Event Log Rules


By enabling the Log Rules option along with Event Log monitoring in the Add/Edit Monitor page of the Windows Server Monitor, you can monitor the various Windows events. The event that matches the log rules during the data collection process will be displayed on the Windows Monitor Details page.

Also, you can generate alarms in Applications Manager based on the configured rule. For e.g., when an event of type Error occurs in System Log, you can generate a critical alarm which will in turn affect the health of the Windows monitor.

Note: Event Log Monitoring is available only in Windows installations and only in the WMI mode of monitoring.

Event Logs Rules Configuration

For receiving Windows events, you have to configure Event Log Rules. You can get notified by the events from the following log files:

  • Application (By default, Event Log rule is configured for any Application Error)
  • System
  • Security (By default Event Log rule is configured for any Security Failure)
  • File Replication Service
  • DNS Server
  • Directory Service

Adding a new Event Log File

To monitor event log file types which are not present by default in APM, follow the steps:

  • Navigate to Settings -> Log Rules -> "Add New Event Log" in the bottom right corner of the web client.
  • To find the Event Name, open Event Viewer and right-click the Event Name.
  • Select Properties and copy the value of the Full Name, Display Name or Log Name field in the General tab. Use this value to add or edit an Event Log name.


Adding a new event log from the Admin Server (Enterprise Edition)

Event Logs created in the Admin Server in your Enterprise setup are automatically synced to all the respective Managed Servers.

Deleting an Event Log

Click on the Delete Event log button at the top right corner of the event log box, to delete an event log that you have created.

Adding a new Event Log rule

  1. Under Settings tab, click on Log Rules
  2. Click on New Rule for the required Log File type.
  3. Enter the Rule Name of your choice
  4. Enter the Event ID associated with the Event Log File (not mandatory)
  5. By clicking the Advanced Options checkbox, you can formulate the rule more specifically by associating:
    • Source - Application which created the event.
    • Category - Task Category which contains more information about the event.
    • User Name - System component or User account that was running the process which caused the event.
    • Description contains word or matches Regex - Checks whether the description of the incoming event contains a particular word. Check the Regular Expressions checkbox to match the description against a regular expression instead.
    • The number of occurrences in a poll.
    • Select the Log File Type (Application, System, Security, File Replication Service, DNS Server, Directory Service).
  6. Choose the Event Type - Error, Warning, Information or Event of Any Type. In case of Security Events, the types would vary between Success Audit and Failure Audit. For e.g., select Log File as [System] and Event Type as [Error] to get all events of type Error from the System Log File.
  7. Alarm severity can be set to 'Critical' or 'Warning' based on the following conditions:
    • The matching event, of the chosen severity, is generated for a certain number of consecutive polls
    • The matching event is not generated in the given time window
  8. Alarm severity can be set to 'Clear' based on the following conditions:
    • If no matching event is found for a certain number of consecutive polls
    • If a matching event is generated
  9. At the outset, you can Enable or Disable the rule.
  10. You can set the rule to be applicable to:
    • All Monitors - All the monitors.
    • Specific Monitor Types - For e.g., Windows XP, Windows 7, Windows 8 and so on
    • Selected Monitors - You can select the monitors from a drop-down menu or search for the required monitor to which the new rule must be applicable.
  11. Finally, click the Create Rule button.
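The following is an added example, not code from Applications Manager, showing how the rule fields described in steps 5 to 8 combine: log file and event type filters, optional Source/Category/User Name matches, a word or regex check on the description, the per-poll occurrence threshold, and the consecutive-poll logic that raises a Critical or Warning alarm and later clears it. It also covers the inverse case from steps 7 and 8, where an expected event going missing raises the alarm and its return clears it. The events, the field names and the rule class are all constructed for illustration; the product's internal matching order and defaults are assumptions.

```python
import re
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Event:
    """One Windows event record; fields mirror the Event Viewer columns (constructed sample type)."""
    log_file: str      # Application, System, Security, ...
    event_type: str    # Error, Warning, Information, Success Audit, Failure Audit
    event_id: int
    source: str
    category: str
    user: str
    description: str


@dataclass
class Rule:
    """A log rule. Any field left as None is a wildcard, like an unticked Advanced Option (assumed)."""
    name: str
    log_file: str
    event_type: str = "Any"
    event_id: Optional[int] = None
    source: Optional[str] = None
    category: Optional[str] = None
    user: Optional[str] = None
    description: Optional[str] = None   # word to look for, or a pattern when use_regex is True
    use_regex: bool = False
    min_occurrences: int = 1            # "number of occurrences in a poll"
    polls_to_alarm: int = 1             # consecutive matching (or missing) polls before alarming
    polls_to_clear: int = 1             # consecutive quiet polls before the alarm clears
    severity: str = "Critical"          # Critical or Warning
    alarm_on_absence: bool = False      # True: alarm when the event stops appearing, clear when it returns


def event_matches(rule: Rule, ev: Event) -> bool:
    """Apply every configured rule field to one event; unset fields match anything."""
    if ev.log_file != rule.log_file:
        return False
    if rule.event_type != "Any" and ev.event_type != rule.event_type:
        return False
    for want, have in ((rule.event_id, ev.event_id), (rule.source, ev.source),
                       (rule.category, ev.category), (rule.user, ev.user)):
        if want is not None and want != have:
            return False
    if rule.description is not None:
        if rule.use_regex:
            return re.search(rule.description, ev.description, re.IGNORECASE) is not None
        return rule.description.lower() in ev.description.lower()
    return True


class RuleState:
    """Tracks one rule's alarm state from poll to poll."""

    def __init__(self, rule: Rule):
        self.rule = rule
        self.hit_run = 0    # consecutive polls in which the rule matched
        self.miss_run = 0   # consecutive polls in which it did not
        self.alarm = "Clear"

    def poll(self, events: List[Event]) -> str:
        r = self.rule
        hit = sum(event_matches(r, e) for e in events) >= r.min_occurrences
        if r.alarm_on_absence:
            if hit:                         # expected event is back: clear straight away
                self.miss_run = 0
                self.alarm = "Clear"
            else:
                self.miss_run += 1
                if self.miss_run >= r.polls_to_alarm:
                    self.alarm = r.severity
        elif hit:
            self.hit_run += 1
            self.miss_run = 0
            if self.hit_run >= r.polls_to_alarm:
                self.alarm = r.severity
        else:
            self.miss_run += 1
            self.hit_run = 0
            if self.miss_run >= r.polls_to_clear:
                self.alarm = "Clear"
        return self.alarm


def run_scenario() -> dict:
    """Drive four constructed polls through three rules; returns each rule's alarm history."""
    disk_err = Event("System", "Error", 7, "disk", "None", "SYSTEM", "The device has a bad block.")
    logon_fail = Event("Security", "Failure Audit", 4625, "Microsoft-Windows-Security-Auditing",
                       "Logon", "NT AUTHORITY\\SYSTEM", "An account failed to log on.")
    backup_ok = Event("Application", "Information", 100, "BackupAgent", "None", "svc_backup",
                      "Backup completed successfully.")
    polls = [
        [disk_err, logon_fail, logon_fail, backup_ok],
        [disk_err, logon_fail, logon_fail, logon_fail],
        [logon_fail],
        [],
    ]
    rules = [
        Rule("System errors", "System", "Error", polls_to_alarm=2, polls_to_clear=2),
        Rule("Logon failures", "Security", "Failure Audit", description=r"failed to log ?on",
             use_regex=True, min_occurrences=3, severity="Warning"),
        Rule("Backup heartbeat", "Application", "Information", source="BackupAgent",
             description="backup completed", polls_to_alarm=2, alarm_on_absence=True),
    ]
    return {r.name: [RuleState(r).poll(p) for p in []] or
            [s.poll(p) for s in [RuleState(r)] for p in polls] for r in rules}


if __name__ == "__main__":
    for name, history in run_scenario().items():
        print(f"{name}: {' -> '.join(history)}")
```

In the scenario, the System Error rule needs two consecutive matching polls before going Critical and two quiet polls to clear; the logon-failure rule fires only when at least three Failure Audit events with a matching description arrive in one poll; and the backup rule is inverted, raising Critical after the "Backup completed" event has been absent for two polls. That last pattern is the one to reach for when the security-relevant signal is an expected event that stops occurring, such as a backup or audit job that silently fails.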

The new rule will be displayed in the LogFile Rule window. You can also enable, disable and delete one or more rules by selecting the rule(s) and clicking the Enable, Disable or Delete button.

Note:
The event logs added by default cannot be deleted.