Recording specific NTEventLog events

nate-boit · Post by **nate-boit** » Mon Oct 16, 2006 10:32 am

It seems as though HostMonitor is recording some events that i am not telling it to. Under the Alert Conditon tab for each test, i have:

Code: Select all

Computer      Event type       Event ID                Description Contains
  Any           Any           Any from following        Nothing from following
                                  517                      User Logoff
                                  529                      Successful Network Logon
                                  530                               
                                  etc....

I have put the '%NTEventID%' variable into my sql query when saving to a database, and the results from that show event ids that i have not listed. Is there something that i have checked wrong or any other settings i could change?

NOTE: I only put the "Nothing from following" for description after i kept getting those specific events that i have not checked. Even after i put the beginnings of those errrors that i didn't want, HostMonitor is still occasionally logging those wrong events to the database.

KS-Soft · Post by **KS-Soft** » Mon Oct 16, 2006 11:19 am

You have single NT Event Log test item? May be there is another test that records messages?
Or another instance of HostMonitor? Sometimes people start 2 instances (e.g. service and application), made changes using 1st instance and forgot about 2nd...

Regards
Alex

nate-boit · Post by **nate-boit** » Mon Oct 16, 2006 11:49 am

I have many NT Event Log test items. One test that monitors some events, and another that monitors other events. One being for a "technical" report, and one being for a "management" report (which i differentiate later by sql query on my end). I have some of the same events being logged for both tests on the same server i am montoring.

I have each test "template" applied to multiple servers that i am monitoring. I differentiate them by having %servername% - Tech, or %servername% - Mgmt.

To better clarify,

Server1 - tech (monitors events 517, 529, 530, 610, 611)
Server1 - mgmt (monitors events 517, 610, 611, 626)
Server2 - tech (monitors events 517, 529, 530, 610, 611)
Server2 - mgmt (monitors events 517, 610, 611, 626)

The "Tech" test is the same for every server. The "Mgmt" test is the same for every server and is also applied to every server that the "Tech" test is applied to.

Could that be a separate issue of why i am also not getting some events on my 'management' test that have already been retrieved on my 'technical' test? I believe it is possible to retrieve information about the same event on the same server from multiple tests, correct?

Hopefully this answers a few of your questions instead of just confusing you.

And no, i never start HostMonitor as an application.

KS-Soft · Post by **KS-Soft** » Mon Oct 16, 2006 3:39 pm

I believe it is possible to retrieve information about the same event on the same server from multiple tests, correct?

Correct, test items work independently.

I do not see any mistake in our code. Do you use RMA to perform the test? What exactly IDs do you see in the log (that should not be there)? Do you see these events (IDs) in NT Event Log? Or HostMonitor reports about non-existent events?

Regards
Alex

nate-boit · Post by **nate-boit** » Mon Oct 16, 2006 4:29 pm

No. On this particular machine we are still using a trial of 6.20 Beta on a LAN. No RMA.

Example of unwanted event IDs would be 538, 540, 576. None of those are in the list of Event IDs that i want, yet they are being found by the test and logged to the database.

Yes the events that should not be reported are actually in the Event Log on the servers. And when logged to the database, they contain valid, network specific information.

KS-Soft · Post by **KS-Soft** » Tue Oct 17, 2006 4:49 pm

We cannot find any mistake in our code and we cannot reproduce this problem on our systems.
Could you send HML file with tests to us (support@ks-soft.net)? Please click menu "File" -> "Save" to be sure file is up to date

Regards
Alex

nate-boit · Post by **nate-boit** » Wed Oct 18, 2006 11:02 am

I upgraded to 6.24. I am going to wait for some more logs to generate before i send the HML file, just to be sure the problem is still occuring. Not that an upgrade should fix that problem, but just humor me.

Another question is this: Is there a way to prevent duplicate entries with the same reply, even if the event actually occurs multiple times in a short period of time? I have an alert profile set to send "bad" status items to the common log. I have the common log set to "write a record when test status or reply value changes (Reply)." And i have each test set to "Report about all 'bad' events."

There is an event that is happening repeatedly (sometimes 2 or 3 times in the same second) and each time it is logging to the database. I have checked Event Log Manager to confirm all reported events are actually there. I thought having the default logging mode as "Reply" would prevent this.

KS-Soft · Post by **KS-Soft** » Wed Oct 18, 2006 1:50 pm

You are using common log AND "Record HM log" action assigned to the test? Then HostMonitor will record event twice.
You should remove action and change logging mode to Reply.
Or you should disable common logging for the test and use "advanced mode" action with expression like ('%SimpleStatus%'=='DOWN') and ('%Reply%'<>'%LastReply%')

Regards
Alex