Monitor Event Logs

Use the Events tab on the Roles page to raise alarms when specified events are found in the Windows event log, and to define the rules that are applied to events detected in the log.

Event logging in Microsoft Windows provides a standard, centralized way for applications to record important software and hardware events. When an error occurs, the system administrator or support technicians must determine what caused the error, attempt to recover any lost data, and prevent the error from recurring. It is helpful if applications, the operating system, and other system services record important events such as low-memory conditions or failed attempts to access a disk. The system administrator can use the event log to help determine what conditions caused the error and the context in which it occurred.

A problem arises with the Windows Event log because nearly all applications and services use it, so it becomes difficult for the administrator to separate the relative importance of different events. The issue is further complicated because the event log is passive: if the administrator does not regularly inspect the contents of the log, they are unlikely to know that something significant has occurred on a system unless the problem crashes an application or the system. Event log monitoring solves these issues.

The event log monitor periodically inspects all of the logs on a system, checking to see if anything new has happened since the last time the log was inspected. A newly discovered event is run through a set of filters to determine whether or not a notification is to be sent or what action should be taken. The applied filters can be the default settings, completely defined by the user, or a combination. Furthermore, event log alarms can be triggered by specific character strings found in any of the event properties.

Settings

  1. From the drop-down list, select Events.
  2. Expand Settings and select Record Retainment items by placing a check in the Value column for each item.
  3. (Optional) Change the Event Log Data Retention period from the default of 30 days by entering a new value.
  4. (Optional) Change the upper limit of event log alarms to send by entering a new value in "New events will be ignored if there are more pending alarms than the number specified here".
  5. By default, Event Log Monitoring monitors "All Other Logs" and raises an alarm on errors. You can add new sources, select alarms for those sources, and select which information (Error, Warning, Audit Success, etc.) you wish to retain in the logs for the selected Notification and Action. (Select the desired Notification and Action from the drop-down list to the right of the check box items.)

Event Sources

  1. To add a new event source, expand Event Sources and click the plus icon. The Add New Setting dialog box opens.
  2. Select sources from a model system.
  3. Choose the category from which to display sources.
  4. Select the sources.
  5. Click Create.

Text Rules

In the Text Rules pane, the following two options perform two separate evaluations and apply the alarm accordingly:

  • Always Send: If an event log entry contains a text field that matches the string entered on one of the rows, an alarm is triggered and all notification settings are used.
  • Never Send: If an event log entry contains a text field that matches the string entered on one of the rows, no alarm is sent. This suppresses the alarm for that specific instance.

This method of controlling alarms and notifications can be as simple as copying a text string from the actual event log fields and pasting it into the desired grid row. This ensures that the text string the SysTrack Agent compares against the event log is identical. There is no defined limit to the number of rows that can be added to the Text Rules.
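As an added illustration (not SysTrack's own code), the following Python model evaluates the filtering described above over a handful of constructed events: the default alarm levels per log, Always Send and Never Send text rules matched against any event property, and the pending-alarm cap from step 4 of the Settings section. The level names, the field layout and the precedence of Never Send over Always Send are assumptions, not documented behaviour.

```python
from dataclasses import dataclass, field

@dataclass
class Event:  # one Windows event log record (fields simplified, assumed layout)
    log: str      # "Application", "System", "Security", ...
    level: str    # "Error", "Warning", "Information", "Audit Failure", ...
    source: str
    event_id: int
    message: str

@dataclass
class MonitorConfig:
    # levels that raise an alarm per log; "All Other Logs" is the default bucket
    alarm_levels: dict = field(default_factory=lambda: {"All Other Logs": {"Error"}})
    always_send: list = field(default_factory=list)  # Text Rules: Always Send
    never_send: list = field(default_factory=list)   # Text Rules: Never Send
    max_pending: int = 10                            # alarm cap from Settings step 4

def text_matches(event, needle):
    """A text rule matches when its string appears in any event property."""
    needle = needle.lower()
    return any(needle in str(v).lower() for v in vars(event).values())

def evaluate(events, cfg):
    """Return the event_ids that raise an alarm, in discovery order."""
    alarms, pending = [], 0
    for ev in events:
        if any(text_matches(ev, s) for s in cfg.never_send):
            continue  # Never Send suppresses the alarm (assumed to take precedence)
        forced = any(text_matches(ev, s) for s in cfg.always_send)
        levels = cfg.alarm_levels.get(ev.log, cfg.alarm_levels["All Other Logs"])
        if not (forced or ev.level in levels):
            continue  # the level rules do not alarm on this level for this log
        if pending > cfg.max_pending:
            continue  # "ignored if there are more pending alarms than the number specified"
        alarms.append(ev.event_id)
        pending += 1  # a real agent decrements this once the alarm is delivered
    return alarms

SAMPLE_EVENTS = [  # constructed sample records, not real log data
    Event("System", "Error", "Disk", 51, "An error was detected on device \\Device\\Harddisk0."),
    Event("Security", "Audit Failure", "Security-Auditing", 4625, "An account failed to log on."),
    Event("Application", "Information", "MyService", 100, "Service started successfully."),
    Event("System", "Error", "Print", 6161, "Document not printed: printer offline."),
    Event("Application", "Error", "Application Error", 1000, "Faulting application: app.exe"),
    Event("System", "Error", "Service Control Manager", 7034, "Service terminated unexpectedly."),
]
SAMPLE_CONFIG = MonitorConfig(
    alarm_levels={"All Other Logs": {"Error"}, "Security": {"Audit Failure"}},
    always_send=["Service started"], never_send=["printer offline"], max_pending=3)
```

With `SAMPLE_CONFIG`, `evaluate(SAMPLE_EVENTS, SAMPLE_CONFIG)` returns `[51, 4625, 100, 1000]`: the Security entry alarms through its own level rule, the Information entry through Always Send, the printer error is suppressed by Never Send, and the final error is dropped by the pending-alarm cap.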

Add a New Text Rule

  1. Click the plus (+) icon under Always Send or Never Send in the Text Rules pane.
  2. Enter a name.
  3. Click Create.