Use this Knowledge Script to scan specified Windows logs for entries that match the criteria you specify. You can filter the event log entries by event type and by specifying a combination of include and exclude strings for each event field using regular expressions. This script raises an event when a log entry matches all your filter criteria. All event log entries that match the filtering criteria are returned in the event detail message.
Use the Filter the [...] field with parameters to control which fields to filter and the filtering criteria to use to find specific information, such as events associated with a specific user or computer name. With this script, specify the filtering criteria for each field you are interested in using a regular expression, or specify the name of a file that contains all your filtering criteria.
For more information, see Section 10.1, Creating Filters with Regular Expressions.
Once you start the Knowledge Script job, any new entries written to the event log that match your criteria are reported. This script does not scan the entire log for any previously-reported events.
This script requires the Microsoft EventLog service to be running on the managed client computer.
On computers where the Security log is updated frequently, such as domain controller computers, consider using the NetIQ Security Manager product to securely and quickly consolidate Security logs with low impact to the server. For more information, visit the NetIQ Web site at http://www.netiq.com/products/sm/default.asp.
Windows 2003 Server or later
The default interval for this script is Asynchronous. Regardless of the schedule you select, once you start the Knowledge Script, its job status appears as Running.
Set the following parameters as needed:
| Parameter | How to Set It |
|---|---|
| General Settings | |
| Job Failure Notification | |
| Event severity when job fails | Set the event severity level, from 1 to 40, to indicate the importance of an event in which the job fails. The default is 5. |
| Event Log Monitoring | |
| Filters | |
| Use case-sensitivity for specified filter strings? | Select Yes to enable case-sensitivity for the specified filter strings. The default is unselected. |
| Event logs to filter | Provide a comma-separated list of the event logs you want to monitor, or enter an asterisk (*) to monitor all event logs on the agent computer. When monitoring all logs, up to 63 event logs can be monitored by one job, so on agents where more than this number exists, some logs may not be monitored when running a job in this manner. The following is an example of specifying multiple event logs: System,Application,Microsoft-Windows-Bits-Client/Operational. NOTE: Monitoring all event logs can have a significant performance impact on the agent computer because every event written will need to be reviewed by the job. |
| Filter the … field with the regular expression | Use a regular expression to indicate the criteria to look for in each event log field: |
| Full path to a file containing filtering criteria | To specify matching expressions in an external file, type the full path to a file containing the filtering criteria you want to match. For example: C:\TEMP\MyFilters.txt. NOTE: If you specify a filter file, AppManager ignores the Filter the [...] field with parameters. However, if AppManager cannot process the filter file, the script raises an event (for example, fail to process filter file C:\async.xml). For additional information, see Using an External Filter File. |
| Event Notification | |
| Raise event if log entries matching criteria are found? | Select Yes to raise an event when log entries match your filtering criteria. The default is Yes. |
| Severity for critical events | Set the event severity level, from 1 to 40, to indicate the importance of an event in which critical events are detected. The default is 5 (red event indicator). |
| Severity for error events | Set the event severity level, from 1 to 40, to indicate the importance of an event in which error events are detected. The default is 10 (red event indicator). |
| Severity for warning events | Set the event severity level, from 1 to 40, to indicate the importance of an event in which warning events are detected. The default is 15 (yellow event indicator). |
| Severity for information events | Set the event severity level, from 1 to 40, to indicate the importance of an event in which information events are detected. The default is 25 (blue event indicator). |
| Severity for success audit events | Set the event severity level, from 1 to 40, to indicate the importance of an event in which success audit events are detected. The default is 10 (red event indicator). |
| Severity for failure audit events | Set the event severity level, from 1 to 40, to indicate the importance of an event in which failure audit events are detected. The default is 5 (red event indicator). |
| Data Collection | |
| Collect data for log entries that match criteria? | Select Yes to collect data for charts and reports. When enabled, data collection returns detail about log entries that match your filtering criteria. The default is unselected. |
Use this Knowledge Script to specify regular expressions for each event log field as script properties or maintain your search criteria independent of the script parameters in a separate filter file.
In many cases, specifying an external filter file provides greater flexibility and makes modifying your search criteria more straightforward, because you can add almost any number of expressions. You do not need to modify the script properties through the Operator Console or Control Center to pick up your changes.
To use a filter file:
Identify the strings that you want to find a match for (that is, the entries you want to include in your results).
Create a text file with one regular expression string per line to locate matching strings. Each line in the file consists of a parameter keyword followed by a colon (:), a tab or blank space, and the regular expression. Or the filter file can be written in XML.
Ensure the file exists on the target computer.
Provide the absolute path to the file on the local computer in the Full path to a file containing filtering criteria parameter and start the job.
There are two valid formats for the filter file: a simple table format to define the strings to include, and an XML format that allows you to define more complex include and exclude filtering. For both formats, the parameter name keywords are required, but the field values can be left blank if no filtering is needed.
Select a file format appropriate for the complexity of the filtering you need to do.
The table format provides a simple way to create the filter file. Each filtering section in the file begins with EventStart and ends with EventEnd. If an entry in the event log matches all the criteria you specified within a filtering section, it is considered a match and an event is raised in AppManager. If you have more than one filtering section, an entry matching either section raises an event.
For example, the following table format file provides two filter sections:
```text
EventStart
CaseSensitive: n
Log: System
Type: Error|Warning|Information
Source: ^SQL*
Category: *
EVENTID: 1[0-9][0-9][0-9]
User: Sam|Joe|Chris
Computer: SFO*
Description: ($Error.*)|(.*error.*occurred.$)
EventEnd
EventStart
CaseSensitive: n
Log: Application
Type: Error|Warning|Information
Source: ^SQL*
Category: *
EVENTID: 1[0-9][0-9][0-9]
User: Sam|Joe|Chris
Computer: SFO*
Description: ($Error.*)|(.*error.*occurred.$)
EventEnd
```
NOTE: If you specify only one filter section, do not include the EventStart and EventEnd lines in the file.
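The following Python script is an example added here; it is not code from AppManager or from this documentation. It parses a table-format filter file laid out as shown above and applies it to a few constructed event records, using the matching rule the text gives: every field in a section must match, and a match in any one section is enough. Two assumptions are made and marked in the code: a blank value or a bare `*` means no filtering on that field, and each keyword's expression is applied as a regular-expression search against the field's text. A file with no EventStart/EventEnd lines is treated as a single section, as the NOTE describes.

```python
import re
from typing import Dict, List

# Field keywords used by the table-format filter file (taken from the page's example).
FIELDS = ("Log", "Type", "Source", "Category", "EVENTID", "User", "Computer", "Description")

# Constructed copy of the two-section filter file shown in the documentation.
SAMPLE_FILTER = """\
EventStart
CaseSensitive: n
Log: System
Type: Error|Warning|Information
Source: ^SQL*
Category: *
EVENTID: 1[0-9][0-9][0-9]
User: Sam|Joe|Chris
Computer: SFO*
Description: ($Error.*)|(.*error.*occurred.$)
EventEnd
EventStart
CaseSensitive: n
Log: Application
Type: Error|Warning|Information
Source: ^SQL*
Category: *
EVENTID: 1[0-9][0-9][0-9]
User: Sam|Joe|Chris
Computer: SFO*
Description: ($Error.*)|(.*error.*occurred.$)
EventEnd
"""


def parse_table_filter(text: str) -> List[Dict[str, str]]:
    """Parse a table-format filter file into a list of sections (keyword -> expression)."""
    sections: List[Dict[str, str]] = []
    current: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "EventStart":
            current = {}
        elif line == "EventEnd":
            sections.append(current)
            current = {}
        else:
            # "Keyword: expression": split at the first colon only, so colons
            # inside the regular expression survive intact.
            keyword, _, expr = line.partition(":")
            current[keyword.strip()] = expr.strip()
    if current:  # no EventStart/EventEnd delimiters: the whole file is one section
        sections.append(current)
    return sections


def field_matches(pattern: str, value: str, case_sensitive: bool) -> bool:
    """Assumption: blank or '*' means no filtering; otherwise a regex search is applied."""
    if pattern in ("", "*"):
        return True
    flags = 0 if case_sensitive else re.IGNORECASE
    return re.search(pattern, value, flags) is not None


def section_matches(section: Dict[str, str], event: Dict[str, object]) -> bool:
    """All fields in the section must match for the entry to match the section."""
    case_sensitive = section.get("CaseSensitive", "n").lower().startswith("y")
    return all(field_matches(section.get(f, ""), str(event.get(f, "")), case_sensitive)
               for f in FIELDS)


def matching_sections(sections: List[Dict[str, str]], event: Dict[str, object]) -> List[int]:
    """Indexes of the sections the entry matches; a non-empty list means an event is raised."""
    return [i for i, s in enumerate(sections) if section_matches(s, event)]


# Constructed event log records (not real log data).
EVENTS = [
    {"Log": "System", "Type": "Error", "Source": "SQLSERVERAGENT", "Category": "(2)",
     "EVENTID": 1234, "User": "Sam", "Computer": "SFO-DB01",
     "Description": "Error 823 occurred."},
    {"Log": "Application", "Type": "Warning", "Source": "SQLSERVERAGENT", "Category": "(2)",
     "EVENTID": 1456, "User": "Joe", "Computer": "SFO-APP02",
     "Description": "Error 17 occurred."},
    {"Log": "System", "Type": "Error", "Source": "SQLSERVERAGENT", "Category": "(2)",
     "EVENTID": 1234, "User": "Alice", "Computer": "SFO-DB01",
     "Description": "Error 823 occurred."},
]

if __name__ == "__main__":
    sections = parse_table_filter(SAMPLE_FILTER)
    for event in EVENTS:
        hits = matching_sections(sections, event)
        print(f'{event["Log"]:<12} user={event["User"]:<6} -> sections {hits or "none"}')
```

The third record is the interesting one: every field except User matches the first section, and because a section only matches when all of its fields match, no event would be raised for it.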
The XML format is more sophisticated and more flexible than the table format. It allows you to set both include and exclude filters using the <Include> and <Exclude> tags and to combine these filter sets to define the search criteria. Each filtering section in the file begins with the <Events> tag. A log entry must match all the criteria you specified within a filtering section for it to be considered a match.
For example:
```xml
<?xml version = "1.0" standalone = "yes"?>
<EventLogConfig Name = "Event Filter" Type = "EVENT_FILTER_CUSTOM" ID = "76">
  <Include>
    <Events>
      <Log>Application</Log>
      <Type>INFORMATION|WARNING|ERROR</Type>
      <Source><![CDATA[Net*]]></Source>
      <Category>*</Category>
      <EVENTID>2*</EVENTID>
      <User>*</User>
      <Computer>*</Computer>
      <Description><![CDATA[Event.]]></Description>
      <CaseSensitive>y</CaseSensitive>
    </Events>
    <Events>
      <Log>System</Log>
      <Type>Warning</Type>
      <Source>RSVP</Source>
      <Category>*</Category>
      <EVENTID>*</EVENTID>
      <User>*</User>
      <Computer>SHASTA</Computer>
      <Description>RSVP*</Description>
      <CaseSensitive>y</CaseSensitive>
    </Events>
  </Include>
</EventLogConfig>
```
NOTE: If a field contains a regular expression that conflicts with XML syntax or includes special characters, enclose the expression in a CDATA section, <![CDATA[regular_expression]]>, to prevent parsing problems.
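As a second example added here (again not code from AppManager or this documentation), the Python script below reads an XML filter file modelled on the one above and evaluates constructed event records against it. The <Exclude> block in the sample, and the rule that an entry is reported when it matches at least one <Include> section and no <Exclude> section, are assumptions made for the example, since the page does not spell out how the two sets combine; a blank value or bare `*` is again assumed to mean no filtering. The script also shows that an XML parser unwraps the CDATA sections, so expressions such as `Net*` reach the matcher unchanged.

```python
import re
import xml.etree.ElementTree as ET
from typing import Dict, List, Tuple

FIELDS = ("Log", "Type", "Source", "Category", "EVENTID", "User", "Computer", "Description")

# Constructed filter file modelled on the page's example. The <Exclude> block is an
# added assumption about how exclude filters are written (same <Events> layout).
SAMPLE_XML = """<?xml version="1.0" standalone="yes"?>
<EventLogConfig Name="Event Filter" Type="EVENT_FILTER_CUSTOM" ID="76">
  <Include>
    <Events>
      <Log>Application</Log><Type>INFORMATION|WARNING|ERROR</Type>
      <Source><![CDATA[Net*]]></Source><Category>*</Category><EVENTID>2*</EVENTID>
      <User>*</User><Computer>*</Computer>
      <Description><![CDATA[Event.]]></Description><CaseSensitive>y</CaseSensitive>
    </Events>
    <Events>
      <Log>System</Log><Type>Warning</Type><Source>RSVP</Source><Category>*</Category>
      <EVENTID>*</EVENTID><User>*</User><Computer>SHASTA</Computer>
      <Description>RSVP*</Description><CaseSensitive>y</CaseSensitive>
    </Events>
  </Include>
  <Exclude>
    <Events>
      <Log>Application</Log><Type>*</Type><Source>*</Source><Category>*</Category>
      <EVENTID>*</EVENTID><User>*</User><Computer>*</Computer>
      <Description><![CDATA[.*test.*]]></Description><CaseSensitive>n</CaseSensitive>
    </Events>
  </Exclude>
</EventLogConfig>
"""


def parse_xml_filter(text: str) -> Tuple[List[Dict[str, str]], List[Dict[str, str]]]:
    """Return (include_sections, exclude_sections); each section maps tag -> expression.
    ElementTree returns the content of <![CDATA[...]]> as ordinary text."""
    root = ET.fromstring(text)

    def sections(path: str) -> List[Dict[str, str]]:
        return [{child.tag: (child.text or "").strip() for child in events}
                for events in root.findall(path)]

    return sections("./Include/Events"), sections("./Exclude/Events")


def field_matches(pattern: str, value: str, case_sensitive: bool) -> bool:
    """Assumption: blank or '*' means no filtering; otherwise a regex search is applied."""
    if pattern in ("", "*"):
        return True
    return re.search(pattern, value, 0 if case_sensitive else re.IGNORECASE) is not None


def section_matches(section: Dict[str, str], event: Dict[str, object]) -> bool:
    case_sensitive = section.get("CaseSensitive", "n").lower().startswith("y")
    return all(field_matches(section.get(f, ""), str(event.get(f, "")), case_sensitive)
               for f in FIELDS)


def evaluate(include: List[Dict[str, str]], exclude: List[Dict[str, str]],
             event: Dict[str, object]) -> bool:
    """Assumed combination rule: report the entry if some <Include> section matches
    and no <Exclude> section matches."""
    return (any(section_matches(s, event) for s in include)
            and not any(section_matches(s, event) for s in exclude))


def make_event(log, type_, source, event_id, computer, description) -> Dict[str, object]:
    """Build a constructed event record with fixed Category and User values."""
    return {"Log": log, "Type": type_, "Source": source, "Category": "None",
            "EVENTID": event_id, "User": "SYSTEM", "Computer": computer,
            "Description": description}


XML_EVENTS = [
    make_event("Application", "INFORMATION", "Netlogon", 2001, "WS01", "Event. Service started."),
    make_event("Application", "INFORMATION", "Netlogon", 2001, "WS01", "Event. Test run only."),
    make_event("System", "Warning", "RSVP", 5, "SHASTA", "RSVP reservation failed"),
    make_event("System", "Warning", "RSVP", 5, "OTHER", "RSVP reservation failed"),
]

if __name__ == "__main__":
    inc, exc = parse_xml_filter(SAMPLE_XML)
    for ev in XML_EVENTS:
        verdict = "report" if evaluate(inc, exc, ev) else "ignore"
        print(f'{ev["Log"]:<12} {ev["Source"]:<9} {ev["Computer"]:<7} -> {verdict}')
```

The second record matches the first <Include> section exactly as the first one does, but its description also matches the <Exclude> section, so under the assumed rule it is not reported; the fourth fails the Computer criterion of the second <Include> section and is likewise dropped.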