Xymon Mailing List Archive

windows event log

5 messages in this thread

list Russell Blumenthal · Thu, 4 Jun 2015 18:09:30 +0000 ·
Hey folks,

Having a major brain fart right now. How would I get Xymon to go red when a specific event ID on a Windows server is detected in the event log? I am using the PowerShell client, so the VM is in central mode. I have played around in analysis.cfg and client-local.cfg but haven't been able to get it down to a specific ID.

Thanks


This e-mail message, including any attachments, is for the sole use of the intended recipient(s) and may contain confidential and privileged information. Any unauthorized review, use, disclosure or distribution is prohibited. If you are not the intended recipient, please contact the sender by e-mail and destroy all copies of the original.
list Brandon Dale · Thu, 4 Jun 2015 23:42:28 +0000 ·
I haven't tested this, but in your analysis.cfg it should be something like this:

HOST=servername
LOG %.* %\[1\]\s-\sTest\sEvent COLOR=red

This should go red for anything that contains "[1] - Test Event" (where "[1]" is the eventid and "Test Event" is the source name) in any event log. In your client-local.cfg you need to make sure you are also collecting the eventlogs where you expect to see this event.

Regards,


Brandon
list Russell Blumenthal · Fri, 5 Jun 2015 13:36:03 +0000 ·
Perfect, thank you! That worked. I've been testing with creating my own event log entries to trigger the msgs to go red.

Offhand, do you know how long until it goes green again, is it an hour or so?
list Russell Blumenthal · Fri, 5 Jun 2015 14:37:33 +0000 ·
I saw that it went green after an hour.

I tried doing this on a domain controller with the PowerShell client; how do I see the directory service event logs, and those other ones?

Thanks
list Zak Beck · Fri, 5 Jun 2015 14:52:13 +0000 ·
Hi

You need to add the required logs to "eventlogswanted" in the
client-local.cfg on the server (against the appropriate group or host).

For example:

eventlogswanted:application,system,Directory Services:102400:information,warning,error

(I haven't tested the above). Alternatively, you can use * in place of the
list of logs for all logs.

Also, you may be interested in the adreplicationcheck directive.

Zak