Configuring Windows Remote Monitoring



Note

Local monitoring is disabled by default unless a monitoring profile is configured explicitly for local monitoring. Thus, if only a remote monitoring profile is configured, local monitoring is not available. 

On the Add Monitoring Configuration window, set the following preferences:

  • Monitoring Solution: Microsoft Windows Servers
  • Monitor Profile: Remote Monitoring
  • Monitor Type: Windows Remote Monitoring

Provide the following details:

Field

Description

Remote Host Configuration

Click Add to add remote host configurations.

Host Details

Remote host names

Host Names/File Path

Enter the host name of the server in any of the following ways:

  • A single host name or IP address.
  • A comma-separated list of host names or IP addresses that allows you to apply the same configuration across multiple hosts.
  • A file (.txt or .csv) containing a list of host names or IP addresses, which allows you to configure multiple hosts with the same configuration. Make sure you provide the absolute path to this file.
    For example, the file path can be C:\PROGRA~2\BMCSOF~1\Patrol3\log\WinProductionHosts.txt or %PATROL_HOME%\log\WinProductionHosts.txt.
    • The file must contain a list of comma-separated host names or IP address information (with or without publish hostnames) with common credentials. 
    • The file must be located on the host that is running the PATROL Agent. The BMC PATROL default account must have read permission on the directory where the file is located. The _ConfigStatus attribute indicates errors related to the input file.
  • A combination of the options listed above.
Important

  • You can add a publish host name to represent the host with a different host name or when the Fully Qualified Domain Name (FQDN) of the remote host cannot be retrieved. The publish host name should be added in the <host name>;<publish_hostname> format. This format can be used in any of the preceding options.
  • If you modify the file, restart the BMC PATROL Agent to apply the changes.
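Because one set of credentials is applied to every entry in the host list, it is worth checking the list before restarting the agent. The following pre-check is an added example, not part of the BMC product: it parses the comma-separated `<host name>;<publish_hostname>` format described above and reports malformed or duplicate entries. Accepting line breaks as separators, requiring host name syntax for the publish host name, and the sample host names are assumptions.

```python
import ipaddress
import re

# RFC 1123 label: letters, digits, hyphen; no leading or trailing hyphen.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def _is_host(value):
    """True if value is an IP address or a syntactically valid host name."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        pass
    labels = value.split(".")
    # A name ending in an all-digit label is treated as a mistyped IP address.
    if len(value) > 253 or labels[-1].isdigit():
        return False
    return all(_LABEL.match(label) for label in labels)


def parse_host_list(text):
    """Return (entries, problems) for the contents of a host list.

    entries:  list of (host, publish_hostname or None) in input order
    problems: list of messages for entries that need fixing
    """
    entries, problems, seen = [], [], set()
    # Entries are comma-separated; line breaks are also accepted (assumption).
    for raw in re.split(r"[,\r\n]+", text):
        item = raw.strip()
        if not item:
            continue
        host, sep, publish = item.partition(";")
        host, publish = host.strip(), publish.strip()
        if not _is_host(host):
            problems.append(f"invalid host: {item!r}")
            continue
        # Assumption: a publish host name follows host name syntax.
        if sep and not _is_host(publish):
            problems.append(f"invalid publish host name: {item!r}")
            continue
        if host.lower() in seen:
            problems.append(f"duplicate host: {host}")
            continue
        seen.add(host.lower())
        entries.append((host, publish or None))
    return entries, problems


# Constructed sample content for a file such as WinProductionHosts.txt.
SAMPLE = """winprod01.example.com,10.20.30.40;winprod02
winprod03;, 10.20.30.400, WINPROD01.example.com
-badname.example.com, winprod04.example.com;pub 04
"""

if __name__ == "__main__":
    hosts, issues = parse_host_list(SAMPLE)
    for host, publish in hosts:
        print("ok     ", host, "->", publish or host)
    for issue in issues:
        print("problem", issue)
```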

Authentication Type

Select the type of authentication for adding the remote host.

  • Negotiate: Negotiate is selected for local computer accounts. In this option, the client sends a request to the server to authenticate. The user name should be specified as username for a local user on the server.
  • Kerberos: Kerberos is selected to authenticate a domain account. In this option, the client and server mutually authenticate using Kerberos tickets. The user name should be specified as domain\username for a domain user.

Connection Protocol

Select the type of connection protocol for adding the remote host.

  • HTTP
  • HTTPS

Port Number

Enter the remote host port number. By default, the port number is set to 5985 for HTTP and 5986 for HTTPS.

Reconnect Interval

This field enables the KM to automatically reconnect to the remote host after an Access denied error that is caused by a server restart.

If you want the KM to auto-reconnect to the remote host, enter a value greater than the collection interval of the _Status parameter. By default, the collection interval is 1 minute.

0 indicates the KM will not auto-reconnect if the _Status parameter displays an Access denied error. 

Important

This might increase the probability of account lockout if the access denied error is genuine and not because of server restart. Consider your account lockout policy before entering this value. 
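The rules for Authentication Type, Connection Protocol, Port Number, and Reconnect Interval can be checked together before a policy is saved. The following review function is an added example, not BMC code; the dictionary keys and account names are hypothetical, and both intervals must be passed in the same unit because this page does not state the unit of the Reconnect Interval field.

```python
DEFAULT_PORTS = {"HTTP": 5985, "HTTPS": 5986}  # defaults stated on this page


def review_remote_host_config(cfg, status_interval=1):
    """Return a list of (severity, message) findings for one configuration.

    cfg keys (hypothetical names, one per field described above):
    auth_type, protocol, port, user_name, reconnect_interval.
    status_interval is the collection interval of the _Status parameter
    (1 minute by default), in the same unit as reconnect_interval.
    """
    findings = []
    auth = cfg["auth_type"]
    proto = cfg["protocol"].upper()
    port = cfg["port"]
    user = cfg["user_name"]
    reconnect = cfg["reconnect_interval"]

    # The port should agree with the selected connection protocol.
    if proto not in DEFAULT_PORTS:
        findings.append(("error", f"unknown connection protocol {proto}"))
    else:
        for other, default in DEFAULT_PORTS.items():
            if other != proto and port == default:
                findings.append(
                    ("error", f"port {port} is the {other} default, "
                              f"but the protocol is {proto}"))

    # The user name format depends on the authentication type.
    if auth not in ("Negotiate", "Kerberos"):
        findings.append(("error", f"unknown authentication type {auth}"))
    elif user != "$USERNAME":  # $USERNAME = PATROL Agent default account
        domain, sep, name = user.partition("\\")
        if auth == "Negotiate" and sep:
            findings.append(
                ("error", "Negotiate expects a local account: username"))
        elif auth == "Kerberos" and not (sep and domain and name):
            findings.append(
                ("error", "Kerberos expects a domain account: domain\\username"))

    # 0 disables auto-reconnect; otherwise the value must exceed the
    # _Status collection interval.
    if reconnect < 0:
        findings.append(("error", "reconnect interval cannot be negative"))
    elif 0 < reconnect <= status_interval:
        findings.append(
            ("error", "reconnect interval must be greater than the "
                      "_Status collection interval"))
    elif reconnect > status_interval:
        findings.append(
            ("review", "auto-reconnect is enabled: a genuine Access denied "
                       "error can lead to account lockout; check the "
                       "account lockout policy"))
    return findings


# Constructed sample configurations.
GOOD = {"auth_type": "Kerberos", "protocol": "HTTPS", "port": 5986,
        "user_name": "CORP\\svc_patrol", "reconnect_interval": 0}
BAD = {"auth_type": "Kerberos", "protocol": "HTTPS", "port": 5985,
       "user_name": "svc_patrol", "reconnect_interval": 1}
LOCAL = {"auth_type": "Negotiate", "protocol": "HTTP", "port": 5985,
         "user_name": "localmon", "reconnect_interval": 5}

if __name__ == "__main__":
    for name, cfg in (("GOOD", GOOD), ("BAD", BAD), ("LOCAL", LOCAL)):
        print(name, review_remote_host_config(cfg) or "no findings")
```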

User Credentials

User Name

Enter the user name to connect to the remote host. To use the PATROL Agent default account, use $USERNAME and ensure that the default account is saved in the /AgentSetup/DefaultAccount pconfig variable of the PATROL Agent or configure the default account at the following location - Create Monitoring Policy > Agent > Agent Default Account.

Password

Enter the common password of the hosts added in the Host Names/File Path field.

Confirm Password

Reconfirm the password that you entered in the field above.

Monitor Configuration

Operating System Monitoring

Monitoring options

Specify one of the following options:

  • Disable OS Monitoring: This option disables both Standard and Advance monitoring options. You can select this option when you want to use only the Custom monitoring.
  • Standard Monitoring: This option enables all Standard monitors by default and cannot be disabled. It does not monitor any advanced monitoring options.
  • Advance Monitoring: This option monitors both Windows Standard and Windows advanced configurations. Advance monitors need to be enabled explicitly. You can enable and disable all the configuration types.

Advanced Monitor Configuration

Memory

Select this checkbox to enable Memory monitoring.

Cache

Select this checkbox to enable Cache monitoring.

System

Select this checkbox to enable System monitoring.

Health Configuration


Health

Select this checkbox to enable Health monitoring.

CPU Configuration

Enable Annotation for 'Total processor utilization'

Select this checkbox to enable annotation. Annotation refers to additional details about specific processes that consume the most CPU resources.

CPU Threshold for Annotation (%)

Enter the CPU threshold (in percentage) to generate the annotation. The annotation displays the top 10 processes consuming the highest CPU resources on the system.

The default value for the CPU threshold is 80%.

Important

In BHOM, you can create an alarm policy based on the metric value of the Total processor utilization parameter.

Important

To generate annotations based on the parameter, you must enable the BHOM Annotation feature.

Memory Configuration

Enable Annotation for 'Memory usage'

Select this checkbox to enable annotation. Annotation refers to additional details about specific processes that consume the most memory resources.

Memory Threshold for Annotation (%)

Enter the memory threshold (in percentage) to generate the annotation. The annotation displays the top 10 processes consuming the highest memory resources on the system.

The default value for the memory threshold is 80%.

Important

In BHOM, you can create an alarm policy based on the metric value of the Memory usage parameter.

Important

To generate annotations based on the parameter, you must enable the BHOM Annotation feature.

Processor Configuration

Processor

Select this checkbox to enable Processor monitoring.

Exclude Criteria

Enter a comma-separated list of processor instances that you want to exclude from monitoring. Wildcard characters are not supported.

For example: 0,1,2.

If you leave this field blank, none of the CPU instances is excluded, and the field is ignored.

Include Criteria

Enter a comma-separated list of processor instances that you want to include for monitoring. Wildcard characters are not supported.

For example: 0,1,2.

If you leave the field blank, all instances are monitored.

Network Configuration

Exclude Criteria

Enter a comma-separated list of network interface instances that you want to exclude from monitoring.

For example: Local Area Connection,6TO4 Adapter

Include Criteria

Enter a comma-separated list of network interface instances that you want to include for monitoring.

For example: Local Area Connection,6TO4 Adapter

Physical Disk Configuration

Exclude Criteria

Enter a comma-separated list of physical disk instances to exclude from monitoring.

For example: 0,1,2

Include Criteria

Enter a comma-separated list of physical disk instances to include for monitoring.

For example: 0,1,2

Logical Disk Configuration

Exclude Criteria

Enter a comma-separated list of logical disk instances to exclude from monitoring.

For example: C:,D:,E:

Include Criteria

Enter a comma-separated list of logical disk instances to include for monitoring.

For example: C:,D:,E:

Page File Configuration

Exclude Criteria

Enter a comma-separated list of paging file instances that you want to exclude from monitoring.

For example: _Total,C:\pagefile.sys.

Include Criteria

Enter a comma-separated list of paging file instances that you want to include for monitoring.

For example: _Total,C:\pagefile.sys.

Process Configuration

List of Processes

Click Add to configure the process manually. 

Process Specification

Configure Process Monitoring 

Process Label

Enter a label to identify a group of processes. The input that you specify must match the regular expression pattern, '^[0-9a-zA-Z_]+$'.

Process Name

Enter a name or a regular expression pattern that matches the names of processes that must be monitored. Enter only the process name without extension.

For example, if the process name is Notepad, enter Notepad. Do not enter Notepad.exe.

Use Regular Expression for Process Name

Select this checkbox to monitor all the processes that contain the process name specified.

Process Arguments

Enter the command line arguments for the processes that you want to monitor.

  • To monitor a specific process, enter the process arguments.
  • To monitor all the instances of the same process, enter the wildcard asterisk ( * ).
  • If the process argument field is left blank, only the process with no arguments will be monitored.

Example:

C:\Windows\system32\svchost.exe -k NetworkService 
Here, C:\Windows\system32\svchost.exe on its own is treated as a process with no arguments, and -k NetworkService is treated as the argument.

Use Regular Expression for Process Argument

Select this checkbox to enter process command line arguments by using a regular expression pattern.

Minimum Count

Enter a value that will trigger an alarm when the process count falls below this value.

Maximum Count

Enter a value that will trigger an alarm when the process count rises above this value.

Acceptable Process Owner

Enter a name or regular expression pattern that matches the name of the acceptable process owner.

Use Process Owners for Filtering

Select this checkbox to filter processes based on the process owners.

Process Settings  

Generate alarm on Process stop

Select this checkbox to generate an alarm when the process stops.

Generate alarm on Process start

Select this checkbox to generate an alarm when the process starts.

Restart Command

Enter the command that would be used to restart a stopped process.

Time to terminate runaway Process

Enter the time for which a process is retained and not terminated when the CPU usage for the process exceeds the defined maximum CPU threshold. After the specified time, the process is terminated. The time that you enter must match the following regular expression pattern - ^[0-9]+$.

Automatic Process Monitoring

Disable Automatic Process Monitoring

Select this checkbox to disable the default monitoring of processes.

Important

By default, all the processes for which you would configure CPU threshold and time duration are monitored. You can configure CPU threshold and time duration by using the CPU Threshold in % and Time Duration in secs fields.


CPU Threshold in %

Enter the CPU threshold (in percentage) for automatic process monitoring. The value that you enter must match the following regular expression pattern - ^[0-9]+$. By default, this value is set to 90.

Time Duration in secs

Enter the time limit (in seconds) to start the automatic process monitoring. The input that you specify must match the regular expression pattern, '^[0-9]+$'. By default, this value is set to 300.

Service Configuration

Important

With version 5.0.00, the exclude operation is independent of the include operation. You can use Exclude Services to exclude objects, regardless of any include rules specified in the Include Services option.

You can now create a policy with Service Exclusions only.

Disable Automatic Restart

Select this checkbox to disable the automatic restart of the monitored services.

Disable Alert For Paused Services

Select this checkbox to disable alerts for the paused services.

List of Included Services

Click Add to add a list of services to monitor.

Service Details

Generate an Alarm/Warning when service is stopped

By default, when a service is stopped, the PATROL Agent generates an alarm. However, for a particular service, you can specify a Warning instead. This feature is available for the services with a startup type of Automatic only.

Alert State

Select one of the following options to define the type of alert that you want to raise when the service stops:

  • Alarm
  • Warning

Restart service when stopped

Select this checkbox to restart a stopped service.

Enable process monitoring for the services

Select this checkbox to monitor the processes that are associated with the configured service.

By default, the PATROL Agent monitors only whether services are available. To monitor how much memory and CPU a service executable consumes, you must enable process monitoring for the service. When you enable process monitoring, the PATROL Agent monitors the service executable process and displays the monitored process beneath the NT_SERVICE application.

Use command line for non-responsive services

Select this checkbox to use the command line and enter the command line in the Command line field. This option is used for the non-responsive services.

Command line

Enter the command line name.

Service Name

Service Name

Enter the display name or service name that you want to monitor. Use regular expressions for the display name only.

If you enter the service name, clear the Use Display Name check box.

The KM uses the \| character sequence for the OR operation instead of the | character.

Example:

  • ^Windows.*\|^Application.*
  • ^Device Association.*\|^Device Setup.*

Use Display Name

By default, this checkbox is selected. If you have entered a service name in the Service Name field, clear this check box. 

Service Startup Type

Automatic

Select this checkbox to monitor the services with Automatic Startup Type. This checkbox is enabled by default.

Important

If you use BMC PATROL for Microsoft Windows Servers 5.1, select this checkbox for the following Startup Types - Automatic, Automatic (Trigger Start), and Automatic (Delayed Start).

For BMC PATROL for Microsoft Windows Servers 5.1.10 and later, separate checkboxes are provided for trigger and delayed startup type services.

Automatic Delayed Start

Select this checkbox to monitor automatic delayed start type services.

Automatic Trigger Start

Select this checkbox to monitor automatic trigger start type services.

Manual

Select this checkbox to monitor the services with Startup Type as Manual, Manual (Trigger Start). This checkbox is enabled by default.

Disabled

Select this checkbox to monitor the services with Startup Type as Disabled.

Exclude Services

List of Excluded Services

Click Add to add a list of services that you do not want to monitor.

Service Name

Enter the display name or service name that you want to monitor. Use regular expressions for the display name only.

If you enter the service name, clear the Use Display Name checkbox.

Use Display Name

By default, this checkbox is selected. Clear this checkbox if you have entered a service name in the Service Name field. 

Event Log Configuration 

Event Log

Select this checkbox to enable Event Log monitoring. By default, all Windows event logs are monitored if they are registered in the Windows registry at the following location: 

HKLM\SYSTEM\CurrentControlSet\Services\Eventlog 

List of Event Logs

Click Add to configure the event logs. 

Log Name

Enter the event log name for which you want to create a filter.

List of Filters

Click Add to filter the event logs.

Name

Enter a unique name that represents the event filter, and follow these rules:

  • The filter name cannot exceed 127 characters.
  • The filter name cannot use the following format: user@domain.com. If this format is used for the filter name, the filter fails to filter events.

Description

Enter a short description of the filter you are creating. This is additional information regarding the filter, and you can change the description at any time.

Report/Notify

Select one of the following options, as appropriate:

  • Report the number of events that match the filter criteria during each collection period - If you select this option, PATROL monitors the number of events that match the filter criteria during each collection cycle. Depending on which event types the filter monitors, the following parameters are used to report this data:
    • Number of Error Events (ELMError)
    • Number of Failure Audit Events (ELMFailureAudit)
    • Number of Information Events (ELMInformation)
    • Number of Other Type Events (ELMOtherTypes)
    • Number of Events (ELMStatus)
    • Number of Success Audit Events (ELMSuccessAudit)
    • Number of Warning Events (ELMWarning)
  • Notify immediately when an event matches the filter criteria - If you select this option, PATROL immediately changes a parameter to an alarm state when an event matches the filter criteria. Depending on which event types the filter monitors, the following parameters are displayed in an alarm state when an event matches the filter:
    • Notifications of Error Events (ELMErrorNotification)
    • Notifications of Failure Audit Events (ELMFailureAuditNotification)
    • Notifications of Warning Events (ELMWarningNotification)
    • Notifications of Windows Events (ELMNotification)
      (This parameter is active only when you have selected both options: Notify immediately and Consolidate event types.)

Source Details

Click Add to configure the source name. 

  • Name: Specify the event log source name or regular expression.
  • OK: Click to save the configuration.
  • Cancel: Click to close the dialog.

Use name as a regular expression

Select this checkbox if you have specified a regular expression in the Name field.

Disable case sensitivity

Select this checkbox to disable case sensitivity for the source filtering.

You can specify whether filter comparisons are case-independent for the source, user, category, and string options of a Windows event filter. To disable case-independent comparisons for any of these options, make sure that the corresponding Disable Case Sensitivity check box is cleared when you configure Windows event monitoring.

The /PSX_P4WinSrvs/PWK_PKMforMSWinOS_config/EventLogMonitoring/eventlog/EventFilters/filter/FilterDisableCase configuration variable stores information about case-sensitivity of the event filter options.

This variable holds a five-bit value, with one bit corresponding to each of Source, User, Category, String, and Computer name, respectively. If any bit value is 1, a case-independent filter comparison is made for the corresponding field.

Set this variable to any of the following values:

  • 00000 = none checked (default)
  • 11111 = all 5 categories checked
  • A combination of 0s and 1s, depending on which of the 5 categories were checked

To disable case-sensitivity in the event filters, set the value of the FilterDisableCase configuration variable to 00000.

Include/Exclude Source List


Select one of the following options, as appropriate:

  • Include all event sources in the list
  • Exclude all event sources in the list

Event Type Details

Event Types to Monitor

Select Windows event types to filter the events to monitor from the following:

  • Critical
  • Error
  • Warning
  • Information
  • Verbose
  • Success_Audit
  • Failure_Audit
  • Others

Consolidate event types when reporting

  • Select this option if you want various types of events (for example, Warning, Information, Error) to be reported by using one parameter, ELMStatus (or ELMNotification if you configured to be notified immediately when an error occurs while defining the Report/Notify option).
  • Clear this checkbox to have separate parameters for each event type that can raise alarms independently.

Event ID Details

Windows Event ID(s)

Specify one or more event IDs in the following ways:

  • Single event ID. For example: 100
  • Comma-separated list of multiple event IDs. For example: 100,110,120
  • Range of event IDs. For example: 100-120
  • Regular expression. For example: 1[0-5]3

Use Event ID as a regular expression

Select this checkbox if you specified a regular expression in the Windows Event ID(s) field.

Include/Exclude Event ID List

Select one of the following options, as appropriate:

  • Include all event IDs in the list
  • Exclude all event IDs in the list
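To confirm that a filter selects the events you depend on, the Event ID options can be modelled offline. The following is an added example, not BMC code: it interprets the Windows Event ID(s) field together with the regular expression and include/exclude options, then lists the required IDs that a filter would not select. Matching the regular expression against the whole ID and allowing single IDs and ranges in one comma-separated list are assumptions; the required IDs are sample Security log events.

```python
import re


def build_event_id_matcher(spec, use_regex=False, include=True):
    """Return f(event_id) -> bool: does the filter select this event ID?

    spec       value of the Windows Event ID(s) field
    use_regex  state of 'Use Event ID as a regular expression'
    include    True  = 'Include all event IDs in the list'
               False = 'Exclude all event IDs in the list'
    """
    if use_regex:
        pattern = re.compile(spec)

        def in_list(event_id):
            # Assumption: the pattern must match the whole ID.
            return pattern.fullmatch(str(event_id)) is not None
    else:
        ranges = []
        for item in spec.split(","):
            match = re.fullmatch(r"(\d+)(?:\s*-\s*(\d+))?", item.strip())
            if not match:
                raise ValueError(f"not an event ID or range: {item!r}")
            low = int(match.group(1))
            high = int(match.group(2)) if match.group(2) else low
            if low > high:
                raise ValueError(f"reversed range: {item!r}")
            ranges.append((low, high))

        def in_list(event_id):
            return any(low <= event_id <= high for low, high in ranges)

    def selected(event_id):
        # Include mode selects listed IDs; exclude mode selects the rest.
        return in_list(event_id) == include

    return selected


def uncovered(required_ids, spec, **options):
    """Return the required event IDs that the filter does not select."""
    selected = build_event_id_matcher(spec, **options)
    return sorted(eid for eid in required_ids if not selected(eid))


# Sample requirement list (Security log event IDs).
REQUIRED = {
    4625: "An account failed to log on",
    4740: "A user account was locked out",
    1102: "The audit log was cleared",
}

if __name__ == "__main__":
    candidates = [
        ("4624-4634,4740", {}),
        ("47[0-9]{2}", {"use_regex": True}),
        ("1102", {"include": False}),
        ("1102,4625,4740", {}),
    ]
    for spec, options in candidates:
        missing = uncovered(REQUIRED, spec, **options)
        print(f"{spec!r} {options}: missing {missing or 'nothing'}")
```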

Event Handling

Annotate Graph parameter with event details

Select this checkbox to annotate event details to Graph parameters.

Write event details to a text parameter

Select this checkbox to add event details to text parameters.

Use event details for a recovery action

Select this checkbox to enable using the event details for recovery actions.

Report multiple events as a single event when the event occurs

Enter the number of events that must be reported as a single event depending on the value that you specify in the Time within seconds field.

By default, this value is set to 1.

Time within seconds

Enter the number of seconds that must be used for reporting multiple events as a single event.

By default, this value is set to 0.

Enter text automatic or Filter name to Acknowledge Alarm

Enter how you want to acknowledge the alarm raised by the event filter. Specify one of the following values:

  • automatic: If you specify automatic, then PATROL acknowledges alarms and returns the filter to an OK state if the filter criteria are not met during the most recent collection cycle. In other words, if the events you are monitoring do not occur during the collection cycle, the event filter state is changed back to OK. With this option, you are not actively monitoring for alarms; you might not notice when the monitored events occur because any alarms will be reset during the next collection cycle if the monitored events do not re-occur.

    Important

    If you select Notify immediately when an event matches the filter criteria option, PATROL cannot acknowledge the alarm or return the filter to an OK state. PATROL keeps the filter in the alarm until an operator manually acknowledges the alarm.

  • filterName: If you specify the filter name, then PATROL changes the filter state from an alarm state to an OK state when the criteria of a second event filter are met. To use this option, you must create an event filter that monitors for the required event and that is configured to notify PATROL immediately when that filter criteria is met, and then specify the filter name in this field.

By default, this value is set to automatic.

Advanced Properties

List of Users

Click Add to configure user details. 

  • User Name: Enter the user name associated with the events that you want to monitor or exclude from monitoring.
  • OK: Click to save the configuration.
  • Cancel: Click to close the dialog.

Include/Exclude User List

Select one of the following options, as appropriate:

  • Include all users in the list - Specifies that all of the users in the list are monitored by the event filter. Select this option when you only want to monitor specific users.
  • Exclude all users in the list - Specifies that all the users except those in the list are monitored by the event filter. Select this option when you want to monitor all the users except for a few specific users that you want to exclude from the event filter.

List of Categories

Click Add to provide category details for the events that you want to monitor.

  • Category Name: Enter the category name associated with the events that you want to monitor or exclude from monitoring.
  • OK: Click to save the configuration.
  • Cancel: Click to close the dialog.

Include/Exclude Category List

Select one of the following options, as appropriate:

  • Include all categories in the list - This option specifies that all of the categories in the list are monitored by the event filter. Select this option when you only want to monitor specific categories.
  • Exclude all categories in the list - This option specifies that the event filter monitors all categories except those in the list. Select this option when you want to monitor all categories except for a few specific categories that you want to exclude from the event filter.

String Details

Click Add to provide string details associated with the events you want to monitor.

Include String

Enter the string associated with the events that you want to include for monitoring.

When entering a string that includes special characters that are used in regular expressions, such as a dollar sign ($), a period (.), a parenthesis (), or a backslash (\), you must escape each special character with a backslash. For example, if the string is $Error, you must enter the string as \$Error.

  • OK: Click to save the configuration.
  • Cancel: Click to close the dialog.

Exclude String

Enter the string associated with the events that you want to exclude for monitoring.

When entering a string that includes special characters that are used in regular expressions, such as a dollar sign ($), a period (.), a parenthesis (), or a backslash (\), you must escape each special character with a backslash. For example, if the string is $Error, you must enter the string as \$Error.

  • OK: Click to save the configuration.
  • Cancel: Click to close the dialog.

Computer Details

  • List of Computers:  Click Add to provide details regarding the computers associated with the events that you want to monitor.
  • Computer Name: Specify the computer associated with the events that you want to monitor or exclude from monitoring.
  • OK: Click to save the configuration.
  • Cancel: Click to close the dialog.

Include/Exclude User List

Select one of the following options, as appropriate:

  • Include all computers in the list - This option specifies that all of the computers in the list are monitored by the event filter. Select this option when you only want to monitor specific computers.
  • Exclude all computers in the list - This option specifies that the event filter monitors all computers except those in the list. Select this option when you want to monitor all computers except for a few specific computers that you want to exclude from the event filter.

Disable Case Sensitivity

Select this checkbox to disable case sensitivity for computer comparison.

WMI Monitors

  • List of Parameters: Click Add to add a list of WMI parameters that you want to monitor.
  • Parameter Name: Enter the WMI parameter name. For example, CDrive_FreeSpace.
  • Namespace: Enter the namespace you want to connect. By default, it is root\\cimv2.
  • WMI Query: Enter the WMI query. For example: select FreeSpace from win32_logicaldisk WHERE DeviceID='C:'

    Important

    The WMI Query must return a numeric value.

  • Scaling Factor: Enter a value between 1 and 2147483647 to scale down a value that cannot be directly set to parameters, such as WMI queries that return a 64-bit integer value.

Raw Counter Data Configurations

  • Format Raw Counter Data: Select the checkbox to normalize and display formatted performance data for the raw counter. 

    Important

    You can select this checkbox only for Win32_PerfRawData WMI classes. For more information, see Performance counters supported through Win32_PerfRawData WMI class.

  • Counter Type: Enter the counter type for the raw counter specified in the query. This is required only when the Format Raw Counter Data option is selected.

 

BMC PATROL for Microsoft Windows Servers 20.05