The Event Log is a Windows service that records application, security, and system events occurring on Windows devices. You can monitor these events using OpManager and configure it to generate alarms when critical events are logged. OpManager uses WMI to fetch the details of these logs, so you need to provide the logon details of a user with administrative privileges to connect to the Windows machine.
To view the list of all events monitored by OpManager, go to Settings > Monitoring > Event Log Rules.
To monitor Windows events, you need to associate the event log monitors with the device. Before configuring Event Log monitors in OpManager, ensure that you have sufficient permissions to read event logs from the end device, especially if you are a non-admin user (visit this KB article to know more).
Once you have ensured you have the necessary permissions, follow the steps given below:
Note: The Monitoring Interval checkbox must be enabled. If it is disabled, all the event log monitors associated with the device are disabled and will not work even though they are associated with the device.
To create an event log monitor, follow the steps given below:
Go to Settings > Monitoring > Event Log Rules.
In this page, you can see the rules supported by OpManager. They are categorized into Applications, Security, System, DNS Server, File Replication Service, and Directory Service. You can add the event logs that you want to monitor under any of these categories.
Click Add New Rule under any one of the categories to add a rule.
All fields except Rule Name are optional. Event ID is normally required to identify the event, but it can be left empty in a few exceptional cases, such as when you want to monitor all events of a given Event Type, say Error or Information. In that case the filter is based on the Event Type alone.
Select the Log File Name.
Type a unique Rule Name.
Enter the Event ID to be monitored. This is the unique identifier for the event logs.
Enter the event Source. This is the name of the software that logs the event.
Enter the event Category. Each event source defines its own categories, such as data write error, data read error and so on, and each event falls under one of these categories.
Type the User name to filter the event log based on the user who has logged on when the event occurred.
Choose the Event Types to filter the event logs based on their type. This will typically be one of Error, Warning, Information, Security audit success and Security audit failure.
Description Match Text: Enter the string to be compared with the log message. This will filter the events that contain this string in the log message.
You can also use Regular Expressions (RegEx) to specify the match criteria for this field. For example, consider an event log description that reads "Check whether any firewall is blocking". Below are some examples of how you can form RegEx patterns for this message:
| Condition | Logic used | RegEx pattern | Actual RegEx |
|---|---|---|---|
| Contains both "Check" and "any" | AND | `(?=.*XXX)(?=.*YYY)` | `(?=.*Check)(?=.*any)` |
| Contains either "blocking" or "firewall" | OR | `(XXX)\|(YYY)` | `(blocking)\|(firewall)` |
| Not contains "firewall" | NOT | `^(?!.*XXX).*$` | `^(?!.*firewall).*$` |
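As an added illustration (not OpManager's own code), the following Python sketch applies the three table patterns, plus the other optional filters from the rule form, to a few constructed event records. The field names, the sample events and the matching function are assumptions; only the regular expressions are taken from the table, and OpManager's real matcher may differ in details such as case handling.

```python
import re

# Constructed sample events (not real OpManager data). The fields mirror the
# filters on the Add New Rule form: log file, Event ID, Source, Event Type, description.
SAMPLE_EVENTS = [
    {"log": "System", "event_id": 7036, "source": "Service Control Manager",
     "type": "Information", "description": "Check whether any firewall is blocking"},
    {"log": "Application", "event_id": 1000, "source": "Application Error",
     "type": "Error", "description": "Faulting application failed to start"},
    {"log": "Security", "event_id": 4625, "source": "Security-Auditing",
     "type": "Security audit failure", "description": "An account failed to log on"},
]

def compile_rule(name, log=None, event_id=None, source=None,
                 event_types=None, match_text=None):
    """Build a rule; every filter except the name is optional, as on the form.
    match_text is treated as a regular expression, so the table patterns work as-is."""
    return {
        "name": name, "log": log, "event_id": event_id, "source": source,
        "event_types": set(event_types or []),
        "pattern": re.compile(match_text) if match_text else None,
    }

def rule_matches(rule, event):
    """True when every filter set on the rule agrees with the event.
    An unset filter (None / empty) never excludes an event."""
    if rule["log"] and rule["log"] != event["log"]:
        return False
    if rule["event_id"] is not None and rule["event_id"] != event["event_id"]:
        return False
    if rule["source"] and rule["source"] != event["source"]:
        return False
    if rule["event_types"] and event["type"] not in rule["event_types"]:
        return False
    # re.search, not re.match: the NOT pattern anchors itself with ^ and $,
    # while the AND and OR patterns are meant to match anywhere in the message.
    if rule["pattern"] and not rule["pattern"].search(event["description"]):
        return False
    return True

def events_for_rule(rule, events=SAMPLE_EVENTS):
    """Event IDs the rule would raise an alarm for."""
    return [e["event_id"] for e in events if rule_matches(rule, e)]

# The three patterns from the table, and a type-only rule with no Event ID.
AND_RULE = compile_rule("fw-and", match_text=r"(?=.*Check)(?=.*any)")
OR_RULE = compile_rule("fw-or", match_text=r"(blocking)|(firewall)")
NOT_RULE = compile_rule("fw-not", match_text=r"^(?!.*firewall).*$")
ERRORS_ONLY = compile_rule("all-errors", event_types=["Error"])
```

Note that the patterns are case-sensitive as written, so a description containing "check" in lower case would not satisfy the AND rule.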
You can monitor event logs under a custom category too. Some applications log the events in a new category other than the default System/Applications/Security category. You can now configure rules in OpManager to parse the events in such custom categories and trigger corresponding alerts in OpManager. Here are the steps:
You can now associate the rules (default or custom event logs) to the required devices.