Monitoring Windows Event Logs

The Event Log is a Windows service that records application, security, and system events occurring on Windows devices. You can monitor these events using OpManager and configure it to generate alarms when critical events are logged. OpManager uses WMI to fetch the details of these logs, so you need to provide the logon details of a user with administrative privileges to connect to the Windows machine.

To view the list of all events monitored by OpManager, go to Settings > Monitoring > Event Log Rules.

Monitoring Windows Events in a Device

To monitor Windows events, you need to associate the event log monitors with the device. Before configuring Event Log monitors in OpManager, ensure that you have sufficient permissions to read event logs from the end device, especially if you are a non-admin user (see this KB article to know more).

Once you have ensured you have the necessary permissions, follow the steps given below:

  1. Go to the device snapshot page.
  2. Click Monitors > EventLog Monitors > Add Monitor.
  3. Select the event logs to be monitored in the device.
  4. Click Associate to add the selected monitors to the device.

Note: The Monitoring Interval checkbox must be enabled. If it is disabled, all the event log monitors associated with the device are disabled and will not work, even though they remain associated with the device.

Creating an Event Log Monitor

To create an event log monitor, follow the steps given below:

  1. Go to Settings > Monitoring > Event Log Rules.
    On this page, you can see the rules supported by OpManager. They are categorized into Applications, Security, System, DNS Server, File Replication Service, and Directory Service. You can add the event logs that you want to monitor under any of these categories.

  2. Click Add New Rule under any one of the categories to add a rule.
    All fields other than Rule Name are optional. Event ID is normally required to identify the event, but it can be left empty in a few exceptional cases, such as when you want to monitor all events of a given Event Type (say, Error or Information); the filter is then based on the Event Type alone.

    1. Select the Log File Name.

    2. Type a unique Rule Name.

    3. Enter the Event ID to be monitored. This is the unique identifier for the event logs.

    4. Enter the event Source. This is the name of the software that logs the event.

    5. Enter the event Category. Each event source defines its own categories, such as data write error or data read error, and each event falls under one of these categories.

    6. Type the User name to filter the event logs by the user who was logged on when the event occurred.

    7. Choose the Event Types to filter the event logs by their type. This will typically be one of Error, Warning, Information, Security audit success and Security audit failure.

    8. Description Match Text: Enter the string to be compared with the log message. This filters the events whose log message contains this string.

      You can also use Regular Expressions (RegEx) to specify the match criteria for this field. For example, consider an event log description that reads "Check whether any firewall is blocking". Below are some examples of how you can form RegEx patterns for this message:

      Condition                                   Logic used   RegEx pattern          Actual RegEx
      Contains both "Check" and "any"             AND          (?=.*XXX)(?=.*YYY)     (?=.*Check)(?=.*any)
      Contains either "blocking" or "firewall"    OR           (XXX)|(YYY)            (blocking)|(firewall)
      Does not contain "firewall"                 NOT          ^(?!.*XXX).*$          ^(?!.*firewall).*$

    9. Generate Alarm if event is raised: By default, OpManager raises an alarm whenever the event occurs. However, you can configure the number of consecutive times the event must occur within a specified number of seconds before an alarm is raised.
    10. Choose a severity for the alarm generated in OpManager for this event.
  3. Click OK to save the event log rule.
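A worked example of the Description Match Text patterns from step 8 and the consecutive-occurrence threshold from step 9, added here and not part of OpManager or this page. The sample events, the rule dictionary keys and the timestamp list are constructed assumptions, and matching is done locally with Python's re module, which is assumed to treat these patterns the same way OpManager does.

```python
import re

# Constructed sample events (not real log data), in the shape OpManager reads over WMI
SAMPLE_EVENTS = [
    {"event_id": 7034, "type": "Error", "description": "Check whether any firewall is blocking"},
    {"event_id": 4625, "type": "Security audit failure", "description": "An account failed to log on"},
    {"event_id": 1014, "type": "Warning", "description": "Name resolution timed out behind a firewall"},
]

def regex_and(*terms):
    """Description must contain every term: the page's (?=.*XXX)(?=.*YYY) form."""
    return "".join(f"(?=.*{re.escape(t)})" for t in terms)

def regex_or(*terms):
    """Description must contain at least one term: the page's (XXX)|(YYY) form."""
    return "|".join(f"({re.escape(t)})" for t in terms)

def regex_not(term):
    """Description must not contain the term: the page's ^(?!.*XXX).*$ form."""
    return f"^(?!.*{re.escape(term)}).*$"

def description_matches(pattern, description):
    # search(), not fullmatch(): the AND form is only a pair of lookaheads and the
    # OR form is unanchored, so both are meant to match anywhere in the message
    return re.search(pattern, description) is not None

def apply_rule(rule, events):
    """Return the events an Event Log Rule selects. Empty filter fields act as
    wildcards, matching the page: only Rule Name is mandatory. Keys are assumed."""
    hits = []
    for ev in events:
        if rule.get("event_id") is not None and ev["event_id"] != rule["event_id"]:
            continue
        if rule.get("event_types") and ev["type"] not in rule["event_types"]:
            continue
        if rule.get("match_regex") and not description_matches(rule["match_regex"], ev["description"]):
            continue
        hits.append(ev)
    return hits

def should_alarm(event_times, count, window_seconds):
    """'Raise an alarm if the event occurs N consecutive times within S seconds':
    True when any run of `count` consecutive occurrences fits inside the window."""
    times = sorted(event_times)
    if count <= 1:
        return bool(times)
    return any(times[i + count - 1] - times[i] <= window_seconds
               for i in range(len(times) - count + 1))
```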

Monitoring Custom Event Logs

You can also monitor event logs under a custom category. Some applications log their events to a new category other than the default System/Applications/Security categories. You can configure rules in OpManager to parse the events in such custom categories and trigger the corresponding alerts in OpManager. Here are the steps:

  1. Go to Settings > Monitoring > Event Log Rules.
  2. Click Add Custom Event log.
  3. From the drop-down, select the device on which to query for the event categories.
  4. Provide the WMI details (User Name and Password) of the device.
  5. Under List logs that were created in last, configure the time period for which logs should be listed, and click Query Device.
  6. The custom logs in the selected device are listed. Select a log from Discovered Log Files and click OK.

You can now associate the rules (default or custom event logs) to the required devices.