Configuring Windows Event Log
This topic provides information about configuring and monitoring Windows event logs.
Windows event logs basic configuration video
Click to view a short video (4:48) of how to configure Windows event logs for monitoring.
Windows event logs advanced configuration video
Click to view a short video (7:09) of how to configure Windows event logs for monitoring.
Configuration details
On the Add Monitoring Configuration window, set the following preferences:
Monitoring Solution | Monitor Profile | Monitor Type
---|---|---
Microsoft Windows Servers | Event Log Operating System | Windows Event Log
Field | Description
---|---
List of Event Logs | Click Add to configure the event logs that you want to monitor.
Log Name | Enter the name of the event log for which you want to create a filter. For example, Microsoft-Windows-WinRM/Operational.
Forward Windows Events To Event Manager | Select one of the following options:
Use File Bookmark | Select this check box if you want each event log to use a checkpoint value, which guarantees that no events are missed if the PATROL Agent or the KM is not loaded for a period of time.
List of Filters | In this section, click Add and enter the filter details.
Filter Details |
Name | Enter a unique name that represents the event filter and follows these rules:
Description | Enter a short description of the filter you are creating.
Report/Notify | Select one of the following options:
Source Details |
List of Sources | Click Add and enter the event log source name or a regular expression. You can add multiple sources. In the list of sources, beside a source name, you also get a menu to edit, delete, or clone a source.
Use name as a regular expression | Select this check box if you specified a regular expression in the Name field.
Disable case sensitivity | Select this check box to disable case sensitivity for source filtering. You can specify whether filter comparisons are made in a case-independent manner for the source, user, category, and string options of a Windows event filter. To keep comparisons case-sensitive for any of these options, ensure that the corresponding Disable Case Sensitivity check box is cleared when configuring Windows event monitoring. The /PSX_P4WinSrvs/PWK_PKMforMSWinOS_config/EventLogMonitoring/eventlog/EventFilters/filter/FilterDisableCase configuration variable stores the case-sensitivity settings of the event filter options. This variable holds five bit values, one each for Source, User, Category, String, and Computer name, in that order. If a bit is 1, a case-independent filter comparison is made for the corresponding field. You can set this variable to either of the following values: To disable case-sensitivity in the event filters, set the value of the FilterDisableCase configuration variable to 00000.
Include/Exclude Source List | Select one of the following options:
Event Type Details |
Event Types to Monitor | Select one or more of the following event types to use in the filter for monitoring:
Consolidate event types when reporting | Select this option if you want the various event types (for example, Warning, Information, Error) to be reported by using one parameter, ELMStatus (or ELMNotification, if you chose to be notified immediately when an error occurs when defining the Report/Notify option). If you want a separate parameter for each event type, each of which can raise alarms independently, clear this check box.
Event ID Details |
List of Event IDs | Click Add and add the Windows events. You can enter one or multiple IDs in the following ways: A comma-separated list of multiple event IDs (for example, 100,110,120) is not supported. In the list of Windows events, beside a name, you also get a menu to edit, delete, or clone an event.
Use Event ID as a regular expression | Select this check box if you specified a regular expression in the Windows Event ID(s) field.
Include/Exclude Event ID List | Select one of the following options:
Event Handling |
Annotate Graph parameter with event details | Annotates the PATROL Agent parameter graphs associated with this event filter with information about the event. You can display the annotations by placing the cursor over the graph data points.
Annotate Additional Event Data | Select this check box to include additional event data in the annotation for the event. You can display the annotations by placing the cursor over the graph data points. Note: Restart the PATROL Agent to apply the changes.
Write event details to a text parameter | Writes details about the events that occur to a parameter. Depending on which event types the filter monitors, the following parameters are used to report this data:
Use event details for a recovery action | Saves information about the event in the agent configuration variable RetainEventDescriptions so that you can use this information in recovery actions that you create. For example, if you create a recovery action that generates an e-mail when the event filter alarms, you could include the event description in the e-mail. If you do not use recovery actions, or do not plan to use them, clear this option to limit use of the agent database space. For more information, see Retained event descriptions.
Report multiple events as a single event when the event occurs | Enables event consolidation under the conditions you specify. If X events (of any type) occur within Y seconds or minutes, they are reported using one parameter. Only one datapoint is used, but the datapoint annotation contains information about each of the events that occurred. For more information on event consolidation, see Event Type dialog box. To return to the default setting (not reporting multiple events as one event and not consolidating events), enter 0 as the number of times that the event occurs. By default, this value is set to 1.
Time within seconds | Specify the time window, in seconds, within which multiple events are reported as a single event. By default, this value is set to 0. The maximum accepted value for this field is 35791394 minutes.
Enter text automatic or Filter name to Acknowledge Alarm | Specify how you want to acknowledge the alarm raised by the event filter. You can specify one of the following values: By default, this value is set to automatic.
Advanced Properties |
User Details |
List of Users | In this section, click Add and add the user names associated with the events that you want to monitor or exclude from monitoring. Note: When you enter a user name that includes special characters that are used in regular expressions (such as a dollar sign ($), a period (.), parentheses ( ), or a backslash (\)), you must escape each special character with a backslash. For example, if the user name is $Smith, you must enter the user name as \$Smith. The event log filter fails to filter events when a user-based filter is entered in the user@domain.com format. Use just the user name (for example, Administrator) or the Domain\User format (for example, CIVILWAR\Administrator).
Include/Exclude User List | Select one of the following options:
Disable Case Sensitivity | Select this check box to disable case sensitivity for the filter comparisons.
Category Details |
List of Categories | In this section, click Add and enter category details for the events you want to monitor. In the Category Name field, enter the category name associated with the events that you want to monitor or exclude from monitoring. In the list of categories, beside a name, you also get a menu to edit, delete, or clone a category. Note: When entering a category that includes special characters that are used in regular expressions (such as a dollar sign ($), a period (.), parentheses ( ), or a backslash (\)), you must escape each special character with a backslash. For example, if the category is $Smith, you must enter the category as \$Smith.
Include/Exclude Category List | Select one of the following options, as appropriate:
Disable Case Sensitivity | Select this check box to disable case sensitivity for the filter comparisons.
String Details |
List of Strings to Include | In this section, click Add and enter the string from the event description associated with the events that you want to monitor. When you enter a string that includes special characters that are used in regular expressions, such as a dollar sign ($), a period (.), parentheses ( ), or a backslash (\), you must escape each special character with a backslash. For example, if the string is $Error, you must enter the string as \$Error. You can add multiple strings. In the list of strings, beside a name, you also get a menu to edit, delete, or clone a string.
List of Strings to Exclude | In this section, click Add and enter the string from the event description associated with the events that you want to exclude. When you enter a string that includes special characters that are used in regular expressions, such as a dollar sign ($), a period (.), parentheses ( ), or a backslash (\), you must escape each special character with a backslash. For example, if the string is $Error, you must enter the string as \$Error. You can add multiple strings. In the list of strings, beside a name, you also get a menu to edit, delete, or clone a string.
Disable Case Sensitivity | Select this check box to disable case sensitivity for the filter comparisons.
Computer Details |
List of Computers | In this section, click Add and enter the computer names that are associated with the events that you want to monitor or exclude from monitoring. You can add multiple computer names. In the list of computer names, beside a name, you also get a menu to edit, delete, or clone a name.
Include/Exclude User List | Select one of the following options:
Disable Case Sensitivity | Select this check box to disable case sensitivity for the filter comparisons.
Limit Event Subscriptions To | Note: Any modification made to this configuration requires you to restart the PATROL Agent. Only 20 combinations of sources and event IDs are supported.
Event Sources | Enter a comma-separated list of event sources. Note: You must specify the event sources and IDs based on the filters that you have configured (using the List of Filters option) for the respective event log.
Event IDs | Enter a comma-separated list of event IDs or event ranges. For example: 100,1000-1010,500.
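The filter rules in the table above (the five FilterDisableCase bits, escaping of literal names such as $Smith, include/exclude lists, event consolidation, and the 20-combination limit on event subscriptions) as an added Python model, not PATROL KM code: the PATROL Agent evaluates the real filters, and the class name EventFilter, the grouping rule in consolidate() (this example's reading of "X events within Y seconds"), and every event in SAMPLE_EVENTS (sources, IDs, users, descriptions) are assumptions constructed for the example.

```python
import re
from dataclasses import dataclass, field

# Added example, not PATROL KM code. Bit order of the five-character FilterDisableCase value, as documented.
CASE_FIELDS = ("source", "user", "category", "string", "computer")


def decode_filter_disable_case(bits):
    """'11010' -> {'source': True, 'user': True, ...}; True means compare case-independently."""
    if len(bits) != 5 or set(bits) - {"0", "1"}:
        raise ValueError("FilterDisableCase must be exactly five 0/1 characters")
    return {name: b == "1" for name, b in zip(CASE_FIELDS, bits)}


def escape_literal(value):
    """Escape regex metacharacters so a literal name such as '$Smith' is matched as text ('\\$Smith')."""
    return re.escape(value)


def field_matches(patterns, value, as_regex=False, ignore_case=False):
    """True if VALUE fully matches any pattern; literal entries are escaped before compiling."""
    flags = re.IGNORECASE if ignore_case else 0
    return any(re.fullmatch(p if as_regex else escape_literal(p), value, flags) for p in patterns)


@dataclass
class EventFilter:
    sources: list
    event_ids: list                    # one ID per entry (comma-separated lists are not supported)
    users: list = field(default_factory=list)
    include_strings: list = field(default_factory=list)
    exclude_strings: list = field(default_factory=list)
    sources_are_regex: bool = False    # "Use name as a regular expression"
    include_sources: bool = True       # Include/Exclude Source List
    include_users: bool = True         # Include/Exclude User List
    disable_case: str = "00000"        # FilterDisableCase; 00000 = all comparisons case-sensitive

    def matches(self, ev):
        ci = decode_filter_disable_case(self.disable_case)
        if field_matches(self.sources, ev["source"], self.sources_are_regex, ci["source"]) != self.include_sources:
            return False
        if not field_matches(self.event_ids, str(ev["id"])):
            return False
        if self.users and field_matches(self.users, ev["user"], False, ci["user"]) != self.include_users:
            return False
        flags = re.IGNORECASE if ci["string"] else 0
        if self.include_strings and not any(re.search(s, ev["description"], flags) for s in self.include_strings):
            return False
        return not any(re.search(s, ev["description"], flags) for s in self.exclude_strings)


def consolidate(events, count, window_seconds):
    """Assumed grouping rule: up to COUNT events within WINDOW_SECONDS of the first one form a
    single datapoint whose annotation lists them all; count <= 1 or a zero window means one
    datapoint per event (the documented default)."""
    if count <= 1 or window_seconds <= 0:
        return [[ev] for ev in events]
    points, bucket = [], []
    for ev in sorted(events, key=lambda e: e["time"]):
        if bucket and (ev["time"] - bucket[0]["time"] > window_seconds or len(bucket) == count):
            points.append(bucket)
            bucket = []
        bucket.append(ev)
    if bucket:
        points.append(bucket)
    return points


def subscription_combinations(sources_csv, ids_csv, limit=20):
    """Expand 'Event Sources' x 'Event IDs' (IDs may be ranges like 1000-1010) and enforce the 20-combination limit."""
    ids = []
    for part in ids_csv.split(","):
        lo, _, hi = part.strip().partition("-")
        ids.extend(range(int(lo), int(hi or lo) + 1))
    combos = [(src.strip(), i) for src in sources_csv.split(",") for i in ids]
    if len(combos) > limit:
        raise ValueError(f"{len(combos)} source/ID combinations exceed the supported {limit}")
    return combos


# Constructed sample events (not real log output); "time" is seconds from an arbitrary start.
SAMPLE_EVENTS = [
    {"time": 0, "source": "Microsoft-Windows-WinRM", "id": 142, "user": "CIVILWAR\\Administrator", "description": "Operation failed: $Error 1"},
    {"time": 5, "source": "microsoft-windows-winrm", "id": 142, "user": "civilwar\\administrator", "description": "Operation failed: timeout"},
    {"time": 12, "source": "Microsoft-Windows-WinRM", "id": 142, "user": "CIVILWAR\\Administrator", "description": "Operation failed: access denied"},
    {"time": 18, "source": "Microsoft-Windows-WinRM", "id": 142, "user": "CIVILWAR\\Administrator", "description": "Operation failed: retry"},
    {"time": 70, "source": "Microsoft-Windows-WinRM", "id": 142, "user": "CIVILWAR\\Administrator", "description": "Operation failed: timeout"},
    {"time": 75, "source": "Microsoft-Windows-WinRM", "id": 91, "user": "CIVILWAR\\svc_backup", "description": "Request handle created"},
    {"time": 80, "source": "Service Control Manager", "id": 7036, "user": "NT AUTHORITY\\SYSTEM", "description": "Service entered running state"},
]


def run_sample():
    """One filter: source and user compared case-independently, descriptions containing '$Error' excluded."""
    flt = EventFilter(sources=["Microsoft-Windows-WinRM"], event_ids=["142"],
                      users=["CIVILWAR\\Administrator"], exclude_strings=[escape_literal("$Error")],
                      disable_case="11010")
    matched = [ev for ev in SAMPLE_EVENTS if flt.matches(ev)]
    return matched, consolidate(matched, count=3, window_seconds=60)
```

With FilterDisableCase set to 11010, the lower-case source and user in the second sample event still match; the first event is dropped by the exclude string, which is entered escaped (\$Error) exactly as the table requires. Four events pass the filter, and with "3 events within 60 seconds" they produce two datapoints (the three events between 5 s and 18 s share one annotation; the 70 s event starts a new one), while count 1 or window 0 yields the default of one datapoint per event. subscription_combinations counts the source/ID pairs a Limit Event Subscriptions To entry such as 100,1000-1010,500 expands to, so an entry that exceeds the 20-combination limit is caught before the PATROL Agent is restarted.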
Comments
Folks - what is this part of the configuration for?
"Limit Event Subscriptions To"
Is this for subscriptions of the KM to the event log subsystem? Or is this for a remote agent event log monitoring subscription and what it can pull?
Limit Event Subscriptions To is for subscriptions of the KM to the event log subsystem.