The Event Log Monitor can be used to locate information within Error, Warning, Information, Success Audit and Failure Audit events that are recorded in the Windows event logs.
For any Server or Workstation version of Windows:
- Application log
- Security log
- System log
Additional logs for computers running as a Domain Controller:
- Directory service log
- File Replication service log
Additional logs for computers running as a Domain Name System Server:
- DNS server log
The Event Log Monitor uses header information to locate specific events, however, the Description is often the most useful piece of information, as it indicates what occured or the significance of the event.
As the format and contents of the event description vary depending on the event type, the Event Log Monitor requires a Regular Expression to filter specific details from the description field. This can be a simple RegEx that captures the entire contents of the description field, or a more sophisticated RegEx to filter only specific parameters.
The Test Parameters dialog box is used to identify the location of the Event log, input Event parameters, and enter one or more Regular Expressions to filter specific details from the description field.
Use the Windows Event Viewer application to locate Event parameters. Highlight an Event and select Properties to view Type, ID, Source, User, etc.
Server Name / Primary IP Address
To select a Server Name:
- Click the Browse... button to pop up the Server Listing dialog
- Select the computer you want to monitor and click the Continue... button to populate the Server Name field
Optionally, you may also directly type in the primary IP address or NetBIOS Name of the computer that hosts the Event Log you want to monitor.
If you enter an IP address, note that the Event Log Monitor requires it to be the Primary IP address (the IP address of the computer's primary internal network adapter).
Credential for Monitoring
Assigning a Credential for Monitoring is an optional setting. If you wish to take advantage of ipMonitor's security model, you may assign a Credential to have the Event Log Monitor impersonate an account with the administrative privileges required to access the Event Log on the remote Windows machine. When the Monitor connects to the Event Log, it will use the Credential's account and password information to authenticate to the target machine.
If a Credential is not assigned, ipMonitor will use the current account privileges of the ipMonitor Service on the local machine.
To select a Credential:
- Click the Select button to pop up the Credentials for Monitoring dialog
- Select an existing Credential from the Windows category
- To create a new Credential, click the New Credential button to start the Wizard
Note: The Credential you assign must have Administrator level permissions to access and read security logs.
Note: For detailed information regarding configuration options for a Credential to be used with the Event Log Monitor, refer to Credentials for Monitoring :: EVENT LOG.
Note: For more information about Credentials, refer to the section titled About Credentials.
Enable Windows NT 4 Compatibility Mode
Enable this option if the remote machine is running Microsoft Windows NT 4.0. This action will allow ipMonitor to emulate the specific operating environment necessary for communicating with the remote server.
Event Area
ipMonitor supports six separate Event Log types:
- System: contains events logged by Windows system components.
- Application: contains events logged by applications or programs.
- Security: records events such as valid and invalid logon attempts and resource usage events such as creating, opening or deleting files or other objects.
Additional logs for computers running as a Domain Controller:
- File Replication Service: contains events logged by the Windows File Replication service.
- Directory Service: contains events logged by the Windows directory service.
Additional logs for computers running as a Domain Name System Service:
- DNS Server: contains events logged by the Windows DNS service.
Event Type
The type of Event being monitored. This may be found by viewing the specific Event Properties. Available Event Types differ based on the Event Area selected above.
- Error: an error has occurred. For example, a Service has failed.
- Warning: may indicate a possible problem or future problem.
- Information: describes successful operation of an application, driver, or service.
- Security Audit Success: audited security access attempt that succeeded.
- Security Audit Failure: audited security access attempt that failed.
Event ID
The Event ID is a number that identifies the particular Event Type.
Event Source
The name of the application that logged the Event.
Logged by User
The username of the user account that generated the Event, if one exists.
Content Matching Event Text with Regular Expressions
A number of different filter Scenarios using Regular Expressions can be added to locate specific information within the Event Description. Regular Expressions can be simple or complex, depending on your needs.
For example, to send the entire content of an Event, simply enter: (.*) This could be ideal for an email Alert sent to your Blackberry or cell phone.
Note: Use the RegEx Wizard located in the Tools menu to help create simple Regular Expressions.
Content Generator
Once the Regular Expressions have successfully filtered Event description strings, a Content Generator is used to format the results for Alerts.
Returning to the example above, (.*), which captures the entire contents of an Event Description, a Content Generator with a value of %capture[1]% will pass the captured contents to any Alerts triggered by the Event Log Monitor.
Refer to Content Generator for more information.
Preview
The Preview button is used to test your configuration. When clicked, ipMonitor connects to the Event Log file specified and searches log file entries that already exist using the Test Parameters provided.
The Notification Control section determines how many test failures must occur before an Alert is sent, as well as the maximum number of Alerts that will be sent.
For the Event Log Monitor, the Accumulated Failures per Alert and Maximum Alerts to Send fields function identically to all other Monitor types. Refer to General Monitor Settings for more information.
Information Alerts to Send
Three different options are provided to help manage the Information Alerts that are generated by ipMonitor:
- Combine up to 15 Found Scenarios into one Alert: 15 individual Information Alerts will be folded or merged into a single Alert. This is ideal for Events such as Information types that are apt to generate many of the same Events.
- Disabled - Send up to 5 Information Alerts (Individually): Refers to the "fold" feature. This option will send up to a maximum of five Information Alerts, one for each matching entry that is located. This is ideal for Events such as Application Errors.
- Disabled - Send first Found Scenario: Sends a single Information Alert for each Monitor test, regardless of how many matching entries are located. Only the first matching entry will trigger an Information Alert. This is ideal for Events such as Security, when you want to be informed immediately or take immediate action.
In this example, an Event Log Monitor is configured to search for Security Events when a machine is added to the network domain.
Event Properties
In order for the Event Log Monitor to monitor the Security Event log, you will need to create a Credential that has Administrator level access required to read the Security Event log.
----8<--------------
| Event Type: | Success Audit |
| Event Source: | Security |
| Event Category: | Account Management |
| Event ID: | 645 |
| Date: | 2/9/2004 |
| Time: | 10:27:41 AM |
| User: | XYZCOMPANY\Administrator |
| Computer: | MISWKSTN |
| Description: | Computer Account Created: New Account Name: SALESWKSTN$ New Domain: XYZCOMPANY New Account ID: XYZCOMPANY\SALESWKSTN$ Caller User Name: Administrator Caller Domain: XYZCOMPANY Caller Logon ID: (0x0, 0x1068DC8) Privileges - |
----8<--------------
Test Parameters
The following settings are configured to identify this Security Event.
| Event Area: | Security |
| Event Type: | Security Audit Success: |
| Event ID: | 45 |
| Event Source: | Security |
Scenario #1 RegEx Pattern
This Regular Expression is for demonstration purposes and is not optimized for speed or efficiency:
Account\sName\:\s*(.*?)[\r\n\s\t]*New\sDomain\:\s(.*?)[\r\n\s\t]
*New.*User\sName\:\s*(.*?)[\r\n\s\t]*Caller\sDomain\:\s*(.*?)\r\n
Click the Preview button to locate any matches that are currently in the Event Log.
Create a Content Generator
Once the Test Parameters are proven correct, it is necessary to create a Content Generator that will insert these results into an email message body (or other Alert type) when an Alert is triggered.
Content Generators:
- Format output for ipMonitor's Information Alerts
- Are configured by selecting the Alerts menu option
- Are selected in the Notification Control section of a Monitor's settings
- Are enabled in the Alerts by selecting the Send Information Notifications checkbox
| Name: | Security Event Capture |
| Value: | Computer Account Created: New Account Name: %capture[1]% New Domain: %capture[2]% Caller User Name: %capture[3]% Caller Domain: %capture[4]% Event Timestamp: %capture[timewritten]% |
Information Alert Sent by Email
Shown here is a sample of the formatted result sent using the Email Alert when ipMonitor locates a match in the remote Security Event log.
When the Monitor is in an Up state, test results are reported as shown in the example below:
rtt - Round-Trip Time. This value indicates the time it took the test packet to reach the monitored resource and return a response to ipMonitor. Round-trip time is measured in milliseconds (ms).
When the Monitor is in a Warn, Down, or Lost state, the Last Result field indicates the problem encountered. Different Monitor types generate specific Error Codes in accordance with the technical capabilities of the Monitor. Refer to the Error Codes section of this document for details.
Note 1:
When creating a new Event Log Monitor, note that the Monitor starts searching forward from the time of creation; it does not search historical content already in the Event log file.
When configuring Monitors, suspending and then unsuspending a Monitor is often used to force an immediate test. This will not work with the Event Log Monitor as its pointer will be reset to its current time or, essentially, the end of the log file. A real Event will need to occur for the Monitor to send an Information Alert.
The Preview test, however, does search the Event Log's existing content, making it ideal for configuration and troubleshooting purposes.
Note 2:
We recommend using the default timing intervals of 300 seconds between scans. This is because the Event Log Monitor queries the Event Log via the WMI Service, and this Service may consume a considerable amount of resources on the target machine. 300 seconds between scans allows for a balance between the length of time it takes to query the Event Log and the load placed on the target machine's CPU.
IMPORTANT! Setting the timing intervals to a value lower than 180 seconds can cause problems related to security and authentication, particularly in scenarios where multiple Event Log Monitors target a single machine using a Credential impersonating a Domain Account.
Note 3:
For information on settings common to all Monitor types, such as Identification, Timing, Notification Control and Recovery Parameters, refer to General Monitor Settings.
The following error codes are generated by the Event Log Monitor. Error codes are displayed in Real-time and Historical Reports. They can also be added to Alerts using Tokens.
| Message | Details |
|---|---|
| Configuration information for this item is missing some required fields | A required element(s) for Monitor connectivity or testing was not supplied to ipMonitor. |
| The remote device timed out before sending a response | The resource being monitored did not respond within the maximum allowable time. |
| Could not obtain an IP address for the remote device | The supplied address was not a valid IP address OR the Server Domain Name could not be translated into an IP address. The Server Domain Name may refer to a local machine name, or a fully qualified domain name. |
| Access rights are insufficient | ipMonitor was unable to process the request because of insufficient permissions. |
| Unable to connect to the remote device | The specified address to the connection-based Service is unavailable. |
| The remote device rejected the request due to an internal error | Upon connecting to the server, an initial message indicating the server is unavailable was received. |
| The required state information is not available | Temporary information used to let the Monitor know where to resume cannot be read. |
For information on other features and concepts related to those discussed in this article, refer to the following ipMonitor resources:
< Back
Last Updated: March 30, 2007 | What did you think of this topic?