Reference: Event Rules

Use event rules to specify the heuristic parameters for which the targeted endpoints report performance events.

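You can configure these event rules:

  • Application Crashes
  • Available Memory
  • CPU Critical
  • Disk Capacity
  • Disk Latency
  • System Crashes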

Profiles and the event rules that they contain do not determine what data is collected on endpoints. The same data is monitored on all endpoints that a profile targets. Profiles determine which conditions on the endpoint generate a negative performance event.

After you add an event rule to a profile, select and configure the heuristics that you want to monitor.

Application Crashes

You can monitor this event rule only on Windows endpoints.

This event rule monitors the Windows Event Log for targeted endpoints. An event occurs if an application crashes.

Available Memory

You can monitor this event rule on Windows, macOS, and Linux endpoints.

You can create event rules for available memory by MB, percentage of total memory, or both.

Available Memory is a measurement of the amount of memory available to be immediately allocated to programs. Paging occurs when an endpoint runs low on available memory, which puts a load on disks and might result in workstation slowdowns or hangs. Monitor available memory to detect when programs might not have enough available memory to run without paging.

In the Duration field, specify the amount of time that the specified conditions must be present to trigger a performance event.

If you choose to monitor available memory by both MB and percentage of total memory, an event occurs if either metric meets the specified condition for the specified duration.

CPU Critical

The CPU Critical event rule contains three heuristics:

  1. CPU Utilization and Kernel Time monitoring is supported on Windows, macOS, and Linux endpoints. With this heuristic, you can monitor:
    • CPU Utilization: Monitor CPU utilization to detect CPU contention.
    • Kernel Time: Monitor kernel time to detect when the CPU is spending too much time on kernel mode operations.

      CPUs operate in two modes: kernel mode and user mode. Kernel mode is typically used for core operating system functions, I/O, and filter driver operations. If the CPU on an endpoint spends the majority of time on kernel mode operations, little CPU time is available for user mode operations, which might cause a negative performance condition.

    • If you configure an event rule for CPU Utilization and Kernel Time, the CPU Utilization and Kernel Time for targeted endpoints are monitored for the specified thresholds. A performance event occurs if the CPU utilization and kernel time are greater than the percentages that you configure in the event rule (both conditions must be met for an event to occur).

  2. DPC time monitoring is supported only for Windows endpoints.

    If you configure an event rule for DPC time, processor DPC for targeted endpoints is monitored. Specify the highest DPC time that is allowed on an endpoint before a performance event occurs. An unusually high amount of time spent on deferred procedure calls on an endpoint could indicate a processor bottleneck or driver problem.

  3. Load Average monitoring is supported only for macOS and Linux endpoints.

    If you configure an event rule for Load Average, the load average for targeted endpoints is monitored. Specify the load average that is allowed on an endpoint before a performance event occurs.

    The load average is an exponential average of the number of processes in a running or waiting state. This metric is a standard UNIX method for detecting CPU contention. This rule monitors the 15-minute load average for the CPU. If the load average is equal to the number of cores on an endpoint, the CPU usage is at its maximum capacity.

In the Duration field, specify the amount of time that the specified conditions must be present to trigger a performance event.
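The Duration semantics described for Available Memory ("either metric") and CPU Critical ("both conditions must be met") can be compared side by side in the following added example, which is not the product's own code. It assumes periodic samples, that a condition must hold on every sample for the whole duration, and that low memory means a reading below the threshold; all thresholds, metric names, and readings are constructed.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

Sample = Tuple[float, Dict[str, float]]  # (timestamp in seconds, metric readings)

@dataclass
class Condition:
    name: str
    breached: Callable[[Dict[str, float]], bool]

def first_event(samples: List[Sample], conditions: List[Condition],
                duration_s: float, require_all: bool) -> Optional[Tuple[float, str]]:
    """Return (timestamp, reason) of the first performance event, or None.

    require_all=False: any one condition held for duration_s fires (Available Memory).
    require_all=True:  all conditions must hold together for duration_s (CPU Critical).
    """
    if require_all:
        parts = conditions
        conditions = [Condition(" and ".join(c.name for c in parts),
                                lambda m: all(c.breached(m) for c in parts))]
    since: Dict[str, Optional[float]] = {c.name: None for c in conditions}
    for ts, metrics in samples:
        for c in conditions:
            if not c.breached(metrics):
                since[c.name] = None      # condition cleared: the clock restarts
                continue
            if since[c.name] is None:
                since[c.name] = ts        # first sample of a new breach
            if ts - since[c.name] >= duration_s:
                return ts, c.name
    return None

# Constructed readings, one per minute (hypothetical metric names).
MEMORY = [(t, {"free_mb": mb, "free_pct": pct}) for t, mb, pct in
          [(0, 900, 12), (60, 480, 11), (120, 600, 9), (180, 450, 8), (240, 700, 7)]]
CPU = [(t, {"cpu_pct": c, "kernel_pct": k}) for t, c, k in
       [(0, 95, 30), (60, 96, 55), (120, 97, 60), (180, 85, 65),
        (240, 95, 70), (300, 96, 72), (360, 99, 75)]]

# Constructed thresholds for illustration only.
MEM_RULE = [Condition("free_mb < 512", lambda m: m["free_mb"] < 512),
            Condition("free_pct < 10", lambda m: m["free_pct"] < 10)]
CPU_RULE = [Condition("cpu_pct > 90", lambda m: m["cpu_pct"] > 90),
            Condition("kernel_pct > 50", lambda m: m["kernel_pct"] > 50)]

if __name__ == "__main__":
    print(first_event(MEMORY, MEM_RULE, 120, require_all=False))
    print(first_event(CPU, CPU_RULE, 120, require_all=True))
```

In the memory data, free MB dips below the threshold twice but never for two consecutive minutes, so only the percentage condition produces the event. In the CPU data, utilization alone would have fired at 120 seconds, while the combined rule waits until both conditions have held together for the full duration.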

Disk Capacity

You can monitor this event rule on Windows, macOS, and Linux endpoints.

You can create an event rule for free disk space by MB, percentage of total disk capacity, or both.

Disk capacity is a measurement of the free space on the disk. When disks run low on space, fragmentation increases. Fragmented disks contribute to slow response times.

If you choose to monitor free disk space by both MB and percentage of total disk capacity, an event occurs if either metric meets the specified conditions.

Disk Latency

You can monitor this event rule on Windows, macOS, and Linux endpoints.

You can create event rules for Read Latency, Write Latency, or both.

Disk latency is a measurement of the average amount of time that a disk operation (read or write) takes to complete. Acceptable values vary by drive.

In the Duration field, specify the amount of time that the specified conditions must be present to trigger a performance event.

If you choose to monitor both Read Latency and Write Latency, a performance event occurs if either metric meets the specified condition for the specified duration.

System Crashes

You can monitor this event rule only on Windows endpoints.

This event rule monitors the Windows System and Event Logs for targeted endpoints. An event occurs if the system crashes.