Configuring alert rulesets

The Alerting page (Tools > Configuration > Agent settings > Alerting) displays all the alert rulesets that you can deploy to managed devices. There are three rulesets that appear by default, and you can create custom rulesets to apply specific types of monitoring to different kinds of devices.

The alert rulesets that appear by default on the Alerting page are:

  • Core alert ruleset: This ruleset ensures that alerts originating on the core server are handled. This ruleset is installed on the core server but can't be installed on other devices, and you can only have one core alert ruleset. You can edit the ruleset but can't delete it from the core server. This ruleset contains a predefined group of alert types, including Device Monitor, Intel vPro alerts, and Serial Over LAN Session alert types.

  • LDMS default ruleset: This ruleset can be deployed to all Ivanti managed devices. It includes alerts for security features included in Endpoint Manager, such as real-time inventory and monitoring, network access control, inventory scanner, and Security and Patch Manager alerts.

  • Provisioning ruleset: This ruleset contains alerts related to provisioning tasks, such as task begin and end, section completed, and wrong OS pre-boot environment. When a device is provisioned, this ruleset is used to send alerts related to the progress of the provisioning task. The ruleset is included in the provisioning agent and does not need to be manually deployed. You can edit this ruleset to change the actions associated with the provisioning alerts (for example, to be notified by e-mail when a provisioning task is complete).

In addition to these rulesets you can create custom rulesets and apply them to groups of managed devices. You can deploy rulesets by scheduling a deployment task, or you can include rulesets when you deploy agents to devices using agent configuration. While the default rulesets are available to be deployed with agents, you can choose not to deploy the rulesets when you define the agent configuration.

Conflicts between rulesets

When you create a custom ruleset for a device, be aware that if a default ruleset has already been deployed to the device you may have overlapping or conflicting alerting rules. If you deploy the default ruleset when you configure the managed device, and then deploy a custom ruleset, both rulesets will be executed on the device.

For example, if both rulesets generate alerts for the same alert type but take different actions, you may have duplicate or unpredictable alert actions as a result.
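The overlap described above can be checked before a custom ruleset is deployed. The following is an added example, not Ivanti code: the dictionary layout, the custom ruleset name, the device names, and the "Send e-mail" and "Run program" action names are all constructed for illustration. It lists, per device, each alert type handled by more than one ruleset and marks it as a duplicate (same actions) or a conflict (different actions), ignoring the default log action that every rule carries.

```python
from collections import defaultdict

# Every alert rule carries this action by default (per this page), so it is
# ignored when comparing what two rulesets do with the same alert type.
DEFAULT_ACTION = "Log handler configuration"

# Constructed sample data: ruleset name -> {alert type -> set of actions}.
# This layout is an assumption for illustration, not an Ivanti export format.
RULESETS = {
    "LDMS default ruleset": {
        "Inventory scanner": {DEFAULT_ACTION},
        "Security and Patch Manager": {DEFAULT_ACTION, "Send e-mail"},
        "Network access control": {DEFAULT_ACTION, "Send e-mail"},
    },
    "Custom: finance laptops": {
        "Security and Patch Manager": {DEFAULT_ACTION, "Run program"},
        "Network access control": {DEFAULT_ACTION, "Send e-mail"},
        "Device Monitor": {DEFAULT_ACTION, "Send e-mail"},
    },
}

# Constructed sample data: device -> rulesets deployed to it.
DEPLOYED = {
    "FIN-LT-01": ["LDMS default ruleset", "Custom: finance laptops"],
    "LAB-PC-07": ["LDMS default ruleset"],
}

def find_overlaps(deployed, rulesets):
    """Return {device: {alert_type: (kind, {ruleset: actions})}} for overlaps."""
    report = {}
    for device, names in deployed.items():
        by_alert = defaultdict(dict)
        for name in names:
            for alert_type, actions in rulesets[name].items():
                by_alert[alert_type][name] = frozenset(actions) - {DEFAULT_ACTION}
        overlaps = {}
        for alert_type, per_ruleset in by_alert.items():
            if len(per_ruleset) > 1:  # more than one ruleset handles this alert type
                same = len(set(per_ruleset.values())) == 1
                overlaps[alert_type] = ("duplicate" if same else "conflict", per_ruleset)
        if overlaps:
            report[device] = overlaps
    return report

if __name__ == "__main__":
    for device, overlaps in find_overlaps(DEPLOYED, RULESETS).items():
        for alert_type, (kind, per_ruleset) in sorted(overlaps.items()):
            print(device, alert_type, kind, {n: sorted(a) for n, a in per_ruleset.items()})
```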

Default log action

Every alert rule you create is automatically assigned the "Log handler configuration" action. This ensures that every alert is logged at the core server.

Process for configuring a ruleset

Rulesets contain a collection of associated alerts, actions, and time filters. As you configure a ruleset, you'll define multiple action tasks and time filters that can be reused.
