Event Log Rules


By using this option, you can monitor the various Windows and Windows Azure events. The events received will be displayed in the Windows Monitor details page.

You can also generate alarms in Applications Manager based on the configured rule. For example, when an event of type Error occurs in the System Log, you can generate a critical alarm, which will in turn affect the health of the Windows or Azure Monitor.

Browse through the following topics to understand Event Log Configuration:

  • Adding a new Trace Log rule
  • Adding a new Diagnostic Infrastructure Log rule

Note:
Event Log Monitoring is available only in Windows installations and only in WMI mode of monitoring.

Event Logs Rules Configuration:

To receive Windows events, you have to configure Event Log Rules. You can be notified of events from the following Log Files:

  • Application (By default Event Log rule is configured for any Application Error)
  • System
  • Security (By default Event Log rule is configured for any Security Failure)
  • File Replication Service
  • DNS Server
  • Directory Service
  • Adding a new Event Log File
    • To add a new event log file other than those available by default, click the option "Add New Event Log" in the bottom right-hand corner of the web client.
  • Adding a new event log from the Admin Server (Enterprise Edition)
    • Event Logs created in the Admin Server in your Enterprise setup are automatically synced to all the respective Managed Servers.
  • Deleting an Event Log
    • Click on the Delete Event log button at the top right corner of the event log box to delete an event log that you have created.
  • Adding a new Event Log rule
    • Under the Admin tab, click on Log Rules.
    • Click on 'New Rule' for the required Log File type.
    • Enter the Rule Name of your choice.
    • Enter the Event ID associated with the Event Log File (not mandatory).
    • By selecting the Advanced Options checkbox, you can make the rule more specific by associating:
      • Source - Application which created the event.
      • Category - Task Category which contains more information about the event.
      • User Name - System component or User account that was running the process which caused the event.
      • Description contains word or matches Regex - The description content of the incoming event is checked for a particular word. To check the content against a regular expression instead, select the Regular Expressions checkbox. For example, select Log File as [System] and Event Type as [Error] to get all events of type Error from the System Log File.
      • The number of its occurrences in a poll.
      • Select the Log File Type (application, system, security, file replication service, DNS Server, directory service).
    • Choose the Event Type - Error, Warning, Information or Event of Any Type. In case of Security Events, the type is either Success Audit or Failure Audit.
    • Alarm severity can be set to 'Critical' or 'Warning' based on the following conditions:
      • Depending on the severity of the incoming event, when the event matches for a certain number of consecutive polls
      • The matching event is not generated in the given time window
    • Alarm severity can be set to 'Clear' based on the following conditions:
      • If no matching event is found for a certain number of consecutive polls
      • If a matching event is generated
    • At the outset, you can Enable or Disable the rule.
    • You can set the rule to be applicable to:
      • All Monitors - All the monitors.
      • Specific Monitor Types - For example, Windows XP, Windows 7, Windows 8 and so on.
      • Selected Monitors - You can select the monitors from a drop-down menu or search for the required monitor to which the new rule must be applicable.
    • The new rule will be displayed in the LogFile rule window.
    • You can also enable, disable and delete one or more rules by selecting the rule(s) and clicking the Enable, Disable or Delete button.

Note:
The event logs added by default cannot be deleted.
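
The rule options and alarm conditions described above can be modelled in a few lines to see how a rule would behave across polls before creating it. This is an added example, not Applications Manager code: it covers both the "event matches" and the "event not generated" conditions. The field names, the case-insensitive word match and the use of polls in place of the time window are assumptions, and the events are constructed samples.

```python
import re
from dataclasses import dataclass
from typing import Optional

@dataclass
class Rule:  # hypothetical field names mirroring the rule form's options
    log_file: str
    event_type: str = "Any"            # Error, Warning, Failure Audit, ...
    event_id: Optional[int] = None     # not mandatory in the form
    source: Optional[str] = None
    description: Optional[str] = None  # word, or a pattern when use_regex
    use_regex: bool = False
    min_occurrences: int = 1           # matches required within one poll
    raise_after_polls: int = 1         # consecutive polls that trip the rule
    clear_after_polls: int = 1         # consecutive polls that do not
    alert_on_absence: bool = False     # alarm when the event is NOT seen
    severity: str = "Critical"         # or "Warning"

    def _text_hit(self, text: str) -> bool:
        if self.use_regex:
            return re.search(self.description, text) is not None
        return self.description.lower() in text.lower()
    def matches(self, ev: dict) -> bool:
        return (ev["log"] == self.log_file
                and self.event_type in ("Any", ev["type"])
                and self.event_id in (None, ev["id"])
                and (not self.source or self.source.lower() == ev["source"].lower())
                and (not self.description or self._text_hit(ev["description"])))

def evaluate(rule: Rule, polls: list) -> list:  # alarm state after each poll
    state, trips, calm, out = "Clear", 0, 0, []
    for events in polls:
        seen = sum(rule.matches(e) for e in events) >= rule.min_occurrences
        tripped = seen != rule.alert_on_absence  # absence mode inverts the test
        trips, calm = (trips + 1, 0) if tripped else (0, calm + 1)
        if trips >= rule.raise_after_polls:
            state = rule.severity
        elif calm >= rule.clear_after_polls:
            state = "Clear"
        out.append(state)
    return out

def ev(eid, typ, desc, log="Security", src="Microsoft-Windows-Security-Auditing"):
    return {"log": log, "id": eid, "type": typ, "source": src, "description": desc}
# Constructed sample: one inner list per poll of the Security log.
FAIL = ev(4625, "Failure Audit", "An account failed to log on. Account Name: svc_backup")
POLLS = [[ev(4624, "Success Audit", "Logon succeeded.")], [FAIL] * 3, [FAIL] * 4, []]
RULE = Rule("Security", "Failure Audit", 4625, description=r"Account Name:\s+svc_\w+",
            use_regex=True, min_occurrences=3, raise_after_polls=2)
```

With these settings, `evaluate(RULE, POLLS)` stays Clear through the first burst of failures, raises Critical on the second consecutive matching poll, and clears on the next quiet poll.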

Windows Azure Logs Rules Configuration:

You can monitor Windows Azure Trace logs and Diagnostic Infrastructure logs using Applications Manager. You must first configure Trace Log or Diagnostic Infrastructure log rules. The logs received will be displayed in the details page of the Windows Azure Role Instances. You can also generate alarms in Applications Manager based on the configured rule.

For example, when an event of type Error occurs in the System Log, you can generate a critical alarm. This alarm will, in turn, affect the Health of the Windows Azure Role Instance.

Here is how you can configure a new rule for Windows Azure:

  • Trace Logs
    • Click on New Rule at the right hand corner of the Trace Logs box.
    • In the Add New Rule for Windows Azure Trace Logs page, enter the name of the rule that you wish to create.
    • Enter the event ID of the rule that you are creating.
    • Enter the string that the message contains.
    • Select the event type: Any Type, Error, Warning or Information.
    • You also have the option to set the severity of the alarm as critical or warning.
    • You can enable or disable the rule status.
    • Click on the Create Rule button.
    • The new rule will be displayed in the Trace Logs.
    • You can edit the rules by clicking on the Edit Rule icon.
    • You can also enable, disable and delete one or more rules by selecting the rule(s) and clicking the Enable, Disable or Delete button.
  • Diagnostic Infrastructure Logs
    • Click on New Rule at the right hand corner of the Diagnostic Infrastructure Logs box.
    • In the Add New Rule for Diagnostic Infrastructure Logs page, enter the name of the rule that you wish to create.
    • Enter the Error Code of the rule that you are creating.
    • Enter the string that the message contains.
    • Enter the string that the Error Message contains.
    • Select the event type: Any Type, Error, Warning or Information.
    • You also have the option to set the severity of the alarm as critical or warning.
    • You can enable or disable the rule status.
    • Click on the Create Rule button.
    • The new rule will be displayed in the Diagnostic Infrastructure Logs.
    • You can edit the rules by clicking on the Edit Rule icon.
    • You can also enable, disable and delete one or more rules by selecting the rule(s) and clicking the Enable, Disable or Delete button.