Good morning
I try to make a test with NT logs but it seems difficult (for me) to do
I have to say:
If I receive an entry in the application log 60 times in an hour: it is a bad condition
If I receive less (30 for instance) it is OK
Is it possible to do that ?
Thank you for your feedback
Best regards
Philippe
NT log test : if 60 same entries in an hour : bad
Difficult question.
If "bad condition" == "let's start alerts", I think you may do the following
1) Set up 2 schedules using the "Tune" button. The 1st schedule should be used for the "NT Event Log" test. E.g. it should allow the test to be executed every day between 00:00 and 00:05, 01:00-01:05, ... 23:00-23:05
Use the 2nd schedule to execute an auxiliary test, e.g. ping localhost every day between 00:06 and 00:09, 01:06-01:09, ... 23:06-23:09 (right after the 1st test)
2) Set both tests to be performed every 50 min, use "Report about all event" test property for NT Event Log test.
3) Set up the action that you need to be started after 60 consecutive bad results, assign this alert profile to the 1st NT Event Log test;
4) create another auxiliary action profile, use "Execute HM Script" action and script with single command "ResetRecurrencesTest nt_log_test_name"; assign this profile to 2nd test (ping localhost). So this action will be executed after NT Event Log test checked
http://www.ks-soft.net/hostmon.eng/mfra ... #actScript
Regards
Alex
Has anyone thought about writing a shell script to extract this info? A sample query below:
Code:
strComputer = "."
Set objWMIService = GetObject("winmgmts:" _
    & "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")
Set colLoggedEvents = objWMIService.ExecQuery _
    ("Select * from Win32_NTLogEvent Where Logfile = 'System' and " _
    & "EventCode = '9999'")
Wscript.Echo "Count for EventCode 9999: " & colLoggedEvents.Count
This would need to be modified to limit based on the 'TimeGenerated' or 'TimePosted' variable in order to limit it to the number of events in the last hour. It also needs to be modified to include AHM script conventions.
If you get it working, please post it in the Library.
The following script will select event records from last day and today (2 arguments: target host name and log name, e.g: localhost system)
Code:
Option Explicit
const statusAlive = "scriptRes:Host is alive:"
const statusDead = "scriptRes:No answer:"
const statusUnknown = "scriptRes:Unknown:"
const statusNotResolved = "scriptRes:Unknown host:"
const statusOk = "scriptRes:Ok:"
const statusBad = "scriptRes:Bad:"
const statusBadContents = "scriptRes:Bad contents:"
'---- entry point ----
dim objArgs, strComputer, strLogfile, Date1, strDate
dim objWMIService, colLoggedEvents, strWMIQuery
Set objArgs = WScript.Arguments
if objArgs.Count>1 then
  strComputer = objArgs(0)
  strLogfile = objArgs(1)
  ' build a yyyymmdd string for the previous day
  Date1 = DateAdd("d",-1,Now)
  strDate = CStr(Year(Date1))
  if Month(Date1)<10 then strDate = strDate & "0" & CStr(Month(Date1)) else strDate = strDate & CStr(Month(Date1)) end if
  if Day(Date1)<10 then strDate = strDate & "0" & CStr(Day(Date1)) else strDate = strDate & CStr(Day(Date1)) end if
  strWMIQuery = "Select * from Win32_NTLogEvent Where (Logfile='" & strLogfile & "') and (timewritten>" & strDate & ")"
  Set objWMIService = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")
  Set colLoggedEvents = objWMIService.ExecQuery(strWMIQuery)
  WScript.StdOut.WriteLine statusOk & colLoggedEvents.Count
else
  WScript.StdOut.WriteLine statusUnknown & "Not enough parameters specified"
end if
Actually I was trying to create script that will select records added within last hour. Script like this
Code:
Option Explicit
const statusAlive = "scriptRes:Host is alive:"
const statusDead = "scriptRes:No answer:"
const statusUnknown = "scriptRes:Unknown:"
const statusNotResolved = "scriptRes:Unknown host:"
const statusOk = "scriptRes:Ok:"
const statusBad = "scriptRes:Bad:"
const statusBadContents = "scriptRes:Bad contents:"
'---- entry point ----
dim objArgs, strComputer, strLogfile, Date1, strDate
dim objWMIService, colLoggedEvents, strWMIQuery
Set objArgs = WScript.Arguments
if objArgs.Count>1 then
  strComputer = objArgs(0)
  strLogfile = objArgs(1)
  ' build a yyyymmddhhmmss string for one hour ago
  Date1 = DateAdd("h",-1,Now)
  strDate = CStr(Year(Date1))
  if Month(Date1)<10 then strDate = strDate & "0" & CStr(Month(Date1)) else strDate = strDate & CStr(Month(Date1)) end if
  if Day(Date1)<10 then strDate = strDate & "0" & CStr(Day(Date1)) else strDate = strDate & CStr(Day(Date1)) end if
  if Hour(Date1)<10 then strDate = strDate & "0" & CStr(Hour(Date1)) else strDate = strDate & CStr(Hour(Date1)) end if
  if Minute(Date1)<10 then strDate = strDate & "0" & CStr(Minute(Date1)) else strDate = strDate & CStr(Minute(Date1)) end if
  if Second(Date1)<10 then strDate = strDate & "0" & CStr(Second(Date1)) else strDate = strDate & CStr(Second(Date1)) end if
  strWMIQuery = "Select * from Win32_NTLogEvent Where (Logfile='" & strLogfile & "') and (timewritten>" & strDate & ")"
  Set objWMIService = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")
  Set colLoggedEvents = objWMIService.ExecQuery(strWMIQuery)
  WScript.StdOut.WriteLine statusOk & colLoggedEvents.Count
else
  WScript.StdOut.WriteLine statusUnknown & "Not enough parameters specified"
end if
but somehow WMI provider does not accept condition like timewritten>20090914023000 while condition like timewritten>20090914 works just fine.
Not sure if there is any workaround
Regards
Alex
There is new script that can check number of records within last hour
Code:
Option Explicit
const statusAlive = "scriptRes:Host is alive:"
const statusDead = "scriptRes:No answer:"
const statusUnknown = "scriptRes:Unknown:"
const statusNotResolved = "scriptRes:Unknown host:"
const statusOk = "scriptRes:Ok:"
const statusBad = "scriptRes:Bad:"
const statusBadContents = "scriptRes:Bad contents:"
'---- entry point ----
dim objArgs, strComputer, strLogfile
dim objWMIService, colLoggedEvents, strWMIQuery, wbemDate
Set objArgs = WScript.Arguments
if objArgs.Count>1 then
  strComputer = objArgs(0)
  strLogfile = objArgs(1)
  Set wbemDate = CreateObject("WbemScripting.SWbemDateTime")
  wbemDate.SetVarDate(DateAdd("h",-1,Now))
  strWMIQuery = "Select * from Win32_NTLogEvent Where (Logfile='" & strLogfile & "') and (timewritten>'" & wbemDate & "')"
  Set objWMIService = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")
  Set colLoggedEvents = objWMIService.ExecQuery(strWMIQuery)
  WScript.StdOut.WriteLine statusOk & colLoggedEvents.Count
else
  WScript.StdOut.WriteLine statusUnknown & "Not enough parameters specified"
end if
Regards
Alex
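Added example (not part of the original posts and not KS-Soft code): one way to apply the 60-per-hour limit from the first post to the last script, so that the result is Bad when one event code reaches the limit within the last hour. The third and fourth arguments (event code, limit), the `Finish` and `IsSafeName` helpers and the name check are assumptions introduced here; the `scriptRes:` strings and the `SWbemDateTime` cutoff come from the thread.

```vbscript
Option Explicit
' Added example: event code, limit and both helpers are assumptions, not thread code
Const statusUnknown = "scriptRes:Unknown:"
Const statusOk = "scriptRes:Ok:"
Const statusBad = "scriptRes:Bad:"
Dim objArgs, strComputer, strLogfile, lngEventCode, lngLimit
Dim wbemDate, objWMIService, colEvents, strWMIQuery, lngCount

' Print one HostMonitor result line and stop
Sub Finish(strResult)
  WScript.StdOut.WriteLine strResult
  WScript.Quit
End Sub

' Accept only letters, digits, space, dot, underscore and hyphen, so a quote
' character can never reach the moniker or the WQL string built below
Function IsSafeName(strValue)
  Dim re
  Set re = New RegExp
  re.Pattern = "^[A-Za-z0-9 ._-]+$"
  IsSafeName = re.Test(strValue)
End Function

Set objArgs = WScript.Arguments
If objArgs.Count < 4 Then Finish statusUnknown & "Not enough parameters specified"
strComputer = objArgs(0)
strLogfile = objArgs(1)
If Not (IsSafeName(strComputer) And IsSafeName(strLogfile)) Then Finish statusUnknown & "Invalid host or log name"
If Not (IsNumeric(objArgs(2)) And IsNumeric(objArgs(3))) Then Finish statusUnknown & "Event code and limit must be numbers"
lngEventCode = CLng(objArgs(2))
lngLimit = CLng(objArgs(3))

' SWbemDateTime renders the cutoff in the quoted DMTF form that WQL compares against
Set wbemDate = CreateObject("WbemScripting.SWbemDateTime")
wbemDate.SetVarDate DateAdd("h", -1, Now)
strWMIQuery = "Select * from Win32_NTLogEvent Where (Logfile='" & strLogfile & "')" & _
  " and (EventCode=" & lngEventCode & ") and (TimeWritten>'" & wbemDate.Value & "')"

On Error Resume Next
Set objWMIService = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")
Set colEvents = objWMIService.ExecQuery(strWMIQuery)
lngCount = colEvents.Count
If Err.Number <> 0 Then Finish statusUnknown & "WMI query failed: " & Err.Description
On Error GoTo 0

If lngCount >= lngLimit Then
  Finish statusBad & lngCount
Else
  Finish statusOk & lngCount
End If
```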