VMware Cloud Community
LSchultheis
Enthusiast

Email Alerts not being sent

I have an Active Directory alert set to send on any match of event 4740 (account lockout). However, sometimes these alerts are not being sent when the event is triggered. I can't seem to find a pattern or reason why they're not being sent.

I also noticed my Live Storage is at 89 GB used out of 93 GB. Is this normal?

Anyone else seeing this issue?

Thanks in advance!

sflanders
Commander

Having live storage being close to full is normal as Log Insight keeps logs for as long as possible -- based on disk space -- and then deletes them in a FIFO model.

I suspect your alert issue has to do with the threshold you have configured for the alert. Let me know if this post answers your question: Log Insight Alerts : User Alerts + Thresholds - SFlanders.net

Hope this helps! === If you find this information useful, please award points for "correct" or "helpful". ===
LSchultheis
Enthusiast

Thanks for the reply.

I have this alert set to "On any match". It seems to send the alert in most instances. However, I have found times where I log in to check things out and there's a user locked out but the alert was never sent. When I send a test email from Log Insight, it goes through just fine.

Thanks for clarifying the storage question as well.

sflanders
Commander

Well, if alerts are failing then you would see an error in /storage/var/loginsight/runtime.log. Typically this would mean a problem with the SMTP server you have specified or a network issue (could also be DNS related). Note that all triggered alerts are stored in /storage/var/loginsight/alerts.log so you can see what has matched to date. I hope this helps!

LSchultheis
Enthusiast

I just noticed it happened again. An account was locked out but I didn't receive an email from Log Insight. The dashboard and interactive analysis show the event and when it occurred. However, when I check out the alert.log file, it hasn't been updated since 3-30-15. I'm assuming this is the reason the emails are not being sent. Any ideas why the alert would not get put in this log if it was triggered? Should I try deleting the alert.log file?

Thanks for the help.

sflanders
Commander

Well, that confirms that the alert did NOT trigger. Only if it triggered would it be written to the log file. Can you go to manage alerts, edit the alert and attach a screenshot? Can you then select edit query and take a screenshot of IA? It would appear the query is not matching for some reason.

LSchultheis
Enthusiast

Please find the attached screenshots. I removed the email address before I took the first screenshot for obvious reasons.

sflanders
Commander

Perfect - so the IA screenshot shows an event from 4/6, which I assume did not trigger? Does that mean you have not received an alert about account lockouts since 3/30? If so, can you please restart the Log Insight service and simulate an account lockout to see if the issue is resolved?

LSchultheis
Enthusiast

The reboot seemed to fix the issue. Alerts are now being sent. However, this has fixed it in the past but it seems to be a reoccurring problem. I will just plan on rebooting this every few weeks. Thanks again for all the help!

sflanders
Commander

Excellent -- based on the description it sounded like some alerts worked and some did not without reason. If the issue is alerts stop working for a period of time then there is a known bug in LI 2.5 where this can occur and the workaround is to restart LI. You can also sign up at https://loginsight.vmware.com to get TP releases that address bugs such as this.

Hope this helps! === If you find this information useful, please award points for "correct" or "helpful". ===
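
Added example, not part of the original thread and not VMware code: the manual check from this thread (matching events are visible, but the triggered-alerts log has not been written since an earlier date) turned into a script that flags the gap. The function names, the grace period, and the assumption that lockout event times arrive as epoch seconds from an independent source (for example an export of the domain controller's Security log) are hypothetical; the log path is the one given in the thread.

```shell
#!/bin/sh
# Added example (not from the thread): flag lockout events that should have
# produced an alert but are newer than the last write to the alerts log.

ALERTS_LOG=/storage/var/loginsight/alerts.log   # path given in the thread

# Print a file's mtime in epoch seconds; 0 if the file does not exist.
file_mtime() {
    [ -e "$1" ] || { echo 0; return 0; }
    stat -c %Y "$1" 2>/dev/null || stat -f %m "$1"   # GNU stat, then BSD stat
}

# missed_alerts LOG NOW GRACE EPOCH...
# A triggered alert for an event at time T is written at or after T, so an
# event counts as "missed" when T is newer than the log's last write and at
# least GRACE seconds (alert query interval plus slack) have passed since T.
# Prints one missed event epoch per line; prints nothing if all is well.
missed_alerts() {
    log=$1; now=$2; grace=$3; shift 3
    last_write=$(file_mtime "$log")
    for t in "$@"; do
        if [ "$t" -gt "$last_write" ] && [ $((now - t)) -ge "$grace" ]; then
            echo "$t"
        fi
    done
}

# Constructed demo: a stand-in log file and three made-up event times
# relative to its last write (before it, 1 h after, 2 h after).
demo() {
    tmp=$(mktemp)
    m=$(file_mtime "$tmp")
    echo "events with no matching alert write:"
    missed_alerts "$tmp" $((m + 7500)) 600 \
        $((m - 100)) $((m + 3600)) $((m + 7200))
    rm -f "$tmp"
}

# Real use (event epochs supplied by the caller):
#   missed_alerts "$ALERTS_LOG" "$(date +%s)" 600 <epoch> [<epoch>...]
if [ "${1:-}" = "--demo" ]; then demo; fi
```

Any output means events matched in the time since the last alert was recorded, which is the condition that was resolved in this thread by restarting the Log Insight service.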