Event log specification parameters


The following are the optional parameters of the event log specifications section. Each event log on the system is identified, along with the default facility used for any message associated with that log. Additionally, each log can have a series of UseFacility and UseSeverity statements, each associated with MatchKeyWord values, which let you fine-tune the facilities and severities of messages. The following directives are supported.

One agent can configure a maximum of fifty different event log and log file monitor specifications.

Note

These fifty specifications can be distributed in any way between the Event Log specifications in this section and the Log file specifications of the next section, but the total number of specifications cannot exceed fifty.

EventLog

This directive is followed by the name of a Windows Event Log: Application, System, Security, or any other event log name that appears in the Microsoft Local Event Viewer program. All the directives that follow, up to the next EventLog or LogFile directive, apply to the specified EventLog.

Note

On Windows 2008 and later systems, you can also specify a Windows application log in addition to the standard event logs. (See the additional notes that follow.)

Formatter

This directive (if it is present) can be used to specify or change the formatting of event log messages for the particular event log. (Generally, this setting should not be specified and is available for system level debug. Contact BMC Support for specific information on this topic.)

DefaultFacility

The EventLog directive must precede this directive. The value specifies a facility name (or an official facility number between 0–23) that identifies the default facility code used in all messages logged to the specified EventLog.

DefaultSeverity

The EventLog directive must precede this directive. The value specifies a severity name that identifies the default severity code used in all messages logged to the specified EventLog. This directive can be a number between 0=emergency and 7=debug, an official severity name, or one of the special values auto or disabled. The value auto indicates that the severity is set automatically according to the built-in type of the event message. The value disabled indicates that no messages are sent unless the message specifically matches a MatchKeyWord directive.

UseFacility

This directive can follow the DefaultFacility directive and is followed by one or more MatchKeyWord directives. It starts a series of match patterns, any of which causes the UseFacility value to be used as the message facility. This provides a way of selecting a facility based on the content of a message. The value must specify a facility name (or an official facility number between 0–23) that identifies the facility to be used if any of the match patterns that follow are satisfied. This directive is not meaningful unless immediately followed by one or more MatchKeyWord directives, described below. Multiple UseFacility directives, each followed by multiple MatchKeyWord directives, can be configured.

UseSeverity

This directive is similar to the UseFacility directive but affects the message severity instead of the facility code. It starts a series of match patterns, any of which causes the UseSeverity value to be used as the message severity. The value must specify a severity name (or an official severity number between 0–7, the special disabled severity, or a -1 value) that identifies the severity to use if any of the match patterns that follow are satisfied. This directive is not meaningful unless immediately followed by one or more MatchKeyWord directives. Multiple UseSeverity directives, each followed by multiple MatchKeyWord directives, can be configured.

MatchKeyWord

This directive is nested within a UseFacility or UseSeverity directive and specifies a single match keyword, with optional * or ? wildcards. If the message content contains the match pattern, the related severity or facility is used. Multiple patterns can be specified, without limit. Any other directive ends the MatchKeyWord list, so the MatchKeyWord directives must all be contiguous within a single UseFacility or UseSeverity block.

Monitoring application and service Event Logs

On Windows 2008 and Windows 2012 systems, in addition to the standard event logs (such as Security, System, and Application), the operator can add an application event log to the configuration via the EventLog directive by specifying the official name of the event log. This name is available on Windows 2008, 2012, and other post-Vista systems using the wevtutil.exe program at a command prompt as follows:

C:> wevtutil.exe el

The preceding command displays an enumerated list of all application logs on the system. Any listed name can be added as an Event log specification (without the Microsoft-Windows- prefix). When entered as an EventLog specification, the application log is polled for changes approximately once every 30 seconds, detecting a maximum of 100 new messages per poll cycle.

These EventLog strings include (but are not limited to) text strings such as any of the following:

DriverFrameworks-UserMode/Operational
PrintService/Admin
PrintService/Operational
SystemHealthAgent/Diagnostic
TaskScheduler/Debug
TaskScheduler/Operational
Windows Defender/Operational
Windows Firewall With Advanced Security/Firewall

Notes

  • This feature requires the wevtutil library and is therefore not applicable on Windows 2003 or XP (or potentially other) Windows OS configurations. These log names must contain a forward slash, such as /Admin, /Operational, /Debug, or /Diagnostic. (A Microsoft-Windows prefix can be specified with the log name, but it is ignored by the agent.)
  • Monitoring many application logs can cause performance problems if overused.

Notes on Event Log specifications

As shown in Event log specification parameters, each event log has a DefaultFacility, followed by multiple optional UseFacility and UseSeverity statements. Each UseFacility and UseSeverity statement can have multiple MatchKeyWord statements. This provides a simple way to configure facilities and severities for any particular message.

If the DefaultSeverity directive is set to auto, the default severity of messages depends on the Windows event log Message Type field, as follows:

  • Event Log Error Type—Any event log message of this type is by default assigned a syslog severity of error.
  • Event Log Warning Type—Any event log message of this type is by default assigned a syslog severity of warning.
  • Event Log Info Type—A message of this type logged to the System log is assigned a syslog severity of notice. A message logged to any other log is assigned a syslog severity of info.
  • Event Log Audit Success—A message of this type logged to the Security log is assigned a syslog severity of notice.
  • Event Log Audit Failure—A message of this type logged to the Security log is assigned a syslog severity of error.

The preceding default severities can be overridden by the UseSeverity statement as discussed. Experience shows that this mapping is entirely satisfactory for the vast majority, or perhaps all, of the event log messages generated by a Windows platform for most applications.

It is quite possible (and even likely) that message content matches multiple UseFacility or UseSeverity statements. In that case, the following rules apply:

If a message matches multiple UseSeverity statements, the severity actually used is the highest severity (that is, the lowest number) of any matched severities.

Example

If a message matches two UseSeverity statements, one with severity info and the other with severity critical, then the critical severity is used in the transmitted message.

Likewise, if a message matches multiple UseFacility statements, the facility with the highest facility code number is used as the facility in the transmitted message. If no facility is matched but a severity matches, the DefaultFacility is used.
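The auto severity mapping and the multiple-match rules above are easy to get wrong when reviewing a configuration, so the following added example (not the agent's own code) models them in Python: UseSeverity and UseFacility blocks with MatchKeyWord wildcards, lowest-number-wins for severity, highest-number-wins for facility, and the auto and disabled defaults. The Block class, the resolve() function, and case-insensitive keyword matching are assumptions for the illustration; the directive semantics follow the text above.

```python
import re
from dataclasses import dataclass

# Syslog severity codes, 0=emergency ... 7=debug.
SEVERITY = {"emergency": 0, "alert": 1, "critical": 2, "error": 3,
            "warning": 4, "notice": 5, "info": 6, "debug": 7}


def auto_severity(event_type, log_name):
    """DefaultSeverity=auto: map the Windows event type to a syslog severity."""
    if event_type == "Error":
        return SEVERITY["error"]
    if event_type == "Warning":
        return SEVERITY["warning"]
    if event_type == "Info":        # notice only for the System log
        return SEVERITY["notice"] if log_name == "System" else SEVERITY["info"]
    if event_type == "AuditSuccess":
        return SEVERITY["notice"]
    if event_type == "AuditFailure":
        return SEVERITY["error"]
    raise ValueError(f"unknown event type {event_type!r}")


def keyword_matches(pattern, text):
    """MatchKeyWord: '*' and '?' wildcards, pattern may appear anywhere in the
    message text. Case-insensitive matching is an assumption of this example."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.search(regex, text, re.IGNORECASE) is not None


@dataclass
class Block:
    """One UseFacility or UseSeverity directive with its MatchKeyWord list (hypothetical model)."""
    value: int
    keywords: list


def resolve(message, event_type, log_name, default_facility, default_severity,
            use_facility=(), use_severity=()):
    """Return (facility, severity) for one message, or None if nothing is sent."""
    sev_hits = [b.value for b in use_severity if any(keyword_matches(k, message) for k in b.keywords)]
    fac_hits = [b.value for b in use_facility if any(keyword_matches(k, message) for k in b.keywords)]
    if sev_hits:
        severity = min(sev_hits)            # highest severity is the lowest number
    elif default_severity == "disabled":
        return None                         # assumed: only a UseSeverity match sends the message
    elif default_severity == "auto":
        severity = auto_severity(event_type, log_name)
    else:
        severity = default_severity
    facility = max(fac_hits) if fac_hits else default_facility  # highest facility number wins
    return facility, severity
```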
