# Event Log Rules

By enabling the Log Rules option along with Event Log monitoring in the Add/Edit Monitor page of the Windows Server Monitor, you can monitor the various Windows events. Events that match the log rules during data collection are displayed on the Windows Monitor Details page. You can also generate alarms in Applications Manager based on the configured rule. For example, when an event of type Error occurs in the System Log, you can generate a critical alarm, which in turn affects the health of the Windows monitor.

**Note:** Event Log Monitoring is available in Windows installations and only in WMI mode of monitoring.

## Event Logs Rules Configuration

To receive Windows events, you have to configure Event Log Rules. You can be notified of events from the following log files:

- Application (By default, an Event Log rule is configured for any Application Error)
- System
- Security (By default, an Event Log rule is configured for any Security Failure)
- File Replication Service
- DNS Server
- Directory Service

To monitor Event Logs in "Applications and Services Log", follow the steps provided in the [troubleshooting KB](https://pitstop.manageengine.com/portal/en/kb/articles/monitoring-event-logs-under-application-and-services-log).

### Adding a new Event Log File

To monitor event log file types that are not present by default in APM, follow these steps:

- Navigate to **Settings -> Log Rules -> "Add New Event Log"** in the bottom right-hand corner of the web client.
- To find out the **Event Name**, go to **Event Viewer** and right-click on **Event Name**.
- Select **Properties** and copy the value in the **Full Name or Display Name or Log Name** field in the **General** tab. You can use this value to add or edit an Event log name.

### Adding a new event log from the Admin Server (Enterprise Edition)

Event Logs created in the Admin Server in your Enterprise setup are automatically synced to all the respective Managed Servers.

### Deleting an Event Log

Click on the Delete Event log button at the top right corner of the event log box to delete an event log that you have created.

### Adding a new Event Log rule

1. Under the **Settings** tab, click on **Log Rules**.
2. Click on **New Rule** for the required Log File type.
3. Enter the **Rule Name** of your choice.
4. Enter the **Event ID** associated with the Event Log File (not mandatory).
5. By clicking the **Advanced Options** checkbox, you can formulate the rule more specifically by associating:
   - **Source** - Application which created the event.
   - **Category** - Task Category which contains more information about the event.
   - **User Name** - System component or user account that was running the process which caused the event.
   - **Description contains word or matches Regex** - Checks whether the description of the incoming event contains a particular word. You can match the description against a regular expression by selecting the [Regular Expressions](https://www.manageengine.com/products/applications_manager/help/regular-expressions.html) checkbox. For example, select Log File as [System] and Event Type as [Error] to get all events of type Error from System Log File.
   - The **number of occurrences** in a poll.
   - Select the **Log File Type** (Application, System, Security, File Replication Service, DNS Server, Directory Service).
6. Choose the **Event Type** - **Error, Warning, Information**, or **Event of Any Type**. In case of Security Events, the types would vary between **Success Audit** and **Failure Audit**.
7. Alarm severity can be set to **Critical** or **Warning** based on the following conditions:
   - Depending on the severity of the incoming event and when the event matches a certain number of consecutive polls.
   - The matching event is not generated in the given time window.
8. Alarm severity can be set to **Clear** based on the following conditions:
   - If no matching event is found for a certain number of consecutive polls.
   - If a matching event is generated.
9. At the outset, you can **Enable** or **Disable** the rule.
10. You can set the rule to be applicable to:
    - **All Monitors** - All the monitors.
    - **Specific Monitor Types** - For example, Windows XP, Windows 7, Windows 8, and so on.
    - **Selected Monitors** - You can select the monitors from a drop-down menu or search for the required monitor to which the new rule must be applicable.
11. Finally, click the **Create Rule** button. The new rule will be displayed in the LogFile Rule window.

You can also enable, disable, and delete one or more rules by selecting the rule(s) and clicking the **Enable**, **Disable**, or **Delete** button.

**Note:** The event logs added by default cannot be deleted.
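
To sanity-check a rule's match criteria and poll thresholds before creating it, the following added example (not Applications Manager code) models the rule fields from the steps above in Python and replays constructed events through it poll by poll. The `Rule`, `evaluate` and `crash` names, the event dictionary layout and the raise/clear counters are assumptions made for illustration; only the consecutive-poll conditions from steps 7 and 8 are modelled.

```python
import re
from dataclasses import dataclass
from typing import Optional

@dataclass
class Rule:  # hypothetical model of the rule fields in the steps above
    log_file: str
    event_type: str                  # "Error", "Warning", ... or "Any"
    event_id: Optional[int] = None   # optional, as in step 4
    source: Optional[str] = None
    description: Optional[str] = None
    is_regex: bool = False
    min_occurrences: int = 1         # occurrences required within one poll
    raise_after: int = 1             # consecutive matching polls before alarm
    clear_after: int = 1             # consecutive quiet polls before Clear
    severity: str = "Critical"       # "Critical" or "Warning"

    def matches(self, ev: dict) -> bool:
        fields_ok = [ev["log"] == self.log_file,
                     self.event_type in ("Any", ev["type"]),
                     self.event_id in (None, ev["id"]),
                     self.source in (None, ev["source"])]
        if not all(fields_ok) or not self.description:
            return all(fields_ok)
        if self.is_regex:
            return re.search(self.description, ev["desc"]) is not None
        return self.description.lower() in ev["desc"].lower()  # case-insensitive: assumed

def evaluate(rule: Rule, polls: list) -> list:  # polls: one event list per poll
    state, hit, miss, states = "Clear", 0, 0, []
    for events in polls:
        matched = sum(map(rule.matches, events)) >= rule.min_occurrences
        hit, miss = (hit + 1, 0) if matched else (0, miss + 1)
        if hit >= rule.raise_after:
            state = rule.severity
        elif miss >= rule.clear_after:
            state = "Clear"
        states.append(state)  # alarm state as it stands after this poll
    return states

def crash(service: str) -> dict:  # constructed sample event, not from a real host
    return {"log": "System", "type": "Error", "id": 7031,
            "source": "Service Control Manager",
            "desc": f"The {service} service terminated unexpectedly."}

POLLS = [[crash("Print Spooler")], [crash("Print Spooler"), crash("DNS Client")],
         [crash("Print Spooler")] * 2, [], []]
RULE = Rule("System", "Error", 7031, description=r"The .+ service terminated",
            is_regex=True, min_occurrences=2, raise_after=2, clear_after=2)
```

Calling `evaluate(RULE, POLLS)` shows the alarm staying clear until two consecutive polls each contain at least two matching events, then clearing again after two quiet polls.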