10.3 NTEventLog

Use this Knowledge Script to receive notification of entries in specified Windows event logs that match the criteria you specify. You can filter event log entries by particular field values and set an event severity for each event type. You can monitor both the legacy Windows event logs, such as Application or System, and the custom event logs under the Applications and Services Logs folder in the Windows Event Viewer. This script raises an event when a log entry matches all of your filter criteria. All event log entries that match the filtering criteria are returned in the event detail message.

This script requires the Microsoft EventLog service to be running on the managed client computer.

When you run this script, only new entries that are written to the event log after you start the job are reported. This script does not review the entire event log each time it runs.

On computers where the Security log is updated frequently, such as domain controller computers, consider using the NetIQ Security Manager product to securely and quickly consolidate Security logs with low impact to the server.

NOTE: To specify filters using regular expressions, use the NTEventLogRX Knowledge Script.

10.3.1 Resource Objects

Windows 2003 Server or later

10.3.2 Default Schedule

The default interval for this script is Asynchronous. Regardless of the schedule you select, once you start the Knowledge Script, its job status appears as Running.

10.3.3 Setting Parameter Values

Set the following parameters as needed:

Parameter

How to Set It

General Settings

Job Failure Notification


Event severity when job fails

Set the event severity level, from 1 to 40, to indicate the importance of an event in which the job fails. The default is 5.

Event Log Monitoring


Event logs to filter

Provide a comma-separated list of the event logs you want to monitor, or enter an asterisk (*) to monitor all event logs on the agent computer. A single job can monitor at most 63 event logs, so on agents that have more than 63 logs, monitoring all logs with an asterisk leaves some logs unmonitored. The following is an example of specifying multiple event logs:

System,Application,Microsoft-Windows-Bits-Client/Operational

The default is Application.

NOTE: Monitoring all event logs can have a significant performance impact on the agent computer because the job must review every event that is written.

Ignore event log matches occurring during agent maintenance mode?

Select Yes for the Knowledge Script to ignore event log matches that occur while the agent is in maintenance mode. No events will be raised or data collected for matches that are written to the event logs during this time. The default is Yes.

Filters


Use case-sensitivity for specified filter strings?

Select Yes to enable case-sensitivity for the specified filter strings. The default is unselected.

Event Types


Filter critical events?

Select Yes to filter critical events. The default is Yes.

Filter error events?

Select Yes to filter error events. The default is Yes.

Filter warning events?

Select Yes to filter warning events. The default is Yes.

Filter information events?

Select Yes to filter information events. The default is Yes.

Filter success audit events?

Select Yes to filter success audit events on agent computers running Windows Server 2003 or prior operating systems. The default is Yes.

NOTE: On Windows Server 2008 and later, Audit Success is one of the values of the Keywords field in the Security event log.

Filter failure audit events?

Select Yes to filter failure audit events on agent computers running Windows Server 2003 or prior operating systems. The default is Yes.

NOTE: On Windows Server 2008 and later, Audit Failure is one of the values of the Keywords field in the Security event log.

Event source filter

To filter for events generated by a particular source, such as SQLExecutive, SNMP, or Service Control Manager, enter an appropriate filter string. This script looks for matching entries in the event log’s Source field. Multiple strings can be entered separated by commas.

There is no default value set, so no filtering by Source takes place by default. You must enter the appropriate source(s) to filter events generated by the source(s).

The filter string must contain criteria used to include entries, exclude entries, or both. Separate the include and exclude criteria with a colon (:). If you specify only include criteria, the colon is not necessary.

Event category filter

To filter events in a particular category, such as Server or Logon, enter an appropriate filter string. The Knowledge Script looks for matching entries in the event log’s Category field.

There is no default value set, so no filtering by Category takes place by default. You must enter the appropriate category(ies) to filter events generated by the category(ies).

The filter string must contain criteria used to include entries, exclude entries, or both. Separate the include and exclude criteria with a colon (:). If you specify only include criteria, the colon is not necessary.

Event ID filter

Use this parameter to filter for particular event IDs.

Provide an Event ID or an ID range (for example, 100-2000). This script looks for matching entries in the event log’s Event ID field. Separate multiple IDs and ranges with commas. For example:

1,2,10-15,202

The search string can contain criteria to include entries, exclude entries, or both. Separate include and exclude criteria with a colon (:) using the following format: include:exclude. For example, to include event IDs 10 through 15 and to exclude event ID 202, enter the following:

10-15:202

If you specify only include criteria, the colon is not necessary.

There is no default value set, so no filtering by Event ID takes place by default. You must enter the appropriate Event ID(s) to filter events by the Event ID(s).
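The include:exclude syntax above is easy to get wrong, so here is a small parser and matcher for the Event ID filter string, written as an added example (not NetIQ code) and run over constructed sample entries. It assumes two things the page does not state: whitespace around items is ignored, and an empty include part (for example ":202") means all IDs.

```python
"""Parser/matcher for the NTEventLog 'Event ID filter' syntax described above.
Added example, not NetIQ code. Assumptions not stated on the page: whitespace
around items is ignored, and an empty include part (e.g. ':202') means all IDs."""
from typing import List, Tuple


def parse_id_list(text: str) -> List[Tuple[int, int]]:
    """'1,2,10-15,202' -> [(1, 1), (2, 2), (10, 15), (202, 202)]."""
    ranges = []
    for item in (p.strip() for p in text.split(",")):
        if not item:
            continue
        lo, _, hi = item.partition("-")
        lo, hi = int(lo), int(hi or lo)  # a single ID is a one-element range
        if lo > hi:
            raise ValueError(f"reversed range: {item}")
        ranges.append((lo, hi))
    return ranges


def parse_filter(spec: str) -> Tuple[List[Tuple[int, int]], List[Tuple[int, int]]]:
    """Split 'include:exclude'; the colon is optional when only including."""
    if spec.count(":") > 1:
        raise ValueError("only one ':' separator is allowed")
    inc, _, exc = spec.partition(":")
    return parse_id_list(inc), parse_id_list(exc)


def matches(spec: str, event_id: int) -> bool:
    """True when event_id passes the filter; exclude criteria win over include."""
    include, exclude = parse_filter(spec)
    in_any = lambda ranges: any(lo <= event_id <= hi for lo, hi in ranges)
    if in_any(exclude):
        return False
    return not include or in_any(include)  # empty include = all IDs (assumption)


# Constructed sample log entries, not real event data.
SAMPLE_EVENTS = [
    {"log": "System", "id": 10, "source": "Service Control Manager"},
    {"log": "System", "id": 12, "source": "Kernel-General"},
    {"log": "Application", "id": 202, "source": "ExampleApp"},
    {"log": "Application", "id": 1000, "source": "ExampleApp"},
]


def filter_events(spec: str, events) -> List[int]:
    """Return the Event IDs of the entries that match the filter string."""
    return [e["id"] for e in events if matches(spec, e["id"])]


if __name__ == "__main__":
    print(filter_events("10-15:202", SAMPLE_EVENTS))  # [10, 12]
```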

Event user filter

To filter events associated with a particular user, enter a filter string that includes the user’s domain name and user name, separated with a backslash “\”, or enter a filter string using just the user name you want events in the monitored event log to contain. For example, NetIQ Corporation\Tom Jones.

This script looks for matching entries as they appear in the User field of the event log’s Event Details dialog box (to view it, double-click a log entry in the Event Viewer). Separate multiple strings with commas (,).

There is no default value set, so no filtering by User takes place by default. You must enter the appropriate user(s) to filter events generated by specific user(s).

The filter string can contain criteria used to include entries, exclude entries, or both. Separate the include and exclude criteria with a colon (:). If you specify only include criteria, the colon is not necessary.

Event computer filter

To filter events generated by a particular computer, enter an appropriate filter string. This script looks for matching entries in the event log’s Computer field. Multiple strings can be entered separated by commas.

There is no default value set, so no filtering by Computer takes place by default. You must enter the appropriate computer(s) to filter events generated by the computer(s).

The filter string can contain criteria used to include entries, exclude entries, or both. Separate the include and exclude criteria with a colon (:). If you specify only include criteria, the colon is not necessary.

Event keywords filter

To filter events by keyword, provide a search string. This script looks for matching entries in the event log’s Keywords field. Separate multiple strings with commas.

The search string can contain criteria to include entries, exclude entries, or both. Separate include and exclude criteria with a colon (:) using the following format: include:exclude.

If you specify only include criteria, the colon is not necessary.

There is no default value set, so no filtering by Keywords takes place by default. You must enter the appropriate Keywords to filter events containing specific strings in the Keywords field.

Event description filter

To filter events with a particular detail description, enter an appropriate filter string. This script looks for matching entries in the event log’s Description field. Multiple strings can be entered separated by commas.

There is no default value set, so no filtering by Description takes place by default. You must enter the appropriate event log’s description(s) to filter events generated by the event log’s description(s).

The filter string can contain criteria used to include entries, exclude entries, or both. Separate the include and exclude criteria with a colon (:). If you specify only include criteria, the colon is not necessary.

Event Notification

Raise event if log entries matching criteria are found?

Select Yes to raise an event when log entries match your filtering criteria. The default is Yes.

Severity for critical events

Set the event severity level, from 1 to 40, to indicate the importance of an event in which critical events are detected. The default is 5 (red event indicator).

Severity for error events

Set the event severity level, from 1 to 40, to indicate the importance of an event in which error events are detected. The default is 10 (red event indicator).

Severity for warning events

Set the event severity level, from 1 to 40, to indicate the importance of an event in which warning events are detected. The default is 15 (yellow event indicator).

Severity for information events

Set the event severity level, from 1 to 40, to indicate the importance of an event in which information events are detected. The default is 25 (blue event indicator).

Severity for success audit events

Set the event severity level, from 1 to 40, to indicate the importance of an event in which success audit events are detected. The default is 10 (red event indicator).

Severity for failure audit events

Set the event severity level, from 1 to 40, to indicate the importance of an event in which failure audit events are detected. The default is 5 (red event indicator).

Data Collection

Collect data for log entries that match criteria?

Select Yes to collect data for charts and reports. When enabled, data collection returns detail about log entries that match your filtering criteria. The default is unselected.