Xymon Mailing List Archive

Windows XymonPSClient v2.41

Timothy Williams
Tue, 19 Mar 2019 09:33:02 -0400
Message-Id: <user-50beb0fe8aa7@xymon.invalid>

OK, figured it out. Needed to enclose whole log name in quotes. I guess
Xymon saw the space as end of log name and the Defender/Operational as a
pattern match within the (truncated) logname. Logical once I slept on it
and looked at it. We can now alert on the crucial Informational alerts such
as Engine Update failed, etc.

Tim Williams
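To show why the unquoted rule from the analysis file earlier in this thread could never fire, here is an added Python model of how a whitespace-split LOG line is read with and without quotes around the log name, run against the two Defender entries from the MSGS page. This is illustrative code written for this page, not Xymon's own parser; it assumes the pattern and IGNORE fields are applied as regular expressions (which also means `[2000]` as written is a character class, so `\[2000\]` is the literal event id).

```python
import re

# Constructed sample input: the two Defender entries shown on the MSGS page,
# flattened to one line each and keyed by the Xymon log name.
SAMPLE_LOGS = {
    "eventlog_Microsoft-Windows-Windows Defender/Operational": [
        "Information - 03/18/2019 15:31:19 - [1150] - Microsoft-Windows-Windows Defender"
        " - Endpoint Protection client is up and running in a healthy state.",
        "Information - 03/18/2019 10:41:31 - [2000] - Microsoft-Windows-Windows Defender"
        " - Windows Defender signature version has been updated.",
    ],
}

def tokenize(line):
    """Split on whitespace, keeping a double-quoted token whole (backslashes untouched)."""
    tokens, cur, quoted = [], [], False
    for ch in line + " ":          # trailing space flushes the last token
        if ch == '"':
            quoted = not quoted
        elif ch.isspace() and not quoted:
            if cur:
                tokens.append("".join(cur))
                cur = []
        else:
            cur.append(ch)
    return tokens

def parse_log_rule(line):
    """Parse 'LOG <logname> <pattern> [COLOR=..] [IGNORE=..]'. Tokens that are
    not options land in 'unparsed' instead of raising, so a mis-split rule loads."""
    tokens = tokenize(line)
    if len(tokens) < 3 or tokens[0] != "LOG":
        raise ValueError("not a LOG rule: %r" % line)
    rule = {"logname": tokens[1], "pattern": tokens[2],
            "color": "red", "ignore": None, "unparsed": []}
    for opt in tokens[3:]:
        key, sep, value = opt.partition("=")
        if sep and key in ("COLOR", "IGNORE"):
            rule[key.lower()] = value
        else:
            rule["unparsed"].append(opt)
    return rule

def evaluate(rule, logs):
    """Return (color, matching lines). Pattern and IGNORE are applied as regexes
    (an assumption, see lead-in); an unknown log name can only ever be green."""
    lines = logs.get(rule["logname"], [])
    hits = [l for l in lines if re.search(rule["pattern"], l)
            and not (rule["ignore"] and re.search(rule["ignore"], l))]
    return (rule["color"] if hits else "green"), hits
```

With the unquoted line, the rule silently binds to the non-existent log `eventlog_Microsoft-Windows-Windows` with `Defender/Operational` as its pattern, so the status stays green no matter what the Defender log contains.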


On Mon, Mar 18, 2019 at 3:50 PM Timothy Williams <user-1a5482fb085e@xymon.invalid>
wrote:
Zak and all, I've been testing the events in the Windows Defender log
using the new version 2.41. I can pick up the logs and see events on Xymon
server MSGS, but can't get analysis to send any alerts. Luckily I don't
have any true red or yellow events, but we do want some information events
reported on. We have tried these in the Analysis file, also with/without
the brackets and with %^[2000] and %^2000 and %2000 and %[2000]. Can you
see what is wrong? Is it the space in log name, or the slash? The order of
HOST before CLASS? Some other syntax error? The log name as shown is
clickable on Msgs page, so Xymon is handling it.

HOST=WINDOWS2016
        LOG     eventlog_Microsoft-Windows-Windows Defender/Operational Error|Warning
        LOG     eventlog_Microsoft-Windows-Windows Defender/Operational [2000] COLOR=yellow

CLASS=powershell
        UP      30m
        LOAD    90 95
        DISK    * 85 95
        MEMACT  98 101
        MEMPHYS 90 95
        MEMSWAP 85 95
        FILE    C:\Utils\XymonClient_Config.xml
        LOG     eventlog_application Error|Warning IGNORE=[1008],[2004],[1018],[1022],[11],[1524],[1030],[2003],[4099],[8005],[12289],SAVOnAccessFilter
        LOG     eventlog_system Error IGNORE=[36871],[36874],[1002],[513],[4879],[36887],[1030],[36888],[6037],[1],DCOM,Print,TermServDevices,SAVOnAccessFilter
        LOG     eventlog_system Warning COLOR=yellow

Here are some examples from MSGS page:

green No notable entries in *eventlog_Microsoft-Windows-Windows Defender/Operational*
green No notable entries in *EventlogSummary*


Full log: *eventlog_Microsoft-Windows-Windows Defender/Operational*
Information - 03/18/2019 15:31:19 - [1150] - Microsoft-Windows-Windows Defender - Endpoint Protection client is up and running in a healthy state.
  Platform version: 4.18.1902.2
  Engine version: 1.1.15700.9
  Signature version: 1.289.1473.0

Information - 03/18/2019 10:41:31 - [2000] - Microsoft-Windows-Windows Defender - Windows Defender signature version has been updated.
  Current Signature Version: 1.289.1473.0
  Previous Signature Version: 1.289.1448.0

Thanks, Tim Williams


On Thu, Mar 7, 2019 at 6:37 AM Beck, Zak <user-aada0fa38bf8@xymon.invalid> wrote:
Hi


I have committed v2.41 today – bit of a version number jump because we’ve
been testing a number of small fixes internally before releasing.

Download from SVN:
<https://sourceforge.net/p/xymon/code/HEAD/tree/sandbox/WinPSClient/>
(the documentation has been updated also, including uninstall instructions).


Key changes:


   - replaced classic event log discovery (Get-EventLog) with
   Get-WinEvent - this opens up new event logs like Windows Defender etc
   - removed [EventLogSummary] section - [msgs:EventLogSummary] works
   - incorporated function XymonEventLogs into core event log processing
   (function XymonMsgs) - this allows the summary to only contain the logs in
   eventlogswanted


This is the main change, which should not impact but does open up new
options. Newer versions of Windows have a new event log format only
accessible via Get-WinEvent and there was one place in the code still using
the classic commands. This change means you can now specify these new event
logs in eventlogswanted, like this:


eventlogswanted:application,system,Microsoft-Windows-Windows Defender/Operational:2500000:information,critical,error


One side effect of this is that the event log summary now only contains
the logs specified in eventlogswanted because there are hundreds of
non-classic event logs available on typical installations.


   - add different status colour options for XymonSendLog (contributed
   by Andy Smith <user-982f5f6d4d28@xymon.invalid>)


This is the second key change – the idea is to capture the logs when the
client is updated (which occurs on a slowscan). The additions to the
xymonlogsend directive allow you to change colour on a slow scan and a
client restart, which causes a history change in Xymon – this means you can
then view the logs from those changes in the Xymon front end using the
history options.


Example: xymonlogsend:clear:yellow – send a clear status on a slow scan
and a yellow status on a restart – all other logs will be sent with green
status.


   - XymonLog - fix exception when no files match the given filespec
   - add enablediskpart client-local directive so diskpart can be
   controlled from server


Cheers


Zak

