6.32 SREventLog

Use this Knowledge Script to periodically scan the Windows Application event log for entries created by the System Restore service that match the criteria you specify. When an entry matches, the script raises an event, and the event detail message provides more information about the matching entries.

In the first interval, the value you specify for the Start with events in past N hours parameter determines how far back in the log to check for matching entries. As the script continues to run at subsequent intervals, it checks for any new entries created since the last time the log was checked.

You can further restrict the types of log entries that generate an event in two ways:

  • Use the Monitor for events of type [...] parameters to search only certain types of events, such as Warning events.

  • Use the Filter the [...] field for parameters to search only for specific information, such as events associated with a specific user or computer name.

Each time this script runs, it checks the Windows Application event log for entries matching your selection criteria and raises an event if matching entries are found. The event detail message returns the text of the log entries found. When this script is set to collect data, it returns the number of log entries found, and the data point detail message returns the text of the log entries.

6.32.1 Resource Object

System Restore folder

6.32.2 Default Schedule

The default interval for this script is Every 30 minutes.

6.32.3 Setting Parameter Values

Set the following parameters as needed:

Parameter

How to Set It

Raise event if matching log entries found?

Set to y to raise an event when the log contains entries that match your search criteria. The default is y.

Collect data for matching log entries found?

Set to y to collect data for charts and reports. If enabled, data collection returns the number of log entries found. The data point detail message returns the text of the log entries. The default is n.

Start with events in past N hours

Set this parameter to determine which part of the log to search the first time the job runs. Subsequent searches begin where the previous one finished. The following entries are valid:

  • -1 to search all existing log entries during the first interval

  • n to search entries for the past n hours (for example, 8 for the past 8 hours or 50 for the past 50 hours)

  • 0 to search no previous entries (search from the current time forward)

The default is 0.

Monitor for events of type:

Set to y for each type of event you want to monitor:

  • Error

  • Warning

  • Information

  • Success Audit

  • Failure Audit

If you disable any of these event types, that type of log entry does not raise an event, is not returned in an event detail message, and is not collected as data if you enabled Collect data for matching log entries found?

The default is y.

Filter the [...] field for

To limit the types of entries that raise events and the type of data that is collected, enter a search string that filters the following fields in the event log:

  • Category. Specify one or more text strings to look for in the Category field. Separate multiple strings with commas.

  • Event ID. Specify single or multiple event IDs. Separate multiple entries with commas. To specify a range of event IDs, use a hyphen. For example: 414,1028-1400,4015.

  • User. Specify a single or multiple user names to look for. Separate multiple entries by commas. For example: Pat,Chris,Alex.

  • Computer. Specify a single or multiple computer names or IP addresses to look for. Separate multiple entries by commas. For example: SHASTA,MARS.

  • Event Description. Specify a detail description or keywords in the description. The string can contain spaces, underscores, and periods. Separate multiple entries with commas. For example: no domain,critical error from the Active Directory.

The search string can contain criteria used to include entries, exclude entries, or both.

  • Separate the include and exclude criteria with a colon (:). For example, zones,caching:primary or secondary.

  • Separate multiple include or exclude entries with commas. For example, finance,sales:corp00,HQ.

  • If you are specifying only include criteria, the colon is not necessary. For example, primary DNS domain.

  • If you are specifying only exclude criteria, start the search string with a colon. For example, :online help.

Maximum number of entries per event message

Specify the maximum number of log entries to be included in each event's detail message. If this script finds more matching entries than the specified maximum, it raises multiple events, each reporting no more than the number of entries you specified. The default is 30 entries.
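The following Python model is an added example, not code from the Knowledge Script or from NetIQ, that works through the filter-string rules above (comma-separated include terms, a colon before exclude terms, hyphenated Event ID ranges) and the per-event batching described under Maximum number of entries per event message. The LogEntry records, the event IDs and the text in them are constructed sample data; the choice to match text fields as case-insensitive substrings and Event IDs exactly is an assumption the page does not state.

```python
"""Constructed model of the SREventLog selection rules (not the product's code).

Assumptions not taken from the page: text fields (Category, User, Computer,
Event Description) are matched as case-insensitive substrings, and the
Event ID field is matched exactly after ranges are expanded.
"""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Event types named by the "Monitor for events of type" parameters.
ALL_TYPES = {"Error", "Warning", "Information", "Success Audit", "Failure Audit"}


@dataclass
class LogEntry:
    """One Application-log record as the script would see it (constructed)."""
    event_type: str
    category: str
    event_id: int
    user: str
    computer: str
    description: str


def _split_terms(text: str) -> List[str]:
    return [t.strip() for t in text.split(",") if t.strip()]


def parse_filter(spec: str) -> Tuple[List[str], List[str]]:
    """Split 'inc1,inc2:exc1,exc2' into (includes, excludes).

    No colon means include-only; a leading colon means exclude-only;
    an empty string means the field is not filtered at all.
    """
    if not spec:
        return [], []
    include_part, _, exclude_part = spec.partition(":")
    return _split_terms(include_part), _split_terms(exclude_part)


def expand_event_ids(terms: List[str]) -> Set[int]:
    """Expand terms such as '414', '1028-1400', '4015' into a set of integer IDs."""
    ids: Set[int] = set()
    for term in terms:
        low, dash, high = term.partition("-")
        if dash:
            ids.update(range(int(low), int(high) + 1))  # range is inclusive
        else:
            ids.add(int(term))
    return ids


def text_matches(value: str, includes: List[str], excludes: List[str]) -> bool:
    """An exclude term always wins; with no include terms every value passes."""
    v = value.lower()
    if any(e.lower() in v for e in excludes):
        return False
    return not includes or any(i.lower() in v for i in includes)


def id_matches(event_id: int, includes: List[str], excludes: List[str]) -> bool:
    """Same include/exclude precedence as text_matches, on expanded ID sets."""
    if excludes and event_id in expand_event_ids(excludes):
        return False
    return not includes or event_id in expand_event_ids(includes)


def entry_matches(entry: LogEntry, monitored_types: Set[str],
                  filters: Dict[str, str]) -> bool:
    """Apply the event-type switches and every per-field filter string to one entry."""
    if entry.event_type not in monitored_types:
        return False
    for field, spec in filters.items():
        includes, excludes = parse_filter(spec)
        if field == "event_id":
            if not id_matches(entry.event_id, includes, excludes):
                return False
        elif not text_matches(getattr(entry, field), includes, excludes):
            return False
    return True


def scan(entries: List[LogEntry], monitored_types: Set[str],
         filters: Dict[str, str], max_per_event: int):
    """Return (count, batches): the data point value and the list of entries
    that would go into each event's detail message, at most max_per_event each."""
    hits = [e for e in entries if entry_matches(e, monitored_types, filters)]
    batches = [hits[i:i + max_per_event] for i in range(0, len(hits), max_per_event)]
    return len(hits), batches


# Constructed sample entries; event IDs, names and text are illustrative only.
SAMPLE = [
    LogEntry("Information", "Restore Point", 8194, "Pat", "SHASTA",
             "System Restore created a restore point"),
    LogEntry("Error", "Restore Point", 8193, "SYSTEM", "MARS",
             "System Restore failed with a critical error"),
    LogEntry("Warning", "Restore Point", 1030, "Chris", "VENUS",
             "Restore point creation skipped; see online help"),
    LogEntry("Information", "Restore Point", 4015, "Alex", "SHASTA",
             "Restore point purged by disk cleanup"),
    LogEntry("Information", "Restore Point", 1100, "Pat", "SHASTA",
             "Restore point creation deferred"),
]

if __name__ == "__main__":
    count, batches = scan(SAMPLE, ALL_TYPES,
                          {"event_id": "414,1028-1400,4015",
                           "description": "restore:online help"}, 1)
    print(count, [[e.event_id for e in b] for b in batches])
```

In the sample run the Event ID filter keeps IDs 1030, 4015 and 1100, the description filter then drops the entry mentioning "online help", and with a maximum of 1 entry per event message the two survivors are reported as two separate events.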

Event severity when matching entries found

Set the event severity level, from 1 to 40, to indicate the importance of an event in which the log contains entries that match your search criteria. The default is 8 (red event indicator).