Event log configuration entries


The event log (EventLog) configuration entries are optional. Each event log on the system is identified with the default facility used for any message associated with the particular log. Each log can also have a series of UseFacility and UseSeverity statements, each associated with MatchKeyWord values, so that you can fine-tune the Facilities and Severities of messages.

One agent can configure up to fifty different event log and log file monitor specifications. 

Note

You can distribute the fifty specifications in any way between event log specifications and log file specifications, but the total number of specifications cannot exceed fifty.

The following configuration entries are supported.

Parameter

Description

EventLog

Name of a Windows event log, either application, system, security, or some other event log name that appears in the Microsoft Local Event Viewer Program

All the directives that follow, delineated by the next EventLog or LogFile directive, apply to the specified event log.

Note

On Windows 2008 and later systems, you might also specify a Windows Application Log, in addition to the standard event log. (See following additional notes.)

Formatter

If present, formatting of event log message for the specified log

This configuration entry can specify or change the formatting.

Note

This entry is available for system-level debugging. Contact BMC Support for specific information on this topic.

DefaultFacility

Default facility code used in all messages that are logged to the specified event log

The value can be a facility name, or an official facility number from 0 through 23.

This entry must come after the EventLog entry.

DefaultSeverity

The value specifies a severity name that identifies the default severity code used in all messages logged to the specified EventLog. This directive can be a number between 0=emergency and 7=debug, an official severity name, or one of the special values auto or disabled. The value auto indicates that the severity is set automatically according to the built-in type of the event message. The value disabled indicates that no messages are sent unless the message specifically matches a MatchKeyWord directive.

This entry must come after the EventLog entry.

UseFacility

This directive starts a series of match patterns, any of which causes the UseFacility value to be used as the message facility. This provides a way of choosing a facility based on the content of a message. The value must specify a facility name (or an official facility number from 0 through 23) that identifies the facility to be used if any of the match patterns that follow are satisfied.

This entry must come after the DefaultFacility entry and be followed by one or more MatchKeyWord entries.

You can specify multiple UseFacility entries, each followed by one or more MatchKeyWord entries.

UseSeverity

This directive is similar to the UseFacility directive but affects the message severity instead of the facility code. It starts a series of match patterns, any of which causes the UseSeverity value to be used as the message severity.

This directive identifies the severity to use if any of the match patterns that follow are satisfied. The value can be any of the following:

  • A severity name
  • An official severity number from 0 through 7
  • The special disabled severity
  • -1

This entry must come after the DefaultFacility entry and be followed by one or more MatchKeyWord entries.

You can specify multiple UseSeverity entries, each followed by one or more MatchKeyWord entries.

MatchKeyWord

This directive is nested within a UseFacility or UseSeverity directive and specifies a single match keyword, with possible * or ? wildcards.

If the message content contains the match pattern, then the related severity or facility is used. Multiple patterns can be specified, without limit. Any other directive ends the MatchKeyWord list, so the MatchKeyWord directives must all be contiguous within a single UseFacility or UseSeverity block.

Monitoring application and service Event Logs

On Windows 2008 and Windows 2012 systems, in addition to the standard event logs (such as Security, System, and Application), the operator can add an application EventLog to the system via the EventLog field by specifying the official name of the event log. This name is available on Windows 2008, 2012, and other post-Vista systems using the wevtutil.exe program at a command prompt as follows:

C:> wevtutil.exe el

The preceding command displays an enumerated list of all application logs on the system. Any name can be added as an Event log specification (without the Microsoft-Windows- prefix). When entered as an EventLog specification, the application log is polled for changes approximately once every 30 seconds, detecting a maximum of 100 new messages per poll cycle.

These EventLog strings include (but are not limited to) text strings such as any of the following:

DriverFrameworks-UserMode/Operational
PrintService/Admin
PrintService/Operational
SystemHealthAgent/Diagnostic
TaskScheduler/Debug
TaskScheduler/Operational
Windows Defender/Operational
Windows Firewall With Advanced Security/Firewall

Notes

  • This feature requires the wevtutil library and hence is not applicable on Windows 2003 or XP (or potentially other) Windows OS configurations. These logs must contain a forward slash in their name, such as /Admin, /Operational, /Debug, /Diagnostic. (A Microsoft-Windows prefix can be specified with the log name, but it is ignored by the agent.)
  • This feature can cause certain performance problems if overused.

Notes on Event Log specifications

As shown in Event log specification parameters, each event log has a DefaultFacility, followed by multiple optional UseFacility and UseSeverity statements. Each UseFacility and UseSeverity statement can have multiple MatchKeyWord statements. This provides a simple way to configure facilities and severities for any particular message.

If the DefaultSeverity directive is set to auto, then the default severity of messages depends upon the Windows event log Message Type field, as follows:

  • Event Log Error Type—Any event log message of this type is by default assigned a syslog severity of error.
  • Event Log Warning Type—Any event log message of this type is by default assigned a syslog severity of warning.
  • Event Log Info Type—A message of this type logged to the system log is assigned a syslog severity of notice. A message logged to any other log is assigned a syslog severity of info.
  • Event Log Audit Success—A message of this type logged to the security log is assigned a syslog severity of notice.
  • Event Log Audit Failure—A message of this type logged to the security log is assigned a syslog severity of error.

The preceding default severities can be overridden by the UseSeverity statement as discussed. Experience shows that the preceding mapping is entirely satisfactory for the vast majority, or perhaps all, of the event log messages generated by a Windows platform, for most applications. 

It is quite possible (and even likely) that message content matches multiple UseFacility or UseSeverity statements. In that case, the following rules apply:

If a message matches multiple UseSeverity statements, then the severity actually used is the highest severity (that is, the lowest number) among the matching severities.

Example

If a message matches two UseSeverity statements, one with info and the other with critical, then the critical severity is used in the transmitted message.

Likewise, if a message matches multiple UseFacility statements, then the facility with the highest-numbered facility code is used as the facility in the transmitted message. If no facility is matched but a severity matches, then the DefaultFacility is used.
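The resolution rules above (the auto severity mapping and the precedence when a message matches several UseSeverity or UseFacility statements), together with the MatchKeyWord wildcard matching described earlier, as a Python model added here for illustration; this is not the agent's code, and the dataclasses, helper names and the sample Security-log specification are assumptions. Two points the page does not settle are also assumptions, marked in the comments: keyword matching is treated as case-insensitive, and a message whose only UseSeverity matches are disabled rules is dropped.

```python
import re
from dataclasses import dataclass, field
from typing import Union

# Standard syslog codes (RFC 5424): a lower severity number is more severe.
SEVERITY = {"emergency": 0, "alert": 1, "critical": 2, "error": 3,
            "warning": 4, "notice": 5, "info": 6, "debug": 7}
FACILITY = {"kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4, "syslog": 5,
            "lpr": 6, "news": 7, "uucp": 8, "cron": 9, "authpriv": 10, "ftp": 11,
            "ntp": 12, "audit": 13, "alert": 14, "clock": 15,
            "local0": 16, "local1": 17, "local2": 18, "local3": 19,
            "local4": 20, "local5": 21, "local6": 22, "local7": 23}

def code_of(value, table, hi):
    """Accept a name ('auth', 'critical') or a number (int or '4'); return the code."""
    if isinstance(value, str) and value.lower() in table:
        return table[value.lower()]
    code = int(value)
    if not 0 <= code <= hi:
        raise ValueError(f"code {code} outside 0..{hi}")
    return code

@dataclass
class Rule:
    """One UseFacility or UseSeverity value with its MatchKeyWord list (hypothetical model)."""
    value: Union[str, int]          # name, number, or 'disabled' (UseSeverity only)
    keywords: list

@dataclass
class EventLogSpec:
    """One EventLog block of the configuration (hypothetical model)."""
    name: str                                   # EventLog value, e.g. 'security'
    default_facility: Union[str, int]           # DefaultFacility
    default_severity: Union[str, int] = "auto"  # DefaultSeverity: name, number, 'auto', 'disabled'
    use_facility: list = field(default_factory=list)
    use_severity: list = field(default_factory=list)

def keyword_regex(keyword):
    """MatchKeyWord semantics: substring match with * and ? wildcards.
    Case-insensitive matching is an assumption; the page does not say."""
    pattern = re.escape(keyword).replace(r"\*", ".*").replace(r"\?", ".")
    return re.compile(pattern, re.IGNORECASE)

def rule_matches(rule, message):
    return any(keyword_regex(k).search(message) for k in rule.keywords)

def auto_severity(log_name, event_type):
    """DefaultSeverity=auto: map the Windows event type as the page documents."""
    t = event_type.lower()
    if t == "error":
        return SEVERITY["error"]
    if t == "warning":
        return SEVERITY["warning"]
    if t == "info":
        return SEVERITY["notice"] if log_name.lower() == "system" else SEVERITY["info"]
    if t == "auditsuccess":
        return SEVERITY["notice"]
    if t == "auditfailure":
        return SEVERITY["error"]
    raise ValueError(f"unknown event type {event_type!r}")

def resolve(spec, event_type, message):
    """Return (facility, severity) for a message, or None if it is not sent."""
    # Severity: the highest severity (lowest number) among matching UseSeverity rules wins.
    sev_hits = [r.value for r in spec.use_severity if rule_matches(r, message)]
    numeric = [code_of(v, SEVERITY, 7) for v in sev_hits if str(v).lower() != "disabled"]
    if numeric:
        severity = min(numeric)
    elif sev_hits:
        return None   # only 'disabled' rules matched: assumption, drop the message
    elif str(spec.default_severity).lower() == "disabled":
        return None   # documented: nothing is sent unless a MatchKeyWord matches
    elif str(spec.default_severity).lower() == "auto":
        severity = auto_severity(spec.name, event_type)
    else:
        severity = code_of(spec.default_severity, SEVERITY, 7)
    # Facility: the highest-numbered matching UseFacility wins, else DefaultFacility.
    fac_hits = [code_of(r.value, FACILITY, 23)
                for r in spec.use_facility if rule_matches(r, message)]
    facility = max(fac_hits) if fac_hits else code_of(spec.default_facility, FACILITY, 23)
    return facility, severity

def syslog_pri(facility, severity):
    """RFC 5424 PRI value that heads the forwarded syslog message."""
    return facility * 8 + severity

# Constructed sample specification for the Security log (not taken from the page).
SECURITY_SPEC = EventLogSpec(
    name="security",
    default_facility="auth",
    default_severity="auto",
    use_facility=[Rule("local0", ["*logged on*"]), Rule("local7", ["Kerberos"])],
    use_severity=[Rule("critical", ["*audit log was cleared*"]),
                  Rule("info", ["cleared"]),
                  Rule("disabled", ["routine noise"])],
)

if __name__ == "__main__":
    for etype, msg in [("AuditSuccess", "The audit log was cleared."),
                       ("AuditSuccess", "An account was successfully logged on. Package: Kerberos"),
                       ("AuditFailure", "routine noise event")]:
        print(etype, "->", resolve(SECURITY_SPEC, etype, msg))
```

Running the block shows the three cases the page's rules cover: the log-cleared message matches both critical and info and goes out as critical; the logon message matches two UseFacility rules and takes local7, with the severity falling back to the auto mapping for an Audit Success on the security log; and the noise message is dropped because its only match is a disabled severity.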
