KS-Soft. Network Management Solutions

Send Event details to external parsing script

 
terje



Joined: 25 Jul 2005
Posts: 88
Location: Sydney

Posted: Wed Dec 12, 2007 4:52 am    Post subject: Send Event details to external parsing script

We make quite heavy use of the "NT Event Log" test to check up on all our customers' networks. For example, we like to watch for "unexpected reboot" or "UPS battery needs replacing" type of events. The current test logic allows quite a bit of flexibility in narrowing down the criteria that will be flagged as bad.

However, one thing I would really like as an enhancement is to be able to send the text associated with an event to an external script for parsing and determining the status of the test. Either that or some more powerful inbuilt logic tests.

For example, I do a test on some sites on the Security log looking for events 528 with "Logon Type: 10" in the description (with text modified to include TAB character). Such events tell me that somebody has done a remote logon to the server (RDP), which lets me keep tabs on who is doing various things. However, I'm only really interested in being alerted if the login is from external to the customer's LAN, so I would like to ignore such events if they also include the following text:-

"Source Network Address: 192.168.1."

Obviously I'm wishing for some more powerful parsing capabilities, either in-built or via a mechanism that can pass the job to a script.
KS-Soft Europe



Joined: 16 May 2006
Posts: 2832

Posted: Wed Dec 12, 2007 5:05 am    Post subject: Re: Send Event details to external parsing script

terje wrote:
However, I'm only really interested in being alerted if the login is from external to the customer's LAN, so I would like to ignore such events if they also include the following text:-
"Source Network Address: 192.168.1."
Version 7.0 offers you the string comparison operator 'in'. So, you may use an advanced mode action with an expression like the following:
Code:
('%SimpleStatus%'=='DOWN') and ('Source Network Address: 192.168.1.' in '%Reply%')

Quote:
http://www.ks-soft.net/hostmon.eng/news.htm
===================================
22. String comparison operator 'in' is supported by "advanced actions" evaluator, e.g. you may setup expression like ('Error' in '%::Test1::Reply%')
===================================

Regards,
Max
terje



Joined: 25 Jul 2005
Posts: 88
Location: Sydney

Posted: Thu Dec 13, 2007 12:43 am

Thanks.

That gives me the necessary incentive to upgrade.
terje



Joined: 25 Jul 2005
Posts: 88
Location: Sydney

Posted: Wed Feb 13, 2008 6:24 pm

Okay, I've upgraded and I think I have my head around the suggestion. As I understand it, this approach won't change the fact that the test is changed to a BAD status; it will merely allow me to do some advanced filtering before sending an email in response to that BAD status. However, what I would really prefer to be able to do is to not have the test status change at all. As such, I would really like to be able to do something like this:-

Test for an event log entry of type xyz. Take the description text from the event and either parse it using string operators within hostmonitor or pass it to an external script (with macro parameters) and based on that result decide if the test is GOOD or BAD.

A seemingly easy approach would be if in the EVENT LOG TEST PROPERTIES page, under the section called DESCRIPTION CONTAIN it was possible to prefix a string with some sort of NOT operator. So in my case you would have the following settings:-

COMPUTER = ANY
COMPUTER TYPE = ANY FROM THE FOLLOWING { Success Audit }
EVENT ID = ANY FROM THE FOLLOWING { 528 }
DESCRIPTION CONTAINS = ANY STRING FROM LIST { "Logon Type: 10", ~"192.168.1" }

Where ~ is the logical operator NOT.

Filtering at the alert level is helpful but it does not change the fact that a test is showing as BAD in the console.

KS-Soft



Joined: 03 Apr 2002
Posts: 12793
Location: USA

Posted: Thu Feb 14, 2008 10:18 am

Quote:
However what I would really prefer to be able to do is to not have the test status change at all.

You may use Optional status processing
http://www.ks-soft.net/hostmon.eng/mframe.htm#tests.htm#usrstatusprocessing
E.g. you may enable "Use Normal status" option and provide expression like ('%SuggestedStatus%'=='DOWN') and ('Source Network Address: 192.168.1.' in '%SuggestedReply%')

Regards
Alex
terje



Joined: 25 Jul 2005
Posts: 88
Location: Sydney

Posted: Tue Feb 19, 2008 8:22 pm

I had to use SimpleStatus as in:-

Quote:
('%SuggestedSimpleStatus%'=='DOWN') and ('Source Network Address: 10.2.1.' in '%SuggestedReply%')


but otherwise that's perfect.
KS-Soft



Joined: 03 Apr 2002
Posts: 12793
Location: USA

Posted: Wed Feb 20, 2008 11:07 am

Yes, should be '%SuggestedSimpleStatus%'=='DOWN'. My mistake.

Regards
Alex
terje



Joined: 25 Jul 2005
Posts: 88
Location: Sydney

Posted: Thu Mar 13, 2008 7:18 pm

Actually, just for others that might want to use this, it is worth mentioning that you may need to include a TAB character between "Source Network Address:" and the "10.2.1."
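Added example (not from the original thread and not KS-Soft code): a sketch in Python of the external parsing script asked for at the start of this thread. It reads the two fields with a whitespace-tolerant pattern, so a space or a TAB after the colon both work, and compares the address against a network instead of a text prefix. The 192.168.1.0/24 range, the function names and the sample event text are assumptions made for illustration; how the result would be handed back to HostMonitor is not shown.

```python
import ipaddress
import re

# Assumption: the customer's LAN, from the 192.168.1. prefix used in the thread.
INTERNAL_NETS = [ipaddress.ip_network("192.168.1.0/24")]

# \s* after the colon accepts a space, a TAB, or several of either.
LOGON_TYPE_RE = re.compile(r"Logon Type:\s*(\d+)")
SOURCE_ADDR_RE = re.compile(r"Source Network Address:\s*(\S+)")


def classify_logon(description, internal_nets=INTERNAL_NETS):
    """Return 'BAD' for a Logon Type 10 event from outside the LAN, else 'GOOD'."""
    logon = LOGON_TYPE_RE.search(description)
    if logon is None or logon.group(1) != "10":
        return "GOOD"  # not a remote interactive logon
    source = SOURCE_ADDR_RE.search(description)
    if source is None:
        return "BAD"  # no address field: alert rather than hide the event
    try:
        addr = ipaddress.ip_address(source.group(1))
    except ValueError:
        return "BAD"  # "-" or other non-address text
    return "GOOD" if any(addr in net for net in internal_nets) else "BAD"


def sample_event(logon_type, source, sep="\t"):
    """Constructed text shaped like an event 528 description (not a real log entry)."""
    return (
        "Successful Logon:\n"
        f"\tUser Name:{sep}jsmith\n"
        f"\tLogon Type:{sep}{logon_type}\n"
        f"\tSource Network Address:{sep}{source}\n"
        f"\tSource Port:{sep}3389\n"
    )


if __name__ == "__main__":
    cases = [(10, "192.168.1.25", "\t"), (10, "192.168.1.25", " "),
             (10, "192.168.10.25", "\t"), (10, "203.0.113.7", "\t"),
             (2, "203.0.113.7", "\t"), (10, "-", "\t")]
    for logon_type, source, sep in cases:
        text = sample_event(logon_type, source, sep)
        print(logon_type, source, repr(sep), classify_logon(text))
```

The 192.168.10.25 case is reported as BAD here, although its description contains the text "192.168.1"; a substring filter without the trailing dot would have treated it as internal.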
All times are GMT - 6 Hours