After a few months of observing a few issues (one being resolved by a new patch, thanks jclarke) with email alerting, I've narrowed the final issue down.
Each time I have re-init'd DFM for various troubleshooting reasons, DFM will resume emailing alerts. I have informational and Critical, Actice and Cleared events enabled.
What's happening is... I'm getting both email alerts for Active then Cleared. But... the Cleared emails have Active in the Status and Critical in the Severity. The data contained is correct though:
EVENT ID = 00001CO
ALERT ID = 00000RT
TIME = Wed 16-Apr-2008 14:18:15 MST
STATUS = Active
SEVERITY = Critical
MANAGED OBJECT = xxx.xxx.xxx.xxx
MANAGED OBJECT TYPE = Routers
EVENT DESCRIPTION = HighUtilization::Component=IF-xxx.xxx.xxx.xxx/1 [Se0/0] [xxx.xxx.xxx.xxx];OutputPacketRate=133.41908 PPS;Type=PROPPOINTTOPOINTSERIAL;CurrentUtilization=30.89455 %;InputPacketRate=153.18257 PPS;TrafficRate=59626.48 BYPS;UtilizationThreshold=80;DuplexMode=FULLDUPLEX;MaxSpeed=1544000;
CUSTOMER IDENTIFICATION =
This occurs on some switches and some routers but not all. It seems to change each time I've re-initialized DFM but its never %100 correct on the Cleared events. DFM fault logs show all these events as cleared, which is correct, something between DFM and email formatting? Anyone see this before?