start Pending
- Stop Pending
- Renaming
- Continue Pending
- Pause Pending
- Paused
Startup
Use the comparator of equal (or not equal) with the required startup option which can be selected from the drop-down menu to determine the service to be selected (or omitted). The possible options are:
- Any Startup Type
- Automatic
- Automatic (Delayed Start)
- Boot
- Manual
- System
- Disabled
Logon Account
Use the comparator of equal (or not equal) with the required Logon Account which can be selected from the drop-down menu to determine the service to be selected (or omitted). The possible options are:
- Any Logon Account
- Local System
- Local Service
- Network Service
Excluded Services
Use this field to determine any services to be excluded from this rule.
Add
Click Add to open the Add Item dialog where services can be added to the exclusion list.
Edit
Highlight an existing selection and click Edit to change the service name.
Delete
Highlight an existing selection and click Delete and confirm the action to remove the service from the exclusion list.
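The following added example models how the criteria fields and the Excluded Services list combine, so that the effect of a wildcard exclusion can be previewed before a generic rule is saved. It is not Halcyon code: the evaluation order, case-insensitive matching, the treatment of the ‘Any ...’ options and the service names are assumptions made for the illustration.

```python
import re
from dataclasses import dataclass, field

@dataclass
class Service:                      # one row of a service inventory
    display_name: str
    status: str
    startup: str
    logon: str

@dataclass
class Criteria:                     # mirrors the criteria fields described above
    display_name: str = "*"
    status: tuple = ("=", "Any Status")
    startup: tuple = ("=", "Any Startup Type")
    logon: tuple = ("=", "Any Logon Account")
    excluded: list = field(default_factory=list)

def wild(pattern, name):
    # Only '*' is a wildcard; case-insensitive matching is an assumption.
    rx = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(rx, name, re.IGNORECASE) is not None

def compare(op, wanted, actual):
    # Assumption: an 'Any ...' option applies no filter.
    return wanted.startswith("Any ") or (actual == wanted) == (op == "=")

def preview(criteria, inventory):
    """Return (alerting, suppressed) display names for one criteria entry."""
    alerting, suppressed = [], []
    for svc in inventory:
        if not (wild(criteria.display_name, svc.display_name)
                and compare(*criteria.status, svc.status)
                and compare(*criteria.startup, svc.startup)
                and compare(*criteria.logon, svc.logon)):
            continue
        hit = any(wild(p, svc.display_name) for p in criteria.excluded)
        (suppressed if hit else alerting).append(svc.display_name)
    return alerting, suppressed

# Constructed inventory; the service names are invented for this example.
INVENTORY = [
    Service("Example AV Scanner", "Stopped", "Automatic", "Local System"),
    Service("Example Update Trigger", "Stopped", "Automatic", "Local System"),
    Service("Example Telemetry", "Stopped", "Manual", "Network Service"),
]
GENERIC = dict(status=("=", "Stopped"), startup=("=", "Automatic"))
NARROW = preview(Criteria(**GENERIC, excluded=["Example Update Trigger"]), INVENTORY)
BROAD = preview(Criteria(**GENERIC, excluded=["Example*"]), INVENTORY)
```

With the broad ‘Example*’ exclusion the stopped anti-virus service ends up in the suppressed list, so the generic rule would never alert on it; the exact-name exclusion omits only the service that is expected to stop.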
Using the Service Browse Utility
When adding criteria for Service monitor rules, click Browse to view a list of services that are currently running on the device being monitored.
Refresh
Click Refresh to update this display with any services that may have been started or stopped since the Browse option was taken.
Properties
Select a service from the display and click Properties to open the Service Properties dialog which displays all of the characteristics of the service.
Select
Select a service from the display and click Select to automatically populate the corresponding criteria detail fields on the criteria page.
Exclude
Select a service from this display and click Exclude to automatically exclude this service from this rule.

Criteria Alert Details section
Fields in this section define alert settings that override the settings made on the Alert page at Rule level. This allows a more criteria-specific alert message to be generated.
Override Rule Default
Click Override Rule Default to specify that the entries on this page override the default Alert page settings at Rule level. From the drop-down menu, select the alert warning level.
Alert Text
Enter the actual text of the alert or use the available Substitution Variables to construct the message text of the alert.

Alert Example
Displays an example of how the Alert Text will read using the selected Substitution Variables and user-entered text.

SLA Statistic section
Fields in this section are used to indicate that the criteria for this rule are used to determine performance against Service Level Agreements (SLA).
SLA Statistic
Click the SLA Statistic field so that it is enabled. The SLA flag is measured against the specific criteria defined for this rule.
We recommend that, when creating SLA flags within rules, all SLA criteria are kept together in the same rule, using the ‘Perform Actions For Each Criteria That Triggers’ option; otherwise SLA failures may or may not be indicated correctly.
System performance against the specified SLA flags can then be viewed on the SLA Statistics report (automatically included as a Report Template within Advanced Reporting Suite) for this system.
Auto-Close Options section
These fields determine if the auto-closing of Enterprise Console Alerts is required and if so, the delay invoked before the auto-close becomes effective.
Auto-Close Enterprise Console Alerts
Click this option to automatically close any alerts sent to the Enterprise Console by this rule. When the rule is checked, if the criteria selection would not currently result in an alert and there are previously raised outstanding alerts in existence, the existing alerts are closed either immediately or after the specified Delay By period if the criteria is still not triggering.
For example:
• A CPU rule has criteria to alert if the CPU % Processor Time is above 75%.
• It also has Auto-Close specified to Auto-Close Enterprise Console Alerts with a Delay period of 5 minutes.
The rule criteria is checked and triggers as the CPU is above 75%. An alert is sent to the Enterprise Console. At the next check interval, including any time for which the rule is suspended, the rule criteria is checked again and the CPU is below the required threshold. As the criteria has auto-close specified, the outstanding alert is tagged to be automatically closed five minutes later.
The rule criteria continues to be checked and if the CPU does not cause any further triggers, the existing alert is closed at the tagged auto-close time.
Delay By
If the Auto-Close Enterprise Console Alerts option is enabled, specify the delay time period after which the alert is automatically closed providing the criteria has not triggered again in the next check interval. The time period can be specified in Minutes, Hours or Days.
Creating an example Service Monitor Rule
This Service Monitor rule checks anti-virus software and restarts it if it has stopped.
- From the Systems panel of the Central Configuration Manager, select the System to which the monitor rule is applied and expand the view so that the monitors are displayed.
- Select the Service Monitor and click Add Rule to display the Add Rule Detail dialog.
- Enter a Description of ‘Check and Restart Anti-Virus’. Leave other fields on this page as the default settings.
- Select the Criteria tab in the left navigation pane of the Add Rule Detail dialog and click Add Criteria.
- Either select the anti-virus service from the Display Name choice menu or click Browse, highlight the anti-virus service from those services listed and click Select. The Service Name, Status and Startup Type fields on the Criteria dialog are automatically populated.
- In the Service Thresholds section of the Criteria dialog, set the Status operator to ‘=’ and the value as ‘Stopped’.
- In the left navigation pane of the Criteria page, click Alert.
- Enable the Override Rule Default option and change the Alert Text to ‘Anti-Virus software service had stopped. Automatically restarted by Halcyon NSS’. Click OK.
- Select the Actions tab in the left navigation pane of the Add Rule Detail dialog and click Add Action.
- Select the Send Enterprise Console Alert action. Click OK to open the Console Action dialog. Leave the fields as their default settings and click OK.
- On the Add Rule Detail dialog, click OK to create the rule, which is then displayed in the System Rule panel for the Service monitor.
- From the Central Configuration Manager menu ribbon, click Save. The rule is now active within the monitor.