Troubleshoot: Device Monitoring and Alerting Issues

I created a software addition/removal rule but I don’t see any alerts.

Cause

The Value field in Software Addition or Removal rules only supports letters (a-z, A-Z), numbers (0-9), spaces, underscores (_), hyphens (-), or periods (.). If you have added any invalid characters in the Value field, the rule might become invalid and not work.

Solution

We have added a validation to prevent users from saving a rule if an invalid character is present in the Value field. For rules containing invalid characters created prior to January 17th, 2025, no alerts will be triggered. You can either update the existing rule or create a new one instead.

Cause:

For rules that are associated with a large number of devices (exceeding 1000), when Existing Conditions are enabled, there may be a delay of up to 15 minutes in alert generation. This typically occurs when the total number of existing conditions (for which alerts need to be generated) exceeds 1,000.

Solution: You can create multiple rules with different conditions and associate different device groups to help keep the total number of alerts for existing conditions below 1,000.

The option to enable/disable rules from the Rules dashboard is currently not functioning as expected for the following rules:

• Command Execution Failure
• Managed Software Installation Failure
• Policy Application Failure

Cause:

If a command, policy, or software being used in the conditions section of a rule is removed from the system, you will be unable to enable or disable the rule from the Rules dashboard. 

Solution: Go to the rule details page, and use the Enable/Disable toggle button.

Admin setup a Server Offline rule to monitor the server status, and is seeing several duplicate alerts on the Alerts dashboard.

Cause

A technical issue with the Device Offline Monitoring rule has caused a high volume of duplicate alerts for users who had this rule enabled prior to November 29th, 2024.

Resolution

The issue is now resolved as follows:

• Admins will no longer receive several duplicate alerts for devices that are offline. Instead, the rule will generate one alert per offline device as expected.
• All previously generated duplicate alerts will be automatically deleted.
• Auto-resolution will work as expected and alerts will be auto-resolved when the device comes online.

Users who had this rule enabled before November 29th may still see duplicate alerts (one extra alert per device) for certain offline devices that had already generated an alert. If you see duplicate alerts, delete them by following these steps:

1. Go to the Alerts dashboard. See Get Started: Device Monitoring and Alerting to learn more.
2. On the Alerts dashboard, apply a search filter using the exact name of the rule that triggered the alerts ( such as Server Offline 14 Days).
3. Select all duplicate alerts.
4. Click the Actions dropdown and select Delete.

The Software Removal rule is incorrectly triggering alerts during software updates, which are resolved shortly after being created.

Cause

In some cases, System Insights incorrectly reports software updates as a removal followed by an addition, resulting in software_remove and software_add events in Directory Insights, which in turn generates the false alerts.

Solution

No workaround is available for this issue at the moment. We are actively working on a fix to resolve it.