Objective
The aim of the Windows Events tool is to monitor events posted by your application, so that application monitoring is consolidated under a single icon and you do not additionally have to look up the Windows EventLog.
It also enables you to define automatic acknowledgment of previously triggered alerts by specifying the Windows event that will acknowledge the alert.
Method (summary)
• Select the category of events you wish to monitor (ACEEventLog/application/internet explorer/security/system)
• Configure automatic acknowledgement and then set alert thresholds
Result
An icon representing the Windows event appears in the console, under which the parameters MatchingEventRate and MatchingEventCount are displayed. You can set alert thresholds and automatic acknowledgements for the events found.
Create or edit a Windows event monitoring
To create a new NT event, right-click the Application/Container icon in the PATROL Console and select KM Commands > New > NT event monitoring...
To edit an existing NT Event monitoring, right-click the Windows Event icon in the PATROL Console and select KM Commands > Edit.
Step 1: Selecting the Windows Event log to monitor

Windows Event Monitoring Wizard — Welcome Page
Select the Windows Event log to monitor:
• Application: Any event related to an application
• Security: Security events that are specified in the audit policy
• System: Any event related to the operating system
Apart from the above three categories, the events shown in the drop-down list depend on each system.
Step 2: Identifying the Windows Event to monitor
This panel is used to identify the Windows Event to monitor.

Windows Event Monitoring Wizard — Event Identification Page
Source: The software that logged the event, which can be either a program name such as "SQL Server," or a component of the system or of a large program such as a driver name. For example, "Elnkii" indicates an EtherLink II driver.
Windows Event Types to monitor: A classification of the event severity: Error, Information, or Warning in the system and application logs; Success Audit or Failure Audit in the security log. In the Event Viewer normal list view, these are represented by a symbol.
Enter the searched Windows Event ID: A number identifying the particular event type. The first line of the description usually contains the name of the event type.
Example
6005 is the ID of the event that occurs when the Event log service is started. The first line of the description of such an event is "The Event log service was started." The Event ID and the Source can be used by product support representatives to troubleshoot system problems.
Optional information: Arguments (insertion strings) that make up the description of the NT Event. See the documentation of the NT Event you are monitoring for more information about these arguments. The argument number specifies where in the description the information is to be found. Up to two arguments can be chosen, and for each you can indicate whether the text you enter is to be found within the argument ("must contain") or is the entire argument ("must exactly be").
Case sensitive: Indicates whether or not the search for the Argument that is to be found within the Windows Event description will be case sensitive.
Note: If you are unsure about the characteristics of the Windows event you want to detect, use the Monitoring Studio built-in Windows EventLog Reader tool to view the content of the EventLogs and the characteristics of the events, including their arguments (insertion strings): right-click on the main Monitoring Studio icon > KM commands > Tools > Windows EventLog Reader.
Step 3: Automatic acknowledgement configuration
The automatic acknowledging feature allows you to reset the MatchingEventCount parameter to zero and its status to 'normal', thereby acknowledging the alert. This can be done in the following two cases:
• Acknowledge alert(s) if the following timeout is reached: A timeout since the last found matching Event
• Acknowledge alert(s) if the following NT Event is found: Specify the Windows Event

Windows Event Monitoring Wizard — Alert Acknowledgement Definition Page
When this occurs, you can specify whether to:
• Acknowledge all alerts, previously triggered by this Windows Event monitoring: All the previous alerts are acknowledged in one action and the MatchingEventCount parameter is reset.
• Acknowledge only one alert triggered by this NT Event search: Just one alert is acknowledged (the MatchingEventCount parameter is thus decreased by one).
Click Next and you arrive at the last panel with the Monitoring Studio settings.
Step 4: Monitoring Studio settings

Windows Event Monitoring Wizard — Settings Page
Object display name: Label displayed in the PATROL Console for this Windows Event monitoring.
Object internal identifier (ID): PATROL internal identifier.
What thresholds do you want to set for the newly created instance? A drop-down list allows you to select the mode of setting alert thresholds:
• Use default thresholds: Uses the default thresholds set by Monitoring Studio
• Set custom thresholds: Allows you to customize the thresholds for all parameters of the instance
• Use default thresholds and customize them: Sets the default Monitoring Studio thresholds on certain parameters (see list of parameters with default thresholds) and then allows you to customize any/all of them. This is mainly intended to save time if you wish to customize the thresholds of just one of many parameters for the instance and leave the default settings for the others.
  Note: If you select Use default thresholds and customize them, the Set Thresholds panel appears on clicking Finish, and certain parameters of the instance may appear with an asterisk symbol, indicating that they already have thresholds. You can then customize any/all of the parameter thresholds as per your specific needs.
• Do not set any thresholds for now: No thresholds are set on any parameter of the instance, and as a result no alerts are triggered. Monitoring Studio polls the object and returns the output of the polling, but does not raise any alerts until you set thresholds.
Thresholds can be set or modified at any time by right-clicking on the instance > KM commands > Set Thresholds.
Windows Event monitoring objects are instances of the SW_NTEVENTS class.
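As an added illustration (not Monitoring Studio's own code), the following Python model encodes the rules described in Steps 1 to 3: log, Source, event type and Event ID, up to two insertion-string arguments matched with "must contain" or "must exactly be", the Case sensitive flag, and automatic acknowledgement of MatchingEventCount by timeout or by an acknowledging Windows Event, either for all alerts or for one. The class and field names are constructed for the example, and how the status is derived from thresholds (Step 4) is left out.

```python
from __future__ import annotations
from dataclasses import dataclass, field

@dataclass
class Event:
    log: str             # Application / Security / System
    source: str          # software that logged the event
    event_type: str      # Error, Information, Warning, Success Audit, Failure Audit
    event_id: int
    args: list[str]      # insertion strings; the wizard numbers them from 1
    time: float          # constructed clock, in seconds

@dataclass
class EventSpec:         # event identification entered in Steps 1 and 2
    log: str
    source: str
    types: set[str]
    event_id: int
    # up to two (argument number, text, exact) rules: exact=True is "must exactly be",
    # exact=False is "must contain"
    arg_rules: list[tuple[int, str, bool]] = field(default_factory=list)
    case_sensitive: bool = False
    def matches(self, ev: Event) -> bool:
        norm = (lambda s: s) if self.case_sensitive else str.lower
        return ((ev.log, ev.source, ev.event_id) == (self.log, self.source, self.event_id)
                and ev.event_type in self.types
                # a rule referring to an argument the event does not have never matches
                and all(idx <= len(ev.args) and (norm(ev.args[idx - 1]) == norm(text)
                        if exact else norm(text) in norm(ev.args[idx - 1]))
                        for idx, text, exact in self.arg_rules))

@dataclass
class Monitor:           # one monitoring instance and its MatchingEventCount
    watch: EventSpec
    ack_timeout: float | None = None    # acknowledge after this long without a match
    ack_event: EventSpec | None = None  # or when this Windows Event is found
    ack_all: bool = True                # False: acknowledge only one alert
    count: int = 0                      # MatchingEventCount
    last_match: float | None = None
    def feed(self, ev: Event) -> int:
        # the timeout is evaluated against the clock of each incoming event
        timed_out = (self.ack_timeout is not None and self.last_match is not None
                     and ev.time - self.last_match >= self.ack_timeout)
        if timed_out or (self.ack_event is not None and self.ack_event.matches(ev)):
            self.count = 0 if self.ack_all else max(0, self.count - 1)  # acknowledge
        if self.watch.matches(ev):
            self.count, self.last_match = self.count + 1, ev.time
        return self.count
```

Feed Event records to Monitor.feed(), which returns MatchingEventCount after each event; an acknowledging event such as 6005 from the System log returns 0 with the default ack_all=True and count minus one with ack_all=False.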
See Also
Can I search for Windows Events whose description match a regular expression?
What is the meaning of the "Argument1, 2..." fields in the Windows Event monitoring wizard?
Windows EventLog Reader tool
SW_NTEVENTS