How do I create Alerts in KAV 1.2?
KAV 1.2 Alerts
Support for alerts has been added to KAV 1.2. KAV alerts use event log monitoring in the Monitoring module. All KAV alerts are written to a managed machine’s “Application” event log as “Error”, “Warning”, or “Information” events.
To permit the alerts to be raised, the machine must have its Event Log Settings configured appropriately. To do this, go to the Agent->Event Log Settings function, ensure the “Application” Event Log Type is listed in the Assigned Event Logs, and ensure that the “Error”, “Warning”, and “Information” Event Categories are selected. Assign this configuration to each machine. This enables the collection of the required Application event log data used by the alert processing.
KAV alert configuration is accomplished in the Monitoring module. In VSA 6.1, go to the Monitoring->Alerts function and select the “Event Logs” Alert function for the “Application” event log type. In VSA 6.2, go to the Monitoring->Event Log Alerts and select the “Application” event log type. Refer to the page’s help for details on how to configure alerts.
The following event sets have been predefined for KAV alerts:
- ZC-KAV-CL1-W Client Install Reboot Required
- ZC-KAV-DF0-EWI Definitions
- ZC-KAV-DF1-W Definitions Not Updated in 2 Days
- ZC-KAV-DF2-E Definition Update Failed
- ZC-KAV-FS0-EWI Full Scans
- ZC-KAV-FS1-I Full Scan Started
- ZC-KAV-FS2-I Full Scan Completed
- ZC-KAV-FS3-E Full Scan Failed to Complete
- ZC-KAV-QS0-EWI Quick Scans
- ZC-KAV-QS1-I Quick Scan Started
- ZC-KAV-QS2-I Quick Scan Completed
- ZC-KAV-QS3-E Quick Scan Failed to Complete
- ZC-KAV-TH0-EWI Threats
- ZC-KAV-TH1-W Threat Detected
- ZC-KAV-TH2-I Threat Remediated
The “ZC-KAV” prefix indicates that these event sets are sample KAV event sets. Sample event sets can be used directly or they can be used as examples for building your own KAV alert event sets. The next segment following “ZC-KAV” indicates the type of alert. The following are the KAV alert types:
- CLx – Client related alerts
- DFx – Anti-Virus Definition related alerts
- FSx – Anti-Virus Full Scan related alerts
- QSx – Anti-Virus Quick Scan related alerts
- THx – Anti-Virus Threat related alerts
If the number following the alert type designator is zero (“0”), the event set is a “rollup” of related alerts. Any number other than zero (“0”) indicates the event set is a single individual alert. The letters following the alert type segment indicate the event category/categories of the included alerts where:
- E = Error
- W = Warning
- I = Information
When configuring the KAV alerts, ensure all three of the “Error”, “Warning”, and “Information” event categories are selected.
Also, for “rollup” event sets (ZC-KAV-DF0, ZC-KAV-FS0, ZC-KAV-QS0, or ZC-KAV-TH0), be sure to set the Re-Arm duration (“Ignore additional alarms for”) to a low threshold (e.g., 1 minute). This is necessary for these “rollup” alerts because only one alert will be raised during the Re-Arm time frame. For example, if you select the “ZC-KAV-QS0-EWI Quick Scans” event set, alerts for Quick Scan started and Quick Scan completed or Quick Scan failed to complete will be raised. If the Re-Arm time is set to 1 hour and the Quick Scan starts and successfully completes in less than an hour, only the Quick Scan start alert will be raised. By setting the Re-Arm duration to 1 minute, you will get the Quick Scan start alert and the Quick Scan complete alert.
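The following script is an added illustration of the two conventions described above, not code from Kaseya or the VSA. It decodes the ZC-KAV event set names into alert type, rollup/individual flag and event categories, and then models the Re-Arm suppression behaviour on a constructed pair of “Application” log events (a Quick Scan that starts and completes within 20 minutes) to show why a rollup set needs a short Re-Arm duration. The suppression model (one alert per event set per Re-Arm window, matching on event category only) is a simplification for illustration and is not the VSA’s actual matching logic.

```python
"""Decode KAV sample event-set names and model the Re-Arm ("Ignore
additional alarms for") window described for rollup event sets.

Added illustration, not Kaseya code. Name decoding follows the naming
convention given in the article; the Re-Arm simulation is a simplified model
of the described behaviour (one alert per event set per Re-Arm window),
not the VSA's real implementation. All sample events are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import FrozenSet, List, Optional

# Alert type segments from the article.
ALERT_TYPES = {
    "CL": "Client",
    "DF": "Anti-Virus Definition",
    "FS": "Anti-Virus Full Scan",
    "QS": "Anti-Virus Quick Scan",
    "TH": "Anti-Virus Threat",
}
# Event category letters from the article.
CATEGORIES = {"E": "Error", "W": "Warning", "I": "Information"}


@dataclass(frozen=True)
class EventSet:
    name: str
    alert_type: str
    index: int
    categories: FrozenSet[str]

    @property
    def is_rollup(self) -> bool:
        # An index of zero marks a rollup of related alerts.
        return self.index == 0


def decode_event_set(name: str) -> EventSet:
    """Parse e.g. 'ZC-KAV-QS0-EWI Quick Scans' into its components."""
    code = name.split()[0]  # drop the descriptive title after the code
    parts = code.split("-")
    if len(parts) != 4 or parts[0] != "ZC" or parts[1] != "KAV":
        raise ValueError(f"not a ZC-KAV sample event set: {name!r}")
    type_and_index, letters = parts[2], parts[3]
    alert_type = type_and_index[:2]
    if alert_type not in ALERT_TYPES or not type_and_index[2:].isdigit():
        raise ValueError(f"unknown alert type segment: {type_and_index!r}")
    unknown = set(letters) - set(CATEGORIES)
    if unknown:
        raise ValueError(f"unknown category letters {sorted(unknown)} in {name!r}")
    return EventSet(
        name=code,
        alert_type=ALERT_TYPES[alert_type],
        index=int(type_and_index[2:]),
        categories=frozenset(CATEGORIES[c] for c in letters),
    )


@dataclass(frozen=True)
class LogEvent:
    time: datetime
    category: str  # "Error", "Warning" or "Information"
    message: str


def raise_alerts(events: List[LogEvent], event_set: EventSet,
                 rearm: timedelta) -> List[str]:
    """Return the alert messages raised for one event set.

    Simplified model: an event matches when its category is one of the
    set's categories; after an alert is raised, further matches are ignored
    until the Re-Arm duration has elapsed.
    """
    raised: List[str] = []
    last_alert: Optional[datetime] = None
    for ev in sorted(events, key=lambda e: e.time):
        if ev.category not in event_set.categories:
            continue
        if last_alert is not None and ev.time - last_alert < rearm:
            continue  # suppressed by the Re-Arm window
        raised.append(ev.message)
        last_alert = ev.time
    return raised


# Constructed sample: a Quick Scan that starts and completes 20 minutes later.
T0 = datetime(2012, 1, 1, 9, 0)
QUICK_SCAN_EVENTS = [
    LogEvent(T0, "Information", "Quick Scan Started"),
    LogEvent(T0 + timedelta(minutes=20), "Information", "Quick Scan Completed"),
]
QS_ROLLUP = decode_event_set("ZC-KAV-QS0-EWI Quick Scans")


def alerts_with_rearm(minutes: int) -> List[str]:
    """Alerts raised for the sample scan under a given Re-Arm duration."""
    return raise_alerts(QUICK_SCAN_EVENTS, QS_ROLLUP, timedelta(minutes=minutes))


if __name__ == "__main__":
    print(QS_ROLLUP, "rollup:", QS_ROLLUP.is_rollup)
    print("Re-Arm 60 min:", alerts_with_rearm(60))  # only the start alert
    print("Re-Arm 1 min: ", alerts_with_rearm(1))   # start and completed
```

With a 60-minute Re-Arm the completion event falls inside the window and is dropped, so only “Quick Scan Started” is raised; with a 1-minute Re-Arm both alerts come through, which is the behaviour the rollup guidance above is meant to preserve.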
KAV 1.2, VSA 6.2