Hi-
I'm using Host Monitor against the NT Event log to find and report certain events. If I understand the documentation correctly, Host Monitor will only examine NEW events. If that is the case, how do I test my tests?
For instance, let's say I am looking for a disk failure error. It happened at 2:15 yesterday afternoon, as recorded in the NT Event Log. This morning, I write a test that searches the NT Event Log for the disk error message. Let's say the test does not work as I had hoped. When I modify the test, Host Monitor will not find the disk error because it only looks at events that occurred after the last test, which I ran this morning- after the failure yesterday at 2:15. See the problem? I can't test my test (at least not without generating NEW disk error events).
Another way of putting this is: When I write a test in Host Monitor, I want to be able to tell it to examine the entire NT Event Log, not just the NEW events. Then, once I have confirmed my test (as written) works, I want to be able to tell Host Monitor just to examine the NEW events.
I probably misunderstand how Host Monitor works.
Thanks in advance for your response!
NT Event Log - Last "Bad" Event
Re: NT Event Log - Last "Bad" Event
tmh wrote: I'm using Host Monitor against the NT Event log to find and report certain events. If I understand the documentation correctly, Host Monitor will only examine NEW events. If that is the case, how do I test my tests?
You are absolutely right. HostMonitor changes test status to "Bad" only when it has found NEW event(s) that satisfy all specified requirements. If, after the next probe, the monitor does not find a new "Bad" event, it changes the test status to "Ok".
tmh wrote: For instance, let's say I am looking for a disk failure error. It happened at 2:15 yesterday afternoon, as recorded in the NT Event Log. This morning, I write a test that searches the NT Event Log for the disk error message. Let's say the test does not work as I had hoped. When I modify the test, Host Monitor will not find the disk error because it only looks at events that occurred after the last test, which I ran this morning- after the failure yesterday at 2:15. See the problem? I can't test my test (at least not without generating NEW disk error events).
You can test the functionality of the "NT Event Log" test with the eventcreate.exe command-line utility that is included with the Windows XP and Windows Server 2003 operating systems. This utility enables an administrator to create a custom event in a specified event log: http://www.microsoft.com/resources/docu ... x?mfr=true On Windows 2000 you may use the logevent.exe utility instead.
tmh wrote: Another way of putting this is: When I write a test in Host Monitor, I want to be able to tell it to examine the entire NT Event Log, not just the NEW events. Then, once I have confirmed my test (as written) works, I want to be able to tell Host Monitor just to examine the NEW events.
HostMonitor is supposed to perform a given test on a regular basis, for instance, once a day. If HostMonitor finds some specific event during the test interval, it will alert you. Actually, I do not see any reason to examine the entire log because you already know about these events.
Regards,
Max
NT Event Log - Last "Bad" Event
Max-
Quote: You can test the functionality of the "NT Event Log" test with the eventcreate.exe command-line utility
Thank you for the pointer to eventcreate.exe. I looked at it; it can create events in the NT Event Logs. But the events have some limitations, such as:
1) Event ID can't be more than 1000
2) Event Source can't be same name as internal source (for instance, you can use "StorageAgent" but not "Storage Agent.")
3) Descriptions with embedded quotes or multiple lines cannot be sent (because eventcreate.exe uses quotes as delimiters for the description string)
This means I can't exactly recreate certain events, such as ID 1216 from "Storage Agent" with a description that includes embedded quotes. Nonetheless, it's still a useful tool.
Quote: Actually, I do not see any reason to examine entire log because you already know about these events.
Perhaps my comment should be posted under "Enhancements." What I meant is that I want to run a Host Monitor test over and over against the same NT Event Log, until I get the test result I expect. This could be accomplished by having a configuration checkbox that says:
"For this test, read through the entire NT Event Log, disregarding previous probes"
Once I was convinced that I had the test syntax completely correct, I would uncheck the checkbox and let Host Monitor only examine new events.
Another way to think about it is that the NT Event Log contains a set of "typical events." When I write a new probe, I want it to run against that set until I get the probe to work exactly as I expect. The only alternative to a test set is to inject artificial events (for instance, using eventcreate.exe). It would seem simpler just to tell Host Monitor "Please ignore the results of any prior probes and examine the entire log again."
In any case, thanks for the quick response. This is my first time on the forum, and it's always nice to get a fast answer.
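An added example, not part of the original posts and not HostMonitor's own tooling: on systems with Windows PowerShell, `Write-EventLog` accepts event IDs up to 65535 and descriptions with embedded quotes or line breaks, and `Get-WinEvent` can dry-run the same match criteria against the entire log. The Application log, the description text and the match pattern are assumptions made for illustration; the source name "StorageAgent" and ID 1216 are taken from the post above.

```powershell
# Added example. Run in an elevated Windows PowerShell 5.1 session
# (New-EventLog / Write-EventLog are not available in PowerShell 7).
# Assumptions: Application log, constructed description and match pattern.
$log    = 'Application'
$source = 'StorageAgent'   # test source name mentioned in the post
$id     = 1216             # above the eventcreate.exe limit of 1000

# Register the test source once; SourceExists avoids an error on re-runs.
if (-not [System.Diagnostics.EventLog]::SourceExists($source)) {
    New-EventLog -LogName $log -Source $source
}

# Constructed description with embedded quotes and a line break.
$message = @"
TEST EVENT: drive "Bay 3" reported status "Failed".
Injected to validate a monitoring test; safe to ignore.
"@

# Inject the NEW event that the next monitoring probe should pick up.
Write-EventLog -LogName $log -Source $source -EventId $id `
    -EntryType Error -Message $message

# Dry run: apply the same criteria (source, ID, description text) to the
# whole log, old events included, independent of any previous probe.
$hits = Get-WinEvent -FilterHashtable @{
            LogName      = $log
            ProviderName = $source
            Id           = $id
        } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'status "Failed"' }

$hits | Select-Object TimeCreated, Id, ProviderName, Message | Format-List
"Matched $(@($hits).Count) event(s) in the full $log log."

# Cleanup after testing (unregisters the test source):
# Remove-EventLog -Source $source
```

Label injected events clearly, as the description here does, so that they are not mistaken for real hardware failures during later log review.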