Windows event log monitoring watches the event logs recorded on every Windows device in your network (the same logs you see in Event Viewer). Alerts are generated when an event meets the conditions specified in the monitor.
Windows event log monitoring involves the following functions:
- Defining the preprocessing policy in the cloud.
- Receiving, preprocessing, and normalizing the logs in the agent.
Configure Windows event log monitoring using one of the following methods:
- Creating a template
- Assigning the template from devices
Configure an event log monitor when creating a template
Select a client from the All Clients list.
Go to Setup > Monitoring > Templates.
Click + Add.
Enter the following information:
- Select Template Scope (required): the template scope.
  - Partner Template
  - Client-specific Template
- Client (required): if Client-specific Template is selected, choose the client from the drop-down list.
- Collector Type (required): for Windows event logs, select Agent.
- Applicable For (required): select G1 Monitors or G2 Monitors.
- Template Name (required): the template name.
- Description (required): the template description.
- Generation: the generation the template belongs to. Prepopulated from the Applicable For selection.
- Version: the template version. Fixed value: 1.
- Tags: user-defined tags for easy reference.
- Prerequisites: user-defined prerequisites describing what to consider when using this template.
- Status: the template status.
  - Active (default)
  - EOL: end-of-life
  - Inactive
- Notes: template notes.
- Template Family Name: user-defined template family name.
- Deployment Type: the deployment type.
  - Custom
  - Optional
  - Standard (default)
Expand the Event Log Monitor section by clicking + Add.
Enter the following properties:
- Frequency: log monitoring frequency. Recommended: 15 minutes.
- Alert: select to initiate monitoring.
- Priority: priority level.
  - P0
  - P1
  - P2
  - P3
- Log Type: for each category you want to associate with the event logs, select the severity level(s).
  - All: select all severity levels.
  - Error
  - Critical
  - Information
  - Success
  - Warning
- Articles: knowledge base articles to attach to the template. Choose Select or Modify and pick from the list of articles.
- Source: source names whose events are monitored. You can enter multiple comma-separated sources.
- Event Ids: required event IDs. You can enter multiple comma-separated event IDs.
- Message String: event description or regex to match against monitored events. You can enter multiple message strings separated by $$. The field accepts both plain and regex strings. The following characters must be preceded by the \ escape character: [ ] { } ( ) $ + * / \
- Alert Component: enter the component name. If the event log source names and event IDs are the same but the message search string differs, the agent creates a separate event log alert for each component name. This field is optional, and alert component support is only available when the Included filter is selected.
- Included/Excluded: from the drop-down, select:
  - Included: monitor only the specified source names, event IDs, or both, within the selected categories.
  - Excluded: skip the specified source names, event IDs, or both, within the selected categories.
Click Save to apply the configuration parameters.
After configuring an event log monitor, the agent begins collecting data according to the specified event log parameters and sends them to the cloud.
Configure an event log monitor when assigning a resource template
When event fields match the configured selection criteria, those events are sent as a critical alert.
Select a client from the All Clients list.
Go to Infrastructure > Resources and select the resource you want from the list of resources. You can use the search option to find a resource.
Click the resource name to view resource details.
Go to Monitors > Monitors > + Assign Monitors.
On the Add Monitor page, select Agent as the Collector Type and Event Log Monitor as the Category, then enter the following details:
- Frequency: log monitoring frequency. Recommended: 15 minutes.
- Alert: select to initiate monitoring.
- Priority: priority level.
  - P0
  - P1
  - P2
  - P3
- Log Type: for each category you want to associate with the event logs, select the severity level(s).
  - All: select all severity levels.
  - Error
  - Critical
  - Information
  - Success
  - Warning
- Articles: knowledge base articles to attach to the template. Choose Select or Modify and pick from the list of articles.
- Source: source names whose events are monitored. You can enter multiple comma-separated sources.
- Event Ids: required event IDs. You can enter multiple comma-separated event IDs.
- Message String: event description or regex to match against monitored events. You can enter multiple message strings separated by $$. The field accepts both plain and regex strings. The following characters must be preceded by the \ escape character: [ ] { } ( ) $ + * / \
- Alert Component: enter the component name. If the event log source names and event IDs are the same but the message search string differs, the agent creates a separate event log alert for each component name. This field is optional, and alert component support is only available when the Included filter is selected.
- Included/Excluded: from the drop-down, select:
  - Included: monitor only the specified source names, event IDs, or both, within the selected categories.
  - Excluded: skip the specified source names, event IDs, or both, within the selected categories.
Click Save to apply the configuration parameters.
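The Source, Event Ids, Message String, Alert Component and Included/Excluded fields listed in both procedures above combine into one filter, and the $$ separator and escape rule for the Message String are easy to get wrong. The following Python model is an added example, not the product's agent code: it applies those fields to a few constructed Windows-style event records to show which events would raise an alert, how alerts are split by component name, and why an unescaped `[` in a Message String matches far more than intended. The field semantics (empty Source or Event Ids places no constraint; Excluded inverts the source/ID match; at least one $$-separated regex must match the message) are this example's assumptions, and the component name `failed-logon` is hypothetical.

```python
import re
from dataclasses import dataclass

# Constructed sample records shaped like Windows event log entries; they are
# illustrative data, not logs captured from a real host.
SAMPLE_EVENTS = [
    {"source": "Microsoft-Windows-Security-Auditing", "event_id": 4625, "level": "Information",
     "message": "An account failed to log on. Account Name: svc_backup [workstation: WS01]"},
    {"source": "Microsoft-Windows-Security-Auditing", "event_id": 4625, "level": "Information",
     "message": "An account failed to log on. Account Name: jdoe [workstation: WS02]"},
    {"source": "Service Control Manager", "event_id": 7036, "level": "Information",
     "message": "The Windows Update service entered the stopped state."},
    {"source": "Application Error", "event_id": 1000, "level": "Error",
     "message": "Faulting application name: outlook.exe"},
]


@dataclass
class EventLogMonitor:
    """Mirror of the monitor fields described above (assumed semantics)."""
    log_types: set              # severity levels ticked under Log Type; {"All"} selects every level
    sources: str = ""           # Source field: comma-separated source names
    event_ids: str = ""         # Event Ids field: comma-separated IDs
    message_string: str = ""    # Message String field: regexes separated by $$
    alert_component: str = ""   # Alert Component field (optional)
    mode: str = "Included"      # Included/Excluded drop-down


def split_csv(value):
    return [v.strip() for v in value.split(",") if v.strip()]


def split_message_strings(value):
    # The field holds several regexes joined with "$$"; each is compiled as-is,
    # so literal [ ] { } ( ) $ + * / \ in the text must already be backslash-escaped.
    return [re.compile(p) for p in value.split("$$") if p.strip()]


def qualifies(monitor, event):
    """True when the event passes Log Type, Included/Excluded and Message String checks."""
    if "All" not in monitor.log_types and event["level"] not in monitor.log_types:
        return False
    sources = split_csv(monitor.sources)
    ids = {int(i) for i in split_csv(monitor.event_ids)}
    if sources or ids:
        # An empty Source or Event Ids field places no constraint (assumption).
        hit = (not sources or event["source"] in sources) and (not ids or event["event_id"] in ids)
        if monitor.mode == "Included" and not hit:
            return False
        if monitor.mode == "Excluded" and hit:
            return False
    patterns = split_message_strings(monitor.message_string)
    return not patterns or any(p.search(event["message"]) for p in patterns)


def evaluate(monitor, events):
    """Group qualifying events into alerts keyed by (source, event ID, alert component)."""
    alerts = {}
    for ev in events:
        if qualifies(monitor, ev):
            key = (ev["source"], ev["event_id"], monitor.alert_component)
            alerts.setdefault(key, []).append(ev["message"])
    return alerts


def count_message_hits(message_string, events):
    """Number of events a Message String value matches; used to check escaping."""
    patterns = split_message_strings(message_string)
    return sum(1 for ev in events if any(p.search(ev["message"]) for p in patterns))


if __name__ == "__main__":
    # Unescaped brackets form a character class and match almost everything;
    # the escaped form matches only the intended workstation string.
    print("unescaped hits:", count_message_hits("[workstation: WS02]", SAMPLE_EVENTS))
    print("escaped hits:  ", count_message_hits(r"\[workstation: WS02\]", SAMPLE_EVENTS))
    failed_logon = EventLogMonitor(
        log_types={"All"},
        sources="Microsoft-Windows-Security-Auditing",
        event_ids="4625",
        message_string=r"Account Name: svc_\w+$$\[workstation: WS02\]",
        alert_component="failed-logon",  # hypothetical component name
    )
    for key, messages in evaluate(failed_logon, SAMPLE_EVENTS).items():
        print(key, len(messages), "event(s)")
    not_scm = EventLogMonitor(log_types={"Error", "Information"},
                              sources="Service Control Manager", mode="Excluded")
    print("excluded-mode alerts:", list(evaluate(not_scm, SAMPLE_EVENTS)))
```

Running the script shows the unescaped `[workstation: WS02]` matching all four sample events while the escaped form matches one, the Included monitor producing a single `failed-logon` alert carrying both 4625 events, and the Excluded monitor dropping only the Service Control Manager event. Before saving a Message String in the product, testing it this way against a handful of real exported messages catches escaping mistakes that would otherwise surface as alert floods or silent misses.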