Use this Knowledge Script to monitor and filter Microsoft Windows Event Log entries created by the Microsoft Cluster Server (entries that have ClusSvc as their Source in the System Log). This script tracks Windows event log entries that match a set of filtering criteria and notifies you when a log entry that meets the filtering criteria is generated during the monitoring interval.
This script works on an incremental basis, meaning it does not fully rescan the event log each time it runs, and all log entries that match the filtering criteria are returned in the event or data point detail message.
Microsoft Cluster Server
In Windows Server 2003 environments, run this script on only one node to avoid duplication of events. Running this script on multiple nodes results in multiple scannings of the same Event Log, which in turn results in duplicate events for the same Event Log entries.
By default, this script runs every 30 minutes.
Set the following parameters as needed:
|
Description |
How to Set It |
|---|---|
|
Raise event? |
Set to y to raise an event if log entries match your search criteria. The default is y. NOTE:The format for Event log entries in Windows Server 2008 differs slightly from the format of Event log entries in Windows Server 2003. This difference can affect the information displayed in an event message for events raised on failover clusters. Specifically, for Windows Server 2003, the Description in the event message is an alphabetic value derived from the ResourceName and ResourceGroup fields in the Event log. In Windows Server 2008, the Description may be a numeric value or may be blank, depending on the contents of the ResourceName and ResourceGroup fields. |
|
Collect data? |
Set to y to collect data for charts and reports. The default is n. If enabled, data collection returns the number of new event log entries, and the detailed message lists the log entries. |
|
Events in past N hours |
Set this parameter to control checking for the first interval (after which checking is incremental):
|
|
Monitor for error events? |
Set to y to monitor the Event Log for error events. The default is y. |
|
Monitor for warning events? |
Set to y to monitor the Event Log for warning events. The default is y. |
|
Monitor for information events? |
Set to y to monitor the Event Log for information events. The default is y. |
|
Monitor for success audit events? |
Set to y to monitor the Event Log for success audit events. The default is y. |
|
Monitor for failure audit events? |
Set to y to monitor the Event Log for failure audit events. The default is y. |
|
Filter the Event Category field for |
To monitor for events in a particular category (for example Server or Logon), enter an appropriate search string. This script looks for matching entries in the Event Log Category field. Multiple strings can be entered separated by commas. The search string can contain criteria used to include entries, exclude entries, or both. Separate the include and exclude criteria with a colon (:). If you are specifying only include criteria, the colon is not necessary. |
|
Filter the Event ID field for |
To monitor for particular event IDs, enter an appropriate search string. This script looks for matching entries in the Event Log Event field. Multiple IDs and ranges can be entered separated by commas. For example: 1,2,10-15,202. The search string can contain criteria used to include entries, exclude entries, or both. Separate the include and exclude criteria with a colon (:). If you are specifying only include criteria, the colon is not necessary. |
|
Filter the Event User field for |
To monitor for events associated with a particular user, enter an appropriate search string. This script looks for matching entries in the Event Log’s User field. Multiple strings can be entered separated by commas. The search string can contain criteria used to include entries, exclude entries, or both. Separate the include and exclude criteria with a colon (:). If you are specifying only include criteria, the colon is not necessary. |
|
Filter the Event Computer field for |
To monitor for events generated by a particular computer, enter an appropriate search string. This script looks for matching entries in the Event Log Computer field. Multiple strings can be entered separated by commas. The search string can contain criteria used to include entries, exclude entries, or both. Separate the include and exclude criteria with a colon (:). If you are specifying only include criteria, the colon is not necessary. |
|
Filter the Event Description field for |
To monitor for events with a particular detail description or containing keywords in the description, enter an appropriate search string. This script looks for matching entries in the Event Log Description field. Multiple strings can be entered separated by commas. The search string can contain criteria used to include entries, exclude entries, or both. Separate the include and exclude criteria with a colon (:). If you are specifying only include criteria, the colon is not necessary. |
|
Maximum number of entries per event report |
Specify the maximum number of entries that can be recorded into each event's detail message before an event is raised. If this script finds more entries from the log than can be put into one event report, it raises multiple events to report all the outstanding entries in the log. The default is 30 entries. |
|
Event severity level when log entries match search criteria |
Set the event severity level, from 1 to 40, to indicate the importance of an event in which log entries match your search criteria. The default is 8 (red event indicator). You can adjust the severity depending on the log or type of event you are checking. |
|
Event severity level when job fails |
Set the event severity level, from 1 to 40, to indicate the importance of an event in which the EventLog job fails unexpectedly. The default is 35 (magenta event indicator). |