I want to monitor, within an Event Log Test, the System log and want to filter a bad reply (so no trigger is generated) only whenever a specific Event ID number is generated in the eventlog in combination with a specific description.
So if this Event ID number is generated with a totally different description, the result must be bad and therefore a trigger must be generated (email).
If I enter this EventID (any except the following) in the alert conditions with the description contains (nothing from the list), all EventID's with this number will be filtered out. That's not what I want.
Does anyone know how to do this?
Filtering on Event ID in combination with Description
Re: Filtering on Event ID in combination with Description
robspee wrote: If I enter this EventID (any except the following) in the alert conditions with the description contains (nothing from the list), all EventID's with this number will be filtered out.
Probably, you should use "Any from the following" option for the EventId?
Quote from the manual:
===
Any from the following - event can be considered as "Bad" when ID is specified in the list
===
http://www.ks-soft.net/hostmon.eng/mfra ... m#chkNTLog
Regards,
Max
robspee wrote: When I simulate an EventID Number (with LogEvent.exe) in the Application Log that is NOT listed in "Alert Condition", the "bad"-status did not occur.
So, if EventId is NOT listed in "Alert condition", it means such Event Id does not match the filter and HostMonitor ignores it. Everything Ok, I think. The status comes to "bad" only if a new event matches the filter you have specified in "Alert Condition" area.
Could you provide more information regarding events you want to monitor? Maybe, I do not understand something?
robspee wrote: Maybe you must add another "check NT Event Log"-test to overcome this situation?
Not sure I understand your point. Do you mean there are several events in event log, and HostMonitor recognizes only the last one? In such case you should use "Report about all "Bad" events" option.
Quote from the manual:
==================
Report about last "Bad" event
With this option enabled HostMonitor will scan (starting from the end of the log) all new events (events those appeared after previous probe) till first (ok, 'last' because it scans from the end) "Bad" event. If new "Bad" event is detected, HostMonitor marks test as "Bad" and performs specified alert actions if necessary.
For example: if HostMonitor performs test every 10 minutes and 3 "Bad" events occurred within this time interval, HostMonitor will report only about last one. This option is useful when you check for some specific event and don't need many messages about the same recurring error.
Report about all "Bad" events
In opposite to previous mode, with this option enabled HostMonitor will inform you about each event that satisfies specified requirements. This option is useful when you use one test item to check for different error events (e.g. you are checking for any event with "Failure Audit" type). BTW do not forget to use "Repeat: until status changes" option for appropriate alert actions.
Please note: HostMonitor changes test status to "Bad" only when it has found NEW event(s) that satisfies all specified requirements. If, after the next probe, the monitor does not find a new "Bad" event, it changes the test status to "Ok".
==================
http://www.ks-soft.net/hostmon.eng/mfra ... m#chkNTLog
Regards,
Max
You Quote:
So, if EventId is NOT listed in "Alert condition", it means such Event Id does not match the filter and HostMonitor ignores it. Everything Ok, I think.
No, I think it's not OK.
For example: EventID 1015, source perflib occurred. Not so important for us, so you specify a filter that says: EventID Any from the following (1015), Description contains Nothing from the list (perflib). So next time HostMonitor treats this event as not bad. If the same EventID 1015 occurs with another description (that is not listed), HostMonitor treats this as bad. So far, so good.
But what will happen if the next EventID is new, for example number 1030, is a serious error and is not specified in the "Any from the following"-list? It will not be treated as bad, so no email is sent. Not good I think. What is therefore the solution then?
NT Event log offers quite flexible filter options and every option is described in the documentation as well (please use link below):
http://www.ks-soft.net/hostmon.eng/mfra ... m#chkNTLog
You just should read manual carefully and specify filter options that suit your needs.
If you have specified particular EventId (e.g. 1015) and selected "Any from the following" option, it means that HostMonitor will trigger alert ONLY when EventId 1015 occurs in the log and ignore any other ID's. In case you have specified "Any except the following" option, HostMonitor will ignore EventId 1015 and trigger alert when any other Event Id occurs.
If you want to monitor all critical errors, I would suggest you specify Event Type as Error, mark "Any from the following" for Event Type area and leave Event ID and Description Contains as "Any". You may setup several NT Event Log tests to check different Logs (System, Application, Security, etc.), different Event Sources, particular Event Id's - everything is up to you.
Regards,
Max
So if I understand (the manual), to accomplish my goal I must specify two Event Log Tests per type Log (application, system). One which will filter out EventID with Description and one with "Any except the following" that lists the same EventID's from the first test.
This combination will do the trick I think. Quote me if I'm wrong.
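The filter combinations discussed in this thread, modelled as an added example (this is not HostMonitor code and not from any poster). The class and function names, the sample events and the case-insensitive substring match are assumptions of the sketch; the ID and description modes follow the semantics quoted in the posts above.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Event:
    event_id: int
    description: str

@dataclass(frozen=True)
class LogTest:
    """Hypothetical model of one test's alert condition (not HostMonitor code)."""
    id_mode: str                 # "any", "any_from" or "any_except"
    ids: frozenset = frozenset()
    desc_mode: str = "any"       # "any" or "nothing_from"
    phrases: tuple = ()

    def is_bad(self, ev: Event) -> bool:
        # Event ID condition
        if self.id_mode == "any_from" and ev.event_id not in self.ids:
            return False
        if self.id_mode == "any_except" and ev.event_id in self.ids:
            return False
        # Description condition; case-insensitive substring match is an assumption
        if self.desc_mode == "nothing_from":
            text = ev.description.lower()
            if any(p.lower() in text for p in self.phrases):
                return False
        return True   # every condition matched, so the event counts as "Bad"

def alerts(tests, events):
    """Events that at least one of the given tests reports as "Bad"."""
    return [ev for ev in events if any(t.is_bad(ev) for t in tests)]

# Constructed sample events
KNOWN = Event(1015, "perflib: open procedure failed")   # the tolerated case
ODD = Event(1015, "unexpected service failure")         # same ID, other text
NEW = Event(1030, "serious error")                      # ID not listed anywhere
EVENTS = [KNOWN, ODD, NEW]

# First post: "any except" 1015 plus "nothing from the list" drops every 1015
FIRST_TRY = LogTest("any_except", frozenset({1015}), "nothing_from", ("perflib",))
# Last post: two tests per log that together cover both cases
TEST_A = LogTest("any_from", frozenset({1015}), "nothing_from", ("perflib",))
TEST_B = LogTest("any_except", frozenset({1015}))

if __name__ == "__main__":
    for name, tests in [("first try", [FIRST_TRY]), ("A only", [TEST_A]),
                        ("A and B", [TEST_A, TEST_B])]:
        print(name, [(e.event_id, e.description) for e in alerts(tests, EVENTS)])
```

In this model the first attempt misses the 1015 event with an unlisted description, test A alone misses event 1030, and only the pair of tests reports both while staying silent on the tolerated perflib event.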