8.9 EventLog

Use this Knowledge Script to monitor and filter information in custom Windows Event Logs. With this script, you can track Windows event log entries that match filtering criteria. This script works incrementally; it does not rescan the entire event log each time it runs. It returns all event log entries that match the filtering criteria in the event or data point detail message. To monitor custom Windows event logs on agent computers running Windows Server 2008 or newer, the agent computer on which you run a General_EventLog job must have version 3.5 or later of Microsoft's .NET Framework and version 8.0 or later of AppManager for Microsoft Windows installed.

If you want to monitor a custom event log that appears under Applications and Services Logs in the Microsoft Event Viewer, create the following registry key for that log if the key does not exist:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\eventlog\<Event log name>

In addition, you must provide a registry key and values for each event source in the custom event log:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\eventlog\<Event log name>\<Event source>

Under each <Event source> registry key, create a new string registry value named EventMessageFile that contains the path to the message file used by the custom log. AppManager then loads the full event description text from the message file and displays that text in AppManager events.
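As an added illustration (not part of the original documentation or of the AppManager product), the following Python script generates a .reg file that creates the registry key for a custom log and an EventMessageFile string value for each of its event sources, which you can then import on the agent computer. The log name MyCustomLog, the source name MySource and the message file path are constructed sample values.

```python
"""Generate a .reg file that registers a custom event log and its sources."""

REG_HEADER = "Windows Registry Editor Version 5.00"
EVENTLOG_ROOT = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\eventlog"


def check_name(name: str, what: str) -> str:
    """Reject empty names and names containing a backslash: inside the [...]
    key line a backslash is a path separator, so it would create a nested key
    instead of the log or source key the documentation describes."""
    if not name or "\\" in name:
        raise ValueError(f"invalid {what}: {name!r}")
    return name


def reg_string(value: str) -> str:
    """Quote a string value the way .reg files expect: the value is wrapped in
    double quotes, and backslashes and quotes inside it are escaped."""
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'


def custom_log_reg(log_name: str, sources: dict) -> str:
    """Build the .reg text for one custom log.

    sources maps each event source name to the message file that source uses.
    The log gets its own key; each source gets a subkey holding an
    EventMessageFile string value, as the documentation above requires.
    """
    check_name(log_name, "event log name")
    log_key = f"{EVENTLOG_ROOT}\\{log_name}"
    lines = [REG_HEADER, "", f"[{log_key}]", ""]
    for source, message_file in sources.items():
        check_name(source, "event source")
        lines.append(f"[{log_key}\\{source}]")
        lines.append(f'"EventMessageFile"={reg_string(message_file)}')
        lines.append("")
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed sample values; substitute the real log, source and DLL path.
    print(custom_log_reg("MyCustomLog",
                         {"MySource": r"C:\Program Files\MyApp\messages.dll"}))
```

Redirect the output to a .reg file and import it with regedit or reg.exe on the agent computer. The generator doubles backslashes in the path because the .reg format requires it, and it refuses log or source names that contain a backslash, which would otherwise silently create a nested key rather than the one the script expects.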

NOTE:

  • Only the most recent batch of events can be viewed in the data point detail message. For example, assume you set this script to scan all previous entries in the event log and list ten matching entries in each event detail message. When the job runs, 30 entries are found that match your filtering criteria. In this case, the job creates three child events for the interval, and each child event contains ten entries: the oldest matching entries in one child event batch, the second oldest in Batch 2, and the most recent in Batch 3. If this same job is collecting data and you view the data detail message for the interval, only the entries from the third child event (Batch 3) are displayed.

  • When you use text or numeric strings in the Event [...] filter parameters, this script searches event logs and matches the text or numeric string to any part of the event entry. The results are not exact matches. For example, if your filter string is “foo,” results will include “foobar,” “foo,” and “food.”

8.9.1 Resource Objects

Windows computer or application server, such as Exchange Server or SQL Server

8.9.2 Default Schedule

The default interval for this script is Every 10 minutes.

8.9.3 Setting Parameter Values

Set the following parameters as needed:

Parameter

How to Set It

General Settings

Job Failure Notification

Event severity when job fails

Set the event severity level, from 1 to 40, to indicate the importance of an event in which the EventLog job fails. The default is 5.

Event Log Monitoring

Event logs to monitor

Provide a comma-separated list of the event logs you want to monitor. For example:

System,Application,Security

The default is Application.

Number of previous hours to scan logs

Set this parameter to control how the script scans the logs at the first interval, after which scanning begins where the previous scan ended. Enter one of the following values:

  • -1 -- to scan all the existing entries

  • N -- to scan entries only for the past N hours (8 for the past 8 hours, 50 for the past 50 hours, for example)

  • 0 -- to not scan previous entries; only search from this moment on.

The default is 0.

Maximum number of entries per event report

Specify the maximum number of entries to be recorded in each event's detail message. If this script finds more entries from the log than can be put into one event message, it will return multiple events to report all the outstanding entries in the log. The default is 30 entries.

If this script encounters one or more very large events in the Windows Event log, this script may error out and generate an event message “Out of string space.” If this occurs, you can usually work around the problem by adjusting this parameter to a smaller value.

Ignore event log matches occurring during agent maintenance mode?

Select Yes for the Knowledge Script to ignore event log matches that occur while the agent is in maintenance mode. No events will be raised or data collected for matches that are written to the event logs during this time. The default is unselected.

Event Log Filters

Event Types

Monitor critical events?

Select Yes to monitor critical event entries. The default is Yes.

Monitor error events?

Select Yes to monitor error event entries. The default is Yes.

Monitor warning events?

Select Yes to monitor warning event entries. The default is Yes.

Monitor information events?

Select Yes to monitor information event entries. The default is Yes.

Monitor success audits?

Select Yes to monitor success audit event entries. Success audits are successful security access attempts that are audited. The default is Yes.

NOTE: This option only applies to computers running Windows 2003.

Monitor failure audits?

Select Yes to monitor failure audit event entries. Failure audits are failed security access attempts that are audited. The default is Yes.

NOTE: This option only applies to computers running Windows 2003.

Event source filter

Use this parameter to filter for events generated by a particular source, which can be the name of a program, a system component, or a component of a large program. For example, SQLExecutive, SNMP, or the Service Control Manager.

Provide a search string. This script will look for matching entries in the Event Log Source field. Separate multiple strings with commas.

The search string can contain criteria to include entries, exclude entries, or both. Separate include and exclude criteria with a colon (:) using the following format: include:exclude. For example, to include all SQL sources and to exclude all SNMP sources, enter the following:

SQL:SNMP

If you specify only include criteria, the colon is not necessary.

Event category filter

Use this parameter to filter for events in a particular category, such as Server or Logon.

Provide a search string. This script will look for matching entries in the Event Log Category field. Separate multiple strings with commas.

The search string can contain criteria to include entries, exclude entries, or both. Separate include and exclude criteria with a colon (:) using the following format: include:exclude. For example, to include the Server category and to exclude the Logon category, enter the following:

Server:Logon

If you specify only include criteria, the colon is not necessary.

Event ID filter

Use this parameter to filter for particular event IDs.

Provide a search string or an ID range (for example, 100-2000). This script will look for matching entries in the Event Log Event field. Separate multiple IDs and ranges with commas. For example:

1,2,10-15,202

The search string can contain criteria to include entries, exclude entries, or both. Separate include and exclude criteria with a colon (:) using the following format: include:exclude. For example, to include event IDs 10 through 15 and to exclude event ID 202, enter the following:

10-15:202

If you specify only include criteria, the colon is not necessary.

Event user filter

Use this parameter to filter for events associated with a particular user.

Provide a search string, for example, <domain name>\<user name>. This script will look for matching entries in the Event Log User field. Separate multiple strings with commas.

The search string can contain criteria to include entries, exclude entries, or both. Separate include and exclude criteria with a colon (:) using the following format: include:exclude. For example, to include events for user Joe and exclude events for user Sam, both of whom are in the RALQE domain, enter the following:

RALQE\Joe:RALQE\Sam

If you specify only include criteria, the colon is not necessary.

Event computer filter

Use this parameter to filter for events generated by a particular computer.

Provide a search string. This script will look for matching entries in the Event Log Computer field. Separate multiple strings with commas.

The search string can contain criteria to include entries, exclude entries, or both. Separate include and exclude criteria with a colon (:) using the following format: include:exclude. For example, to include all computers with SFO in the hostname and to exclude all computers with RDU in the hostname, enter the following:

*SFO*:*RDU*

If you specify only include criteria, the colon is not necessary.

Event keywords filter

Use this parameter to filter for events that carry particular keywords.

Provide a search string. This script will look for matching entries in the Event Log Keywords field. Separate multiple strings with commas.

The search string can contain criteria to include entries, exclude entries, or both. Separate include and exclude criteria with a colon (:) using the following format: include:exclude. For example, to include entries whose keywords contain Audit Failure and to exclude entries whose keywords contain Audit Success, enter the following:

Audit Failure:Audit Success

If you specify only include criteria, the colon is not necessary.

Event description filter

Use this parameter to filter for events with a particular detail description or containing keywords in the description.

Provide a search string. This script will look for matching entries in the Event Log Description field. Separate multiple strings with commas.

The search string can contain criteria used to include entries, exclude entries, or both. Separate include and exclude criteria with a colon (:) using the following format: include:exclude. For example, to include the keyword error and to exclude the keyword RSVP, enter the following:

error:RSVP

If you specify only include criteria, the colon is not necessary.

Event Notification

Use XML format for event message

Select Yes for the event detail created by this Knowledge Script to be formatted as XML. The default is unselected.

NOTE:This parameter is only applicable when the agent computer is running version 8.0 or later of AppManager for Microsoft Windows.

Raise event if log entries matching criteria are found?

Select Yes to raise an event when log entries match your filtering criteria. The default is Yes.

Raise event grouped by EventID

Select Yes to raise events grouped by event ID, so that matching entries with the same event ID are reported together. The default is unselected.

Raise event only when event log threshold is crossed?

Select Yes to raise an event when the threshold is crossed. The default is Yes.

Threshold value per event log

Specify the maximum number of matches to your search criteria that can be found before an event is raised. The default is 1.

Event severity when log entries match criteria

Set the event severity level, from 1 to 40, to indicate the importance of an event in which log entries match your search criteria. The default is 15 (red event indicator).

Tip: You can adjust the severity based on which log or type of event you are checking for.

Raise event if log cannot be accessed?

Select Yes to raise an event when the log file cannot be read or reached. The default is Yes.

Event severity when a log is inaccessible

Set the event severity level, from 1 to 40, to indicate the importance of an event in which the log file cannot be read or reached. The default is 10.

Data Collection

Collect data for log entries that match criteria?

Select Yes to collect data for charts and reports. When enabled, data collection returns detail about log entries that match your filtering criteria. The default is unselected.

Separate data by log file?

Select Yes to separate event entries from different log files into different datastreams. If unselected, all event entries matching your filtering criteria are placed in the same datastream and the data detail message may include event entries from multiple log sources.

For example, if you are monitoring both the System and Application logs, you can enable this parameter so that events in the System log are tracked separately from events in the Application log.

The default is unselected.
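The following Python program, added here as an illustration and not part of the original documentation or of the AppManager product, implements the filter semantics the Event Log Filters parameters describe: comma-separated terms, the include:exclude split, the substring (non-exact) matching described in the NOTE at the top of this section, the * wildcard used in the computer filter example, event ID ranges, and the split of matches into child-event batches of at most "Maximum number of entries per event report" entries, as the NOTE on batches describes. Case-insensitive matching, exclude-over-include precedence, and an inclusive threshold are assumptions, since the page does not define them; the sample records are constructed.

```python
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


@dataclass
class EventEntry:
    """One event log record, holding only the fields the filters inspect."""
    log: str
    source: str
    category: str
    event_id: int
    user: str
    computer: str
    description: str


def parse_filter(spec: str) -> Tuple[List[str], List[str]]:
    """Split an include:exclude filter string into two lists of terms.

    Terms are comma-separated; the first colon separates include terms from
    exclude terms and is optional when only include terms are given.
    Whitespace around terms is ignored (an assumption, not stated on the page).
    """
    include, _, exclude = spec.partition(":")

    def terms(part: str) -> List[str]:
        return [t.strip() for t in part.split(",") if t.strip()]

    return terms(include), terms(exclude)


def text_matches(term: str, value: str) -> bool:
    """Substring match, as the NOTE describes: 'foo' matches 'foobar' and 'food'.

    '*' is treated as a wildcard so the documented '*SFO*' form works; the
    case-insensitive comparison is an assumption.
    """
    pattern = ".*".join(re.escape(part) for part in term.split("*"))
    return re.search(pattern, value, re.IGNORECASE) is not None


def id_matches(term: str, event_id: int) -> bool:
    """Exact event ID ('202') or inclusive range ('10-15')."""
    if "-" in term:
        low, high = term.split("-", 1)
        return int(low) <= event_id <= int(high)
    return int(term) == event_id


def passes(spec: str, value, matcher: Callable[[str, object], bool]) -> bool:
    """Apply one filter: an empty spec passes everything; an exclude hit wins
    over an include hit (assumption: the page does not define the precedence);
    when include terms are present, at least one of them must match."""
    include, exclude = parse_filter(spec)
    if any(matcher(term, value) for term in exclude):
        return False
    return not include or any(matcher(term, value) for term in include)


# Filter name -> matcher; the name is also the EventEntry field it inspects.
MATCHERS: Dict[str, Callable] = {
    "source": text_matches, "category": text_matches, "event_id": id_matches,
    "user": text_matches, "computer": text_matches, "description": text_matches,
}


def select_entries(entries: List[EventEntry], filters: Dict[str, str]) -> List[EventEntry]:
    """Keep the entries (oldest first, as given) that pass every configured filter."""
    return [e for e in entries
            if all(passes(spec, getattr(e, name), MATCHERS[name])
                   for name, spec in filters.items())]


def plan_child_events(matches: list, max_per_event: int, threshold: int) -> List[list]:
    """Split matches into child-event batches, oldest batch first, as the NOTE
    describes (30 matches at 10 per event give 3 batches).  Nothing is raised
    unless the match count reaches the threshold (assumed to be inclusive)."""
    if len(matches) < threshold:
        return []
    return [matches[i:i + max_per_event] for i in range(0, len(matches), max_per_event)]


# Constructed sample records (not real log data), oldest first.
SAMPLE_ENTRIES = [
    EventEntry("Application", "MSSQLServer", "Server", 17, "RALQE\\Joe", "SQL-SFO-01", "Login failed"),
    EventEntry("Application", "SNMP", "Server", 12, "RALQE\\Sam", "SQL-RDU-02", "food"),
    EventEntry("Application", "SQLExecutive", "Logon", 202, "RALQE\\Joe", "SQL-SFO-01", "foobar"),
    EventEntry("System", "Service Control Manager", "None", 7036, "NT AUTHORITY\\SYSTEM", "DC-SFO-01", "Service entered the running state"),
]

if __name__ == "__main__":
    hits = select_entries(SAMPLE_ENTRIES, {"source": "SQL:SNMP", "event_id": "10-20,202"})
    for batch_no, batch in enumerate(plan_child_events(hits, 1, 1), start=1):
        print(f"Batch {batch_no}:", [e.event_id for e in batch])
```

Because matching is by substring, a source filter of SQL also matches MSSQLServer and SQLExecutive, and a description filter of foo matches food; when a filter raises more events than you expect, this is the first thing to check before raising the threshold.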

8.9.4 Examples of How this Script Is Used

You can customize this script in many ways based on your requirements. For example, for general system events, you can set the following options when detecting security failures:

Properties and Parameters

How You Might Set Them

Schedule interval

10 minutes

Raise event if log entries match criteria?

Yes

Log files to filter

Security

Monitor failure audits?

Yes

Event severity when event log entries match criteria

2

Action

MapiMail

With this scenario, on the Schedule tab in the Knowledge Script Properties dialog box, set the interval to Run every 10 minutes because you want a short window for checking for this type of problem.

On the Values tab, enable the Raise event if log entries match criteria? parameter, indicate you will monitor failure audits in the Security log, and set the event severity to 2, indicating this is a very serious event that should be highly visible. Leave the other filtering options blank.

On the Action tab, indicate that you want an email sent when an event is raised. With these settings, AppManager will regularly check for security failures and will notify you, or whoever you designate, through email if any security failure events are detected.

As another example, to detect all problems with your SQL Server you could set up the script job like this:

Properties and Parameters

How You Might Set Them

Schedule interval

30 minutes

Raise event if log entries match criteria?

Yes

Log files to filter

Application

Monitor error events?

Yes

Event source filter

MSSQLServer

Event severity when event log entries match criteria

8

Action

MapiMail

Another way you can use this script is to collect data and graph a trend chart from your System event log:

Properties and Parameters

How You Might Set Them

Schedule interval

1 hour

Collect data for log entries that match criteria?

Yes

Log files to filter

System

All other filters

not set

Action

Null

If you choose to collect data, the script returns the number of matched entries as the primary data point to be graphed. The first batch of filtered results can be viewed in the detail data message when you double-click a data point. Additional matching entries may be included in the graph. Peaks in the graph indicate periods with a large number of matching events; valleys indicate low event activity.