Use this Knowledge Script to monitor the Windows Event Log for Active Directory entries associated with the NetLogon service. You can configure this script to scan the log only for entries that match a set of filtering criteria.
This script does not fully rescan the event log each time it runs. All event-log entries that match the filtering criteria are returned in the event or data point detail message.
You can restrict the types of log entries that generate an event by using the Filtering parameters:
- Use the Event Type parameters to search only certain types of events, such as Warning events.
- Use the Other parameters to search only for specific information, such as events associated with a specific user or computer name.
NOTE: Only the most recent batch of events can be viewed in the data point detail message. For example, assume you set this script to scan all previous entries in the event log and list ten matching entries in each event detail message. When the script runs, 30 entries are found that match your filtering criteria. In this case, the script would create three child events for the interval.
Each child event would have ten entries: the oldest matching entries in one child event batch, the second oldest in a second batch, and the most recent in a third batch.
If this same job is collecting data and you view the detail message for the interval, only the entries from the third child event (Batch 3) are displayed.
Active Directory domain controller
The default interval for this script is Every 15 minutes.
Set the following parameters as needed:
| Description | How to Set It |
|---|---|
| General Settings | |
| Raise event if job fails | |
| Event severity when job fails | Set the severity level, from 1 to 40, to indicate the importance of an event in which the EventLog (NetLogon) job fails. The default is 35. |
| Monitor Windows System log for NetLogon events | |
| Start with events in past | Set this parameter to control checking for the first job iteration. After the first iteration, checking of the log is incremental. The default is 0. |
| Filtering | |
| Event Types | |
| Error | Select Yes to monitor Error entries. The default is Yes. |
| Warning | Select Yes to monitor Warning entries. The default is Yes. |
| Information | Select Yes to monitor Information entries. The default is unselected. |
| Other | |
| Filter -- Source | To monitor events generated by a particular source, enter an appropriate search string. This script looks for matching entries in the Event Log’s Source field. Multiple strings can be entered, separated by commas. The search string can contain criteria used to include entries, exclude entries, or both. Separate the include and exclude criteria with a colon (:). If you are specifying only include criteria, the colon is not necessary. |
| Filter -- Category | To monitor events in a particular category, such as Server or Logon, enter an appropriate search string. This script looks for matching entries in the Event Log’s Category field. Multiple strings can be entered, separated by commas. The search string can contain criteria used to include entries, exclude entries, or both. Separate the include and exclude criteria with a colon (:). If you are specifying only include criteria, the colon is not necessary. |
| Filter -- Event ID | To monitor particular event IDs, enter an appropriate search string or ID range, for example, 100-2000. This script looks for matching entries in the Event Log’s Event field. Multiple IDs and ranges can be entered, separated by commas and no spaces. For example: 1,2,10-15,202. The search string can contain criteria used to include entries, exclude entries, or both. Separate the include and exclude criteria with a colon (:). If you are specifying only include criteria, the colon is not necessary. |
| Filter -- User | To monitor events associated with a particular user, enter an appropriate search string, for example, <domain name>\<user name>. This script looks for matching entries in the Event Log’s User field. Multiple strings can be entered, separated by commas. The search string can contain criteria used to include entries, exclude entries, or both. Separate the include and exclude criteria with a colon (:). If you are specifying only include criteria, the colon is not necessary. |
| Filter -- Computer | To monitor events generated by a particular computer, enter an appropriate search string. This script looks for matching entries in the Event Log’s Computer field. Multiple strings can be entered, separated by commas. The search string can contain criteria used to include entries, exclude entries, or both. Separate the include and exclude criteria with a colon (:). If you are specifying only include criteria, the colon is not necessary. |
| Filter -- Description | To monitor events with a particular detail description or containing keywords in the description, enter an appropriate search string. This script looks for matching entries in the Event Log’s Description field. Multiple strings can be entered, separated by commas. The search string can contain criteria used to include entries, exclude entries, or both. Separate the include and exclude criteria with a colon (:). If you are specifying only include criteria, the colon is not necessary. |
| Event Notification | |
| Raise event if new log entries found? | Select Yes to raise an event if new log entries are found. The default is Yes. |
| Maximum number of entries per event message | Specify the maximum number of entries to be recorded in each event's detail message. If this script finds more entries in the log than can be put into one event message, it returns multiple events to report all of the outstanding entries in the log. The default is 1 entry. |
| Event severity when new event log entries found | Set the severity level, from 1 to 40, to indicate the importance of an event in which new log entries are found. The default is 10. |
| Data Collection | |
| Collect data for number of matching entries? | Select Yes to collect data for charts and reports. If enabled, data collection returns the number of Event Log entries that match your filtering criteria. Additional information is supplied in the data detail message. The default is unselected. |
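As an added example (not NetIQ's code), the block below models the filter syntax from the Filtering rows (comma-separated include criteria, a colon before exclude criteria, event ID ranges such as 100-2000) and the batching behaviour from the NOTE above, so you can check what a given filter string will match before deploying the job. Text fields are assumed to match case-insensitively by substring, and the sample NetLogon records are constructed, not taken from a real log.

```python
from dataclasses import dataclass
@dataclass
class LogEntry:
    event_type: str   # "Error", "Warning" or "Information"
    source: str
    event_id: int
    user: str
    computer: str
    description: str

def parse_filter(spec):
    """'inc1,inc2:exc1' -> (includes, excludes); with no colon everything is an include."""
    inc, _, exc = spec.partition(":")
    return [t for t in inc.split(",") if t], [t for t in exc.split(",") if t]

def id_match(item, event_id):
    """A bare number matches exactly; 'lo-hi' is an inclusive range such as 100-2000."""
    lo, sep, hi = item.partition("-")
    return int(lo) <= event_id <= int(hi) if sep else event_id == int(lo)

def text_match(item, value):
    return item.lower() in value.lower()  # assumed: case-insensitive substring match

def field_ok(spec, value, match):
    """Empty spec passes; otherwise the value must hit an include (if any) and no exclude."""
    includes, excludes = parse_filter(spec)
    if includes and not any(match(i, value) for i in includes):
        return False
    return not any(match(x, value) for x in excludes)

def entry_matches(e, types, event_id="", source="", user="", computer="", description=""):
    """Every configured filter must pass, mirroring the script's Filtering parameters."""
    return (e.event_type in types
            and field_ok(event_id, e.event_id, id_match)
            and field_ok(source, e.source, text_match)
            and field_ok(user, e.user, text_match)
            and field_ok(computer, e.computer, text_match)
            and field_ok(description, e.description, text_match))

def batch(entries, max_per_event):
    """Oldest entries form batch 1; only the last batch shows in the data detail message."""
    return [entries[i:i + max_per_event] for i in range(0, len(entries), max_per_event)]

SYS = "NT AUTHORITY\\SYSTEM"  # constructed sample records follow, oldest first, not real log data
SAMPLE = [
    LogEntry("Error", "NETLOGON", 5719, SYS, "DC01", "No domain controller is available"),
    LogEntry("Warning", "NETLOGON", 5805, SYS, "DC01", "Session setup from WS01 failed"),
    LogEntry("Information", "NETLOGON", 5781, SYS, "DC02", "DNS record registration"),
    LogEntry("Error", "NETLOGON", 5722, SYS, "DC02", "Session setup from WS02 failed"),
]
```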