8.23 ShortEventLog

Use this Knowledge Script to track Windows event log entries that match filtering criteria you specify. This script works on an incremental basis (it does not fully rescan the event log each time it runs), and all event log entries that match the filtering criteria are returned in the event or data point detail message.

This script works in the same fashion as the EventLog Knowledge Script, but removes the header information and returns only the description of the event.

NOTE: Only the most recent batch of events can be viewed in the data point detail message. For example, you might set this script to scan all previous entries in the event log and list ten matching entries in each event detail message. When the job runs, 30 entries are found that match your filtering criteria. In this case, the script creates three child events for the interval. Each child event contains ten entries: the oldest matching entries in one child event batch, the second oldest in Batch 2, and the most recent in Batch 3. If this job is collecting data, and you view the data detail message for the interval, only the entries from the third child event (Batch 3) are displayed.

8.23.1 Resource Objects

Windows computer or application server such as Exchange Server or SQL Server

8.23.2 Default Schedule

The default interval for this script is Every 10 minutes.

8.23.3 Setting Parameter Values

Set the following parameters as needed:

Parameter

How to Set It

Raise event if log entries match criteria?

Set to y to raise an event when log entries match your filtering criteria. The default is y.

Collect data for log entries that match criteria?

Set to y to collect data for charts and reports. When enabled, data collection returns detail about log entries that match your filtering criteria. The default is n.

Separate data by log file type?

Set to y to separate event entries from different log files into different datastreams. If set to n, all event entries matching your filtering criteria are placed in the same datastream and the data detail message may include event entries from multiple log sources.

For example, if you are monitoring both the System and Application logs, you can enable this parameter so that events in the System log are tracked separately from events in the Application log.

The default is n.

Log files to filter (Application, Security, System)

Specify the event log you want to monitor. You can specify multiple event logs, separated by commas. For example:

System,Application,Security

The default is Application.

Log scanning for first interval

Set this parameter to control how the script scans the logs at the first interval, after which scanning begins where the previous scan ended. Enter one of the following values:

  • -1 - to scan all the existing entries

  • N - to scan entries only for the past N hours (for example, 8 for the past 8 hours or 50 for the past 50 hours)

  • 0 - to skip previous entries and search only from this moment on.

The default is 0.

Monitor error events?

Set to y to monitor error event entries. The default is y.

Monitor warning events?

Set to y to monitor warning event entries. The default is y.

Monitor information events?

Set to y to monitor information event entries. The default is y.

Monitor success audits?

Set to y to monitor success audit event entries. Success audits are successful security access attempts that are audited. The default is y.

NOTE: This parameter applies to WinOS2003 only. With Windows Vista or Windows Server 2008 or higher, you monitor success audits using keywords.

Monitor failure audits?

Set to y to monitor failure audit event entries. Failure audits are failed security access attempts that are audited. The default is y.

NOTE: This parameter applies to WinOS2003 only. With Windows Vista or Windows Server 2008 or higher, you monitor failure audits using keywords.

Event source filter

To filter for events generated by a particular source (such as SQLExecutive, SNMP, or the Service Control Manager), enter a search string. This script will look for matching entries in the Event Log’s Source field. Separate multiple strings with commas.

The search string can contain criteria used to include entries, exclude entries, or both. Separate the include and exclude criteria with a colon (:). If you specify only include criteria, the colon is not necessary.

Event category filter

To filter for events in a particular category (such as Server or Logon), enter a search string. This script will look for matching entries in the Event Log’s Category field. Separate multiple strings with commas.

The search string can contain criteria used to include entries, exclude entries, or both. Separate the include and exclude criteria with a colon (:). If you specify only include criteria, the colon is not necessary.

Event ID filter

To filter for particular event IDs, enter a search string or ID range, for example 100-2000. This script will look for matching entries in the Event Log’s Event field. Separate multiple IDs and ranges with commas. For example: 1,2,10-15,202.

The search string can contain criteria used to include entries, exclude entries, or both. Separate the include and exclude criteria with a colon (:). If you specify only include criteria, the colon is not necessary.

Event user filter

To filter for events associated with a particular user, enter a search string, for example, <domain name>\<user name>. This script will look for matching entries in the Event Log’s User field. Separate multiple strings with commas.

The search string can contain criteria used to include entries, exclude entries, or both. Separate the include and exclude criteria with a colon (:). If you specify only include criteria, the colon is not necessary.

Computer filter

To filter for events generated by a particular computer, enter a search string. This script will look for matching entries in the Event Log’s Computer field. Separate multiple strings with commas.

The search string can contain criteria used to include entries, exclude entries, or both. Separate the include and exclude criteria with a colon (:). If you specify only include criteria, the colon is not necessary.

Event description filter

To filter for events with a particular detail description or containing keywords in the description, enter a search string. This script will look for matching entries in the Event Log’s Description field. Separate multiple strings with commas.

The search string can contain criteria used to include entries, exclude entries, or both. Separate the include and exclude criteria with a colon (:). If you specify only include criteria, the colon is not necessary.

Maximum number of entries per event report

Specify the maximum number of entries to be recorded in each event's detail message. If this script finds more entries from the log than can be put into one event message, it will return multiple events to report all the outstanding entries in the log. The default is 30 entries.

If this script encounters one or more very large events in the Windows Event log, it may error out and generate an event message "Out of string space." If this occurs, you can usually work around the problem by setting this parameter to a smaller value.

Event severity when event log entries match criteria

Set the event severity level, from 1 to 40, to indicate the importance of an event in which log entries matched your search criteria. The default is 8 (red event indicator).

Tip: You can adjust the severity based on which log or type of event you are checking for.
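The filter syntax described above (comma-separated terms, an optional colon separating include from exclude criteria, and Event ID ranges such as 10-15) and the batching of matches into child events are easy to misread, so here is an added example that models both. It is illustrative code written for this section, not the Knowledge Script's own logic; the record fields, the sample entries and the case-insensitive substring rule for text fields are assumptions.

```python
from collections import namedtuple
# Constructed stand-in for one event log record (Source and Event ID fields).
Entry = namedtuple("Entry", "event_id source description")

def parse_filter(spec):
    """Split 'inc1,inc2:exc1' into include and exclude term lists (no colon = include only)."""
    inc, _, exc = spec.partition(":")
    terms = lambda s: [t.strip() for t in s.split(",") if t.strip()]
    return terms(inc), terms(exc)

def id_match(event_id, terms):
    """Match an ID against terms such as '202' or an inclusive range '10-15'."""
    for t in terms:
        lo, _, hi = t.partition("-")
        if (int(lo) <= event_id <= int(hi)) if hi else (event_id == int(lo)):
            return True
    return False

def text_match(value, terms):
    # Assumption: a text term matches as a case-insensitive substring of the field.
    return any(t.lower() in value.lower() for t in terms)

def passes(entry, source_filter="", id_filter=""):
    """Pass when each given filter's include terms hit (if listed) and no exclude term hits."""
    checks = ((entry.source, source_filter, text_match), (entry.event_id, id_filter, id_match))
    for value, spec, hit in checks:
        if not spec:
            continue
        inc, exc = parse_filter(spec)
        if (inc and not hit(value, inc)) or (exc and hit(value, exc)):
            return False
    return True

def scan(entries, per_event, **filters):
    """Keep matches (oldest first) and split them into child events of at most per_event entries."""
    hits = [e for e in entries if passes(e, **filters)]
    return [hits[i:i + per_event] for i in range(0, len(hits), per_event)]

# Constructed sample log, oldest first.
SAMPLE = [Entry(101, "MSSQLServer", "Login failed for user 'x'"),
          Entry(102, "MSSQLServer", "Backup completed"),
          Entry(12, "SQLExecutive", "Job step failed"),
          Entry(205, "SNMP", "Trap sent"),
          Entry(103, "MSSQLServer", "Login failed for user 'y'")]

def demo():
    # Source must contain 'SQL' but not 'SQLExecutive'; IDs in 1,2,10-15,100-110; two per batch.
    batches = scan(SAMPLE, 2, source_filter="SQL:SQLExecutive", id_filter="1,2,10-15,100-110")
    return [[e.event_id for e in child] for child in batches]  # -> [[101, 102], [103]]
```

With a per-event limit of 2, the three matching entries are reported as two child events, the oldest pair first, which is the behaviour the NOTE at the top of this section describes.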

8.23.4 Examples of How this Script Is Used

You can customize this script in many ways based on your requirements. For example, for general system events, you can set the following options when detecting security failures:

Properties and Parameters                             How You Might Set Them
Schedule interval                                     10 minutes
Raise event if log entries match criteria?            y
Log files to filter                                   Security
Monitor failure audits?                               y
Event severity when event log entries match criteria  2
Action                                                MapiMail

With this scenario, on the Schedule tab in the Knowledge Script Properties dialog box, set the interval to Once every 10 minutes because you want a short window for checking for this type of problem.

On the Values tab, enable the Raise event if log entries match criteria? parameter. Set Log files to filter to Security and set Monitor failure audits? to y. Set the Event severity level parameter to 2, indicating this is a very serious event that you want to be highly visible. Leave the other filtering options blank.

On the Action tab, indicate that you want an e-mail sent if an event is raised. With these settings, AppManager will regularly check for security failures and will notify you, or whoever you designate, through e-mail if any security failure events are detected.

Another example of how to use this script to detect all problems with your SQL Server involves setting up the Knowledge Script job as follows:

Properties and Parameters                             How You Might Set Them
Schedule interval                                     30 minutes
Raise event if log entries match criteria?            y
Log files to filter                                   Application
Monitor error events?                                 Error
Event source filter                                   MSSQLServer
Event severity when event log entries match criteria  8
Action                                                MapiMail

Another way you can use this Knowledge Script is to collect data and graph a trend chart from your System event log:

Properties and Parameters                             How You Might Set Them
Schedule interval                                     1 hour
Collect data for log entries that match criteria?     y
Log files to filter                                   System
All other filters                                     not set
Action                                                Null

If you select the data collection option, this script returns the number of matched entries as the primary data point to be graphed. The first batch of filtered results can be viewed in the detail data message when you double-click a data point. Additional matching entries may be included in the graph. The peaks and valleys in the graph indicate a large number of events (something unusual) or low event activity (quiet and all “OK”).