Incorrect status readings from Windows Update event log
Hi,
I'm using HostMonitor v4.42 and have been experiencing odd problems trying to monitor the Windows Event log for the Windows Update service.
I am trying to monitor Warning and Error events for the WUSyncService, but HostMonitor is generating warnings for Information messages too.
All of my other event monitoring services work ok, it seems to be just this particular service.
This service does seem a little odd in the way it works with the event log. I cannot filter by this service, turning on filtering for this service actually does not display any events, and I don't know whether this would indicate a problem with the event log?
Ross
Yes it does. I'm using similar criteria for other events and they are working fine. It's purely the SUS events that are behaving strangely.
I'm not entirely sure it's not the SUS service doing something wrong when it logs events. I don't know how the event log works internally so I don't know if this is possible, but there is definitely something not quite right with them.
I'm trying to get in touch with MS support at the moment to find out if this is a known problem.
Ross
;-----------------------------------------------------------------------------
;- HostMonitor`s export/import file -
;- Generated by HostMonitor at 15/04/2004 12:09:33 -
;- Source file: C:\Program Files\HostMonitor4\robinsons.hml -
;- Generation mode: Selected_Tests -
;-----------------------------------------------------------------------------
; ------- Test #01 -------
Method = NTLog
;--- Common properties ---
;DestFolder = Robinsons\Event Logs\
Title = SUS Server Update
Comment = SUS Server Update
RelatedURL =
ScheduleMode= Regular
Schedule =
Interval = 600
Alerts = Robinsons Event - Bad only
ReverseAlert= No
UnknownIsBad= No
UseCommonLog= Yes
PrivLogMode = Default
CommLogMode = Default
SyncCounters= Yes
SyncAlerts = No
DependsOn = list
MasterTest-Alive = rob-028
;--- Test specific properties ---
Computer = rob-028
Log = System
Source = WUSyncService
CheckComp = Any
CheckType = AnyFromList
CheckID = Any
CheckDescr = Any
CompList =
TypeList = Error
TypeList = Warning
IDList =
DescrList =
ReportMode = LastEvent
;-----------------------------------------------------------------------------
; Exported 1 tests
Strange... all settings look correct.
Could you set up an action profile (assigned to the test) to send an e-mail when the event occurs? If you use event-related macro variables in the mail body (such as %NTEventSource%, %NTEventComp%, %NTEventType%, %NTEventID%, etc), you will see exactly which event HostMonitor takes...
Regards
Alex
I already do, below is the e-mail I receive regarding this service. The event viewer shows this event as an information event, but HostMonitor reports it as bad anyway.
I'm currently speaking with Microsoft as I believe there may be problems with either SUS or the event log on this machine.
-------------------
Event log text:
Software Update Services successfully synchronized all content.
Your server is completely up-to-date.
User Action
To view the list of files that may have been added, removed, or updated during this synchronization, see the synchronization log.
To see the synchronization log, go to the Software Update Services Admin Web site (http://<YourServerName>/SUSAdmin), and then click the View synchronization log link.
For more information about administering a server running Software Update Services, see the Microsoft Software Update Services Deployment Guide (http://go.microsoft.com/fwlink/?LinkId=6928).
Message from HostMonitor (host changed status)
Test : SUS Server Update
Method: check NT Event Log
Status : Bad
Date : 16/04/2004 04:02:37
Reply : 0 ms
Recurrences : 1
Last status: Ok
Total tests: 722
Alive ratio : 98.75
Dead ratio: 1.25
Folder: Event Logs
Yes, I understand. But you did not use EVENT SPECIFIC macro variables in the mail body.
If you add these variables (%NTEventSource%, %NTEventComp%, %NTEventType%, %NTEventID%, etc), we will know what exactly HostMonitor sees in the log...
Regards
Alex
I also have the same problem with the Software Update info alert getting picked up as a warning/error.
Although not 100% sure I think this is a bug with SUS. Whenever I run an eventlog query using WMI or MS logparser some of the data for SUS (only) is missing. From memory the eventtype field is listed as an "Unknown event".
This is probably causing ahm to include it in the query specs.
We can either wait for the new version of SUS (shortly) or you may want to add an additional criterion for "unknown event" in the event type selection.
HTH, Nick
I checked HostMonitor's code - if some application records an event with an invalid type (I don't know if that is possible) HostMonitor should ignore this event. It should ignore any event with a type different from the one specified (of course, if you use the appropriate filter).
Did you use macro variables (%NTEventSource%, %NTEventComp%, %NTEventType%, %NTEventID%, etc) to check what exactly HostMonitor sees in the log?
Regards
Alex

Found it!
Hi,
I've just realised that the SUS server events have a type of 'none'. They are shown in event viewer as information events, but the event properties show the problem.
Is there any way around this in HostMonitor? I only want to be alerted if the type is Error or Warning.
I'm contacting Microsoft now to inform them of the problem, but I suspect I will get a faster response here.
many thanks,
Ross
Hi Alex,
It shows a type of 0:
Event ID: 104
Source: WUSyncService
Computer: ROB-028
Event Type: 0
Event Time: 04/02/2005 03:00:37
Event User -
Event log text:
---------------------------------------------------------------
Software Update Services successfully synchronized all content.
Your server is completely up-to-date.
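An added example, not part of the original thread and not HostMonitor's code: the classic Windows event log API defines record types as bit flags, with 0 meaning success, so a filter for Error and Warning has to compare the type exactly. The subset-mask check below is a hypothetical flawed filter shown for contrast, the sample report is constructed from the fields quoted above, and all function names are made up for illustration.

```python
# Classic Windows event log record types (EVENTLOG_* constants in winnt.h).
EVENT_TYPES = {
    0x0000: "Success",        # EVENTLOG_SUCCESS: no bits set
    0x0001: "Error",          # EVENTLOG_ERROR_TYPE
    0x0002: "Warning",        # EVENTLOG_WARNING_TYPE
    0x0004: "Information",    # EVENTLOG_INFORMATION_TYPE
    0x0008: "Audit Success",  # EVENTLOG_AUDIT_SUCCESS
    0x0010: "Audit Failure",  # EVENTLOG_AUDIT_FAILURE
}
NAME_TO_CODE = {name: code for code, name in EVENT_TYPES.items()}

def parse_report(text):
    """Parse the 'Key: value' lines of a macro-variable report into a dict."""
    record = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:  # lines without a colon (e.g. 'Event User -') are skipped
            record[key.strip()] = value.strip()
    return record

def matches_allow_list(event_type, wanted_names):
    """Exact match against an explicit list; type 0 is never Error/Warning."""
    return event_type in {NAME_TO_CODE[n] for n in wanted_names}

def matches_subset_mask(event_type, wanted_names):
    """Hypothetical flawed check: 'are all of the event's bits in the mask?'
    Type 0 has no bits set, so it passes for every mask."""
    mask = 0
    for name in wanted_names:
        mask |= NAME_TO_CODE[name]
    return (event_type & ~mask) == 0

# Constructed sample, modelled on the report quoted in the thread.
SAMPLE = """Event ID: 104
Source: WUSyncService
Event Type: 0
Event Time: 04/02/2005 03:00:37
Event User -
"""

def demo():
    event_type = int(parse_report(SAMPLE)["Event Type"])
    wanted = ["Error", "Warning"]
    return (EVENT_TYPES.get(event_type, "Unknown"),
            matches_allow_list(event_type, wanted),
            matches_subset_mask(event_type, wanted))

if __name__ == "__main__":
    print(demo())
```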
H'm, originally..
Ok, I made some changes. Update available at http://www.ks-soft.net/download/hm501.zip
Please install version 5.00 before using this update (it's not critical, this way you will have up to date manual and help file)
Regards
Alex