Maybe someone from the forum can help me out on this one. Thanks in advance for any responses.
I want to move completely to policy management but here is one scenario I can't figure out.
I have custom scripts that identify backup software, which is populated in a custom field. I then apply event log settings based on this view. One of the event log settings is to alert if I haven't seen a failed or completed backup in the last 30 hours. Policy management seems to do its job when a machine is in compliance with this view. Applies the event log settings and good to go. However, if my backup check script runs and that backup software is removed (removed from custom field), it leaves the view.
If this was a reactive event log, it wouldn't be a problem since it just wouldn't see the event ID. But because this is an exception event log setting, it throws an alert because obviously it hasn't seen a completed or failed backup because that software is no longer running. Support is saying I would have to go through and find any of these machines that have dropped out of the view and remove the event log.
Anyone else have any ideas on how to accomplish this without manual intervention?
Thanks.