
How can I check the Windows Event log using extended filter options?

Votes:

1

The functionality of PRTG's standard event log sensor is not sufficient for my needs. Is there a way to check a computer's Windows Event Log file using extended functionality, for example, other filters?

custom-script-exe custom-sensor event-log prtg sensor vb vbscript visual-basic windows

Created on Feb 11, 2011 10:37:11 AM by  Daniel Zobel [Product Manager]

Last change on Mar 19, 2015 3:45:45 PM by  Martina Wittmann [Paessler Support]



5 Replies

Accepted Answer

Votes:

1

Eventlog VBScript

Using a Visual Basic script, you can check the Windows Event Log in a similar way to the PRTG Event Log Sensor, plus you can add your own filter functionality. In PRTG, you can run the script as an EXE/Script Sensor.

Use at Your Own Risk

In the following, we provide a script, ready for your own adaptations. Please note: We provide this information to experienced users "as is", without any warranty, and we also cannot support you with customizing your EXE/Script sensors. Please see further documentation within the script.

' ********************************************************************************
' PRTG Custom EXE Sensor, VB Demo Script for checking Eventlog entries via WMI
' ********************************************************************************
' created Feb 2011 for PRTG Network Monitor V8 by Paessler Support Team, www.paessler.com
' This script is Open Source and comes without support or warranty

'************ How it works ***************************************************
' This Script reads the number of new entries in the Windows Eventlog between intervals.
' In order to do so it stores the timestamp of the last reading in a registry key.
' This registry key (which is of type string) has to be created by the user before running the script the first time.
' Just leave the value empty.
' We recommend that you modify the script and check via VB if the registry key exists, then create it, if necessary.
' You will find examples of how to do this on the internet.
' The registry key has to be unique for each sensor of this type.
' You might consider storing the timestamp value in a file instead of the registry, because this is often easier
' to do.
' To further refine the filtering of the event log entries, please modify the section
' where the event log entries are retrieved via WQL. Check out http://msdn.microsoft.com/en-us/library/aa394226(v=vs.85).aspx
' for more information about possibilities of the WMI class.
' After opening the query you can read through the messages and further refine your result by means of VB script.


'********** VERY IMPORTANT *************************************************
' The registry key contained in strKeyPath and strValueName must be unique for each sensor of this type.
' You must create it in the registry BEFORE running the sensor!
' Alternatively you could create it dynamically by modifying this script.

const HKEY_LOCAL_MACHINE = &H80000002
const strKeyPath = "SOFTWARE\Paessler\PRTG Network Monitor\Custom Sensors"
const strValueName = "UTCTime"

'************ Set Your WMI credentials here ****************
' Leave User and Password blank for local machine

strComputer = "."
strUser = ""
strPassword = ""


strNamespace = "root/cimv2"

Set objLocator = CreateObject("WbemScripting.SWbemLocator")
Set objWMIService = objLocator.ConnectServer(strComputer,strNamespace,strUser,strPassword)

strUTCTime = ""
ReadUTC

' *********************** WQL statement ********************************************
' Check out http://msdn.microsoft.com/en-us/library/aa394226(v=vs.85).aspx
' for more information about possibilities for refining the conditions in your WQL statement

' Fetch only events newer than the stored timestamp (strUTCTime must be in DMTF datetime format).
' "&" is the VBScript string concatenation operator; "+" also works on strings but is ambiguous.
strWQL = "SELECT TimeGenerated,RecordNumber,Message FROM Win32_NTLogEvent WHERE TimeGenerated > '" & strUTCTime & "'"
strWQL = strWQL & " AND Logfile ='Application'"

Set objEventLog = objWMIService.ExecQuery(strWQL)
iCount = 0

strMessage = "No new message"

iRecordNumber = 0

' Count the new entries and remember the newest one (highest RecordNumber);
' its timestamp becomes the lower bound for the next run.
For Each obj in objEventLog
 iCount = iCount + 1

 If iRecordNumber = 0 Then
  iRecordNumber = obj.RecordNumber
  strUTCTime = obj.TimeGenerated
  strMessage = obj.Message
 End If

 If iRecordNumber < obj.RecordNumber Then
  iRecordNumber = obj.RecordNumber
  strUTCTime = obj.TimeGenerated
  strMessage = obj.Message
 End If

Next

WriteUTC

Set objEventLog = nothing
Set objLocator = nothing
Set objWMIService = nothing

strMessage = Replace(strMessage, vbCrLf, "")
wscript.echo iCount & ":" & strMessage

WScript.Sleep 1000

wscript.quit("0")


Sub ReadUTC
 
  Set objRegistry = GetObject("WinMgmts:{impersonationLevel=impersonate}!\\.\root\default:StdRegProv")
  objRegistry.GetStringValue HKEY_LOCAL_MACHINE,strKeyPath,strValueName,strUTCTime

  If IsNull(strUTCTime) or strUTCtime = "" then
    strUTCTime = GetUTC
  End If

End Sub

Sub WriteUTC

  Set objRegistry = GetObject("WinMgmts:{impersonationLevel=impersonate}!\\.\root\default:StdRegProv")
  objRegistry.SetStringValue HKEY_LOCAL_MACHINE,strKeyPath,strValueName,CStr(strUTCTime)

End Sub

Function GetUTC()

  Set objTimeZone = objWMIService.ExecQuery ("SELECT Bias FROM Win32_TimeZone")

  For Each colTimeZone in objTimeZone
    intBias = colTimeZone.Bias
  Next

  Set objUTCTime = objWMIService.ExecQuery ("SELECT * FROM Win32_UTCTime")

  For Each colUTCTime in objUTCTime
    intYear = colUTCTime.Year
    intMonth = colUTCTime.Month
    intDay = colUTCTime.Day
    intHour = colUTCTime.Hour
    intMinute = colUTCTime.Minute
    intSecond = colUTCTime.Second
  Next

  strTargetDate = intYear

  strMonth = intMonth
  If Len(strMonth) = 1 Then
  strMonth = "0" & strMonth
  End If

  strTargetDate = strTargetDate & strMonth

  strDay = intDay
  If Len(strDay) = 1 Then
  strDay = "0" & strDay
  End If

  strTargetDate = strTargetDate & strDay

  strHour = intHour
  If Len(strHour ) = 1 Then
    strHour  = "0" & strHour
  End If

  strTargetDate = strTargetDate & strHour

  strMinute = intMinute
  If Len(strMinute ) = 1 Then
    strMinute  = "0" & strMinute
  End If

  strTargetDate = strTargetDate & strMinute


  strSecond = intSecond
  If Len(strSecond ) = 1 Then
  strSecond  = "0" & strSecond
  End If

  ' WMI expects the 25-character DMTF datetime format yyyymmddHHMMSS.mmmmmm+UTC
  ' (six microsecond digits); an offset of +000 is correct because the time above is UTC.
  GetUTC = strTargetDate & strSecond & ".000000+000"

End Function

Created on Feb 11, 2011 10:45:45 AM by  Daniel Zobel [Product Manager]

Last change on May 24, 2011 2:05:52 PM by  Stefan Telser [Paessler Support]



Votes:

0

This looks very complicated. I just want to exclude several event IDs, but I do not really understand how to use this solution to monitor a remote Event Log (Application).

I see more people are asking for this. Can you please add some simple example of how to exclude selected events? Example: https://kb.paessler.com/knowledgebase/en/topic/24163-wmi-event-log-sensor-exclusions

Created on Nov 24, 2012 9:18:35 PM



Votes:

0

The problem is, WQL, underlying each WMI sensor, is not 'designed' to work with exclusions. So to get this done, things get complicated. Sorry.

Created on Nov 26, 2012 2:20:40 PM by  Torsten Lindner [Paessler Support]



Votes:

0

The WQL can get all the events from the server. Then they can be filtered in the sensor by PRTG, the same as for free disk space: it is retrieved from the server and PRTG does the comparison against the selected warning/error levels itself. The disk sensors are working perfectly, even the graphs.

  • Event sensors do not work as needed:
    - events do not have exceptions (e.g. some events should be ignored even if the source classifies them as Error)
    - the sensor does not change the status (e.g. it can stay in Warning when in the last 24 hours some warning was detected in the events)
    - the graph does not show anything (e.g. when there is one event in 24 hours, I can't see any change in the graph)

Created on Dec 12, 2012 7:35:56 AM



Votes:

0

"The WQL can get all the events from the server", well, exactly that is not possible in an efficient manner. We don't think users would be happy with Event Log sensors having runtimes of 10 minutes or more. If you need special features on the Event Log sensor, the script noted above, adapted to your needs, is the way to go.

Created on Dec 12, 2012 12:04:15 PM by  Torsten Lindner [Paessler Support]

Last change on Dec 12, 2012 12:05:19 PM by  Torsten Lindner [Paessler Support]
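The following is an added example, not part of the original thread or of Paessler's script, showing the two adaptations the accepted answer leaves to the reader: creating the registry value on first run instead of requiring it to exist, and refining the WQL/VBScript filtering so that selected event IDs and sources are excluded, as asked in the replies above. It assumes it runs on the PRTG probe as an EXE/Script sensor against the local machine (the probe service normally has write access to HKLM); the value name and the exclusion lists are constructed sample values. Event-ID exclusions are pushed into WQL, where they are cheap, while source-name exclusions are done in script, where string handling is easier.

```vbscript
' Added example (not the KB's original script): Event Log check with exclusions.
' Assumed: runs on the PRTG probe, queries the local machine, state in HKLM.
Option Explicit

Const HKEY_LOCAL_MACHINE = &H80000002
Const strKeyPath   = "SOFTWARE\Paessler\PRTG Network Monitor\Custom Sensors"
Const strValueName = "UTCTime_ApplicationLog"   ' hypothetical; must be unique per sensor
Const strLogfile   = "Application"

' Exclusion lists (constructed sample values): ignored even if logged as Error/Warning.
Dim arrExcludedEventCodes, arrExcludedSources
arrExcludedEventCodes = Array(1000, 1026)
arrExcludedSources    = Array("Microsoft-Windows-Perflib")

Dim objWMIService, objRegistry, strUTCTime, strWQL, colEvents, objEvent
Dim iCount, iErrors, iWarnings, lMaxRecord, strLastMessage

Set objWMIService = GetObject("winmgmts:{impersonationLevel=impersonate}!\\.\root\cimv2")
Set objRegistry   = GetObject("winmgmts:{impersonationLevel=impersonate}!\\.\root\default:StdRegProv")

' Read the last-seen timestamp; on first run create the key and start from "now".
objRegistry.GetStringValue HKEY_LOCAL_MACHINE, strKeyPath, strValueName, strUTCTime
If IsNull(strUTCTime) Or strUTCTime = "" Then
    objRegistry.CreateKey HKEY_LOCAL_MACHINE, strKeyPath
    strUTCTime = DmtfNow()
End If

' EventType 1 = Error, 2 = Warning. Event-ID exclusions are part of the WQL itself.
strWQL = "SELECT TimeGenerated,RecordNumber,EventCode,EventType,SourceName,Message " & _
         "FROM Win32_NTLogEvent WHERE Logfile = '" & strLogfile & "'" & _
         " AND TimeGenerated > '" & strUTCTime & "'" & _
         " AND (EventType = 1 OR EventType = 2)" & _
         WqlExclusion("EventCode", arrExcludedEventCodes)

Set colEvents = objWMIService.ExecQuery(strWQL)

iCount = 0 : iErrors = 0 : iWarnings = 0 : lMaxRecord = 0
strLastMessage = "No new events"
For Each objEvent In colEvents
    ' Advance the stored timestamp over every fetched event, excluded or not,
    ' so that excluded events are not re-read on the next interval.
    If objEvent.RecordNumber > lMaxRecord Then
        lMaxRecord = objEvent.RecordNumber
        strUTCTime = objEvent.TimeGenerated
    End If
    If Not InArray(objEvent.SourceName, arrExcludedSources) Then
        iCount = iCount + 1
        If objEvent.EventType = 1 Then iErrors = iErrors + 1 Else iWarnings = iWarnings + 1
        strLastMessage = Replace(objEvent.Message, vbCrLf, " ")
    End If
Next

objRegistry.SetStringValue HKEY_LOCAL_MACHINE, strKeyPath, strValueName, CStr(strUTCTime)

' EXE/Script sensor output is "value:message"; exit code 1 = Warning, 2 = Error in PRTG.
WScript.Echo iCount & ":" & iErrors & " error(s), " & iWarnings & " warning(s). Last: " & Left(strLastMessage, 200)
If iErrors > 0 Then
    WScript.Quit 2
ElseIf iWarnings > 0 Then
    WScript.Quit 1
Else
    WScript.Quit 0
End If

' Builds " AND field <> v1 AND field <> v2 ..." for numeric values.
Function WqlExclusion(strField, arrValues)
    Dim v, s
    s = ""
    For Each v In arrValues
        s = s & " AND " & strField & " <> " & CLng(v)
    Next
    WqlExclusion = s
End Function

' Case-insensitive membership test for the source-name exclusion list.
Function InArray(strValue, arrValues)
    Dim v
    InArray = False
    For Each v In arrValues
        If StrComp(strValue, v, vbTextCompare) = 0 Then InArray = True
    Next
End Function

' Current time as a 25-character DMTF datetime (yyyymmddHHMMSS.mmmmmm+UTC),
' the format WMI uses for TimeGenerated, so the WQL comparison is well-formed.
Function DmtfNow()
    Dim objDT
    Set objDT = CreateObject("WbemScripting.SWbemDateTime")
    objDT.SetVarDate Now, True   ' local time; the UTC offset is filled in by the object
    DmtfNow = objDT.Value
End Function
```

Two properties of the original approach carry over and are worth knowing when reading the results: the `>` comparison on `TimeGenerated` skips events logged in the same second as the stored timestamp, and exclusions only apply to the events fetched by the sensor, so the reported count is what PRTG graphs and alerts on, not what is in the log.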



