Monitoring Windows Event Logs

The Event Log is a Windows service that logs about program, security, and system events occurring in Windows devices. The events can be related to some application, system or security. You can monitor these events using OpManager and configure to generate alarms when critical events are logged. OpManager uses WMI to fetch the details of these logs and hence you need to provide the log on details of a user with administrative privilege to connect to the Windows machine.

You can view the list of all events monitored by OpManager, by clicking Event Log Rules under the Admin tab.

Monitoring Windows Events in a Device

To monitor Windows events, you need to associate the event log monitors with the device. To do so, follow the steps given below:

  1. Go to the device snapshot page.
  2. From the Actions menu, click Event Log Rules.
  3. Select the event logs to be monitored in the device.
  4. Change the Polling Interval if necessary. During each poll, the selected event logs are compared with the events logged in the device and for the matching events, alarms are generated.
  5. Click Save to save the changes.

Using the Quick Configuration Wizard

Alternatively, you can associate an event log rule with many devices at a time using Quick Configuration wizard.

  1. From the Admin tab, select Quick Configuration Wizard.
  2. Select the option Associate Event log rules to several devices and click Next.
  3. Select the log file from the displayed list.
  4. Select any one rule from the list of rules shown. Click Next.
  5. Select the devices on which you want to monitor the event logs from the column on the left and move them to the right.
  6. Click Finish. The event log monitor is associated to the selected devices.

Creating an Event Log Monitor

To create an event log monitor, follow the steps given below:

  1. Under the Admin tab, click Event Log Rules.

    In this page, you can see the rules supported by OpManager. They are categorized into Applications, Security, System, DNS Server, File Replication Service, and Directory Service. You can add the event logs that you want to monitor under any of these categories.

  2. Click New Rule under any one of the categories to add a rule in it.

    Entries to all the fields except Rule Name are optional. Event ID is a required field to identify the event but can be left empty in few exceptional cases, such as you want to monitor all events that are of the Event Types, say, error or information. Here the filter will be based on the Event Type.

    1. Type a unique Rule Name.

    2. Enter the Event ID to be monitored. This is the unique identifier for the event logs.

    3. Enter the event Source. This is the name of the software that logs the event.

    4. Enter the event Category. Each event source defines its own categories such as data write error, date read error and so on and will fall under one of these categories.

    5. Type the User name to filter the event log based on the user who has logged on when the event occurred.

    6. Choose the Event Types to filter the event logs based on its type. This will typically be one among Error, Warning, Information, Security audit success and Security audit failure.

    7. Enter the string to be compared with the log message. This will filter the events that contains this string in the log message.

    8. By default OpManager raises an alarm if the event occurs. However, you can configure the no. of consecutive times the event can occur within the specified no. of seconds, to raise an alarm.
    9. Choose a severity for the alarm generated in OpManager for this event.
  3. Click Add Rule to save the event log rule.

Monitoring Custom Event Logs

You can monitor event logs under a custom category too. Some applications log the events in a new category other than the default System/Applications/Security category. You can now configure rules in OpManager to parse the events in such custom categories and trigger corresponding alerts in OpManager. Here are the steps:

  1. Go to Admin > Event Log Rules > Add Custom Event log (you will find this option on the top right corner on this screen).
  2. Select a device from which you can query for the event categories and hit Query Device. The custom logs in the selected device are listed. As an alternative, you can add custom events category and define rules.
  3. After you add the custom event category, you will find the category listed under Admin > Event Log Rules. Go on to add new rules to parse the events falling under this category.

You can now associate the rules (default or custom event logs) to the required devices.

Copyright © 2012, ZOHO Corp. All Rights Reserved.
Network Monitoring Software from ManageEngine