
Windows Server Backup Event Log Sensor

Votes:

0

Hello,

How can we monitor Windows Server 2008 R2 Windows Backup events with PRTG?

backup custom eventlog windows wmi

Created on Dec 9, 2011 12:01:05 PM



25 Replies

Votes:

0

Hi Mike,

Have you already tried using the eventlog sensor?

Regards,

Created on Dec 9, 2011 3:19:27 PM

Last change on Sep 24, 2013 3:32:46 PM by  Gerald Schoch [Paessler Support]



Votes:

0

Hello,

Yes, we have, but the information event which informs whether the backup is successful or failed is a custom type of log located in Microsoft-Windows-Backup, and we can see no option of getting to that within this sensor.

Created on Dec 12, 2011 10:07:28 AM



Votes:

0

Hi Mike,

In the "customs sensor\exe" folder of your PRTG installation create a new file named "backupstatus.bat" and paste the following code:

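@echo off
rem Stop with an error if no folder was passed as the first parameter
if "%~1"=="" goto NoParameter

cd /d "%~1"
rem Copy the first .log file of the date-sorted listing to a temp file, then leave the loop
for /F "delims=" %%I in ('dir *.log /B /O:-D') do copy "%%I" c:\temp\temp.log > nul & goto end
:end

rem Search the copied file for the text "error" (case-insensitive)
find /i "error" c:\temp\temp.log > nul
if %errorlevel% EQU 0 goto Found
goto NotFound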

:Found
echo "Backup has errors"
exit 2

:NotFound
echo "Backup has no errors"
exit 0

:NoParameter
echo You need to supply a folder name
exit 2

The sensor will copy the oldest .log file in the given (parameter) folder and copy it to c:\temp\temp.log. Next, this copied file is checked for the occurrence of the text "error" and an appropriate message is sent to PRTG.

Note: it is assumed that the sensor runs on the machine (probe) that hosts the backup .log files.

This code is provided "as is", please feel free to make any changes.

Regards,

Created on Dec 12, 2011 3:01:59 PM



Votes:

0

Hello and thanks for that,

the log files have a *.evtx extension. Just to remind that I am talking about the built in Windows Server Backup.

Additionally, if a backup has failed once, wouldn't the report always show there is an error?

Thanks

Created on Dec 13, 2011 9:16:34 AM



Votes:

0

Hi Mike,

Does every backup job produce its own .evtx file (in the same folder) or does the backup append its information to an existing .evtx file?

What information is written (key words) to the file if a job fails?

Additionally, can you send me a .evtx file? My email address can be found here in the left pane under "send an email".

Regards,

Created on Dec 13, 2011 3:04:33 PM



Votes:

0

The evtx files are standard Windows Event log files. They look and feel just like the Application, System etc. logs and are shown in Windows Server 2008 event log by default. I don't think WMI can pull those out but Powershell's get-event can.

http://technet.microsoft.com/en-us/library/cc734488%28WS.10%29.aspx

Created on Dec 13, 2011 4:28:04 PM



Votes:

0

PTF.EventlogReader

This is now possible with new Custom Sensor PTF.EventlogReader.

This sensor gets the value of the most recent entry for the given eventlog and source, taking the following parameters:

-c=   The ip-address or hostname of the computer hosting the eventlog.
-e=   The name of the eventlog.
-s=   The name of the eventlog source.
-u=   Optional, Domain\Username of a user account that can access the (remote) eventlog.
-p=   Optional, Password or PassHash * of a user account that can access the (remote) eventlog.
-m=   Optional, the maximum time in minutes a result is allowed to be old.
      default = 1 day (1440 minutes)

PTF.EventlogReader returns the event ID and message for the found log entry.

The sensor can be downloaded from this page.

Created on Dec 15, 2011 1:18:05 PM

Last change on Sep 24, 2013 3:35:13 PM by  Gerald Schoch [Paessler Support]



Votes:

0

Thanks!!!

Created on Dec 15, 2011 2:47:07 PM



Votes:

0

Hi,

Can someone provide some additional information on how to interpret the results for this sensor? I've used -e=Application -s=Windows-Server-Backup and have had a successful return of error code 0, which I'm assuming represents a successful backup. However, if this comes back with an error code that represents a failure, will the sensor still not show as green?

Created on Dec 16, 2011 2:16:47 PM



Votes:

0

Hi,

When using with Windows Backup, the source should be 'backup'

-s=backup

According to http://technet.microsoft.com/en-us/library/cc734488%28WS.10%29.aspx a successful backup should return a 4.

When the sensor returns a 0, it also returns a text message like 'No matching entry found'. It is up to you to decide if this should be treated as an error by setting limits in the sensor's channel tab.

Also keep in mind that only entries for the last 24 hours are evaluated if the -m parameter is omitted.

Using the sensor with Windows Backup, I guess all values bigger or smaller than 4 should be set to put the sensor into an error state. For other event log entries it might be a good thing if no entry is found in the last xx minutes, so that's why value 0 does not automatically set the sensor into an error state.

Regards,

Created on Dec 16, 2011 2:51:02 PM



Votes:

0

Hi and thanks for the quick reply.

That's exactly what I'm getting: a 0 code and the message 'No matching entry found'. I have changed the -s parameter to backup and the sensor still works; however, it still returns the same 0 code.

I know that the event ID in Event Viewer for a successful backup is 4, is this what the PRTG sensor should be picking up?

If possible could you post a complete example of the command line parameters needed to get this sensor to return the correct code so that I can alert when the condition changed from 4?

Many thanks!

Created on Dec 16, 2011 4:00:57 PM



Votes:

0

I've run eventlogreader.exe from the command line on the probe using the parameters I have set in the console and piped the results out to a text file. This contains the message "Requested registry access is not allowed.".

Is there a way to set the permissions so that the probe can access what it needs to in order to return the correct error codes which are showing in the event viewer logs?

Many thanks!

Created on Dec 16, 2011 4:43:43 PM



Votes:

0

Hi,

Both issues are now fixed in version 9.0.2 of the sensor. The new version also includes a .msg file. Please see Why do I need the EventlogReader.msg file for more explanation.

(The original post is also updated stating this)

Regards,

Created on Dec 18, 2011 1:17:39 PM



Votes:

0

Hi, I'm trying to get this to work and failing. I've run with the -l command and only get:

EventlogReader.exe -l
Application,Hardware Events,Internet Explorer,Key Management Service,Security,System,Windows PowerShell

Looking in here, it looks like it should be -e=Microsoft-Windows-Backup -s=Backup, but all I get is that it can't find Microsoft-Windows-Backup. I've tried putting e= as application, but still can't get anything out of it. This is a 2008 R1, not R2, server. Any ideas?

Created on Jun 15, 2012 11:02:37 AM



Votes:

0

Hi Vincent,

The -l parameter produces a list of event log names of which you can pick one for the -e parameter.

The -e parameter is used to supply the event log name and the -s parameter to supply the event log source.

In your case something like

-e=application -s=backup

Or

-e=application -s=Microsoft-Windows-Backup

will do the trick.

Regards,

Created on Jun 15, 2012 12:42:22 PM



Votes:

0

Hi, I'm getting "no matching event log" errors using either of those parameters. This is not correct, as I have generated a couple of good backups and some faults to test with. As mhailstones states, all the details are in a separate log file and it's this log file I need to examine. Using -l showed the logs I can examine, but the Microsoft-Windows-Backup is not on the list.

Created on Jun 15, 2012 2:13:32 PM



Votes:

0

Hi Vincent,

Please take a look at the ListQueues tool. It has an option to list Eventlog entries. Select Application as eventlog name and look how the entries are reported. Next use the eventlog and source name for your sensor.

Regards,

Created on Jun 18, 2012 7:46:32 AM



Votes:

0

The event I want to monitor does not have the name application but microsoft-windows-backup, but when I use -e=microsoft-windows-backup it reports back that it cannot find an eventlog named like that.

When I use -e=application I only see the 754 event ID but not the event ID 4.

This is the parameter I used: -e=application -s=backup -l=information -t=4

Created on Jul 31, 2012 12:05:59 PM



Votes:

0

With PRTG, you can also monitor backup jobs via email. This is an alternative approach to monitoring backups using Windows event log. For details, please see the article Monitoring Backup Solutions via Email.

Created on Mar 25, 2013 3:20:10 PM by  Gerald Schoch [Paessler Support]



Votes:

0

Well, you may try this approach with a little PowerShell and WinRM. The requirements are described in the script below. It's just a dirty little hack using WinRM and the WindowsBackup scripting feature. Use this as a custom/ScriptSensor/XML. It will return two values: the string with the date the last successful backup was executed as text message, and the integer status value of the last backup ("0" means no error, all others do) as channel data. Please note that the script is running with the credentials with which the probe operates, so that account must have the appropriate rights for WinRM. Feel free to use or modify:

# Test and Demo PowerShell Custom Sensor for PRTG
# Just a dirty hack using Powershell
# Requires: 
# + PowerShell on the local probe
# + enabled WinRM on target hosts
# + WindowsBackup scripting feature on the local probe
# + WindowsBackup scripting feature on target system
# 
# Required Parameters:
# + %device 
# The credentials being used are the ones with which the script is invoked (usually the account under which the probe is running).
# This account needs the appropriate permissions on the target hosts.
#
# Set Limits for channel to 0.5 to get OK for "0" and error for all others.
#
# Written and Copyright by: Andreas Hümmer <[email protected]>
# Elaxy BSS GmbH & Co KG 
# 
#
# Version
#  08.03.2014   V 0.1  initial release
#
$DEVICE=$args[0]

$BackupStatus = Invoke-Command -Computername $DEVICE -ScriptBlock { add-Pssnapin Windows.serverbackup; Get-WBSummary }

"<prtg>"
    "<Text>"
       echo $BackupStatus|Select-Object -ExpandProperty PSComputerName
       ## write-host " Last Backup: " -NoNewLine
       ## echo $BackupStatus|Select-Object -ExpandProperty LastBackupTime
       write-host "Last successfull Backup: " -NoNewLine
       echo $BackupStatus|Select-Object -ExpandProperty LastSuccessfulBackupTime
       ## write-host "Next Backup: " -NoNewLine
       ## echo $BackupStatus|Select-Object -ExpandProperty NextBackupTime
    "</Text>"
    "<result>"
        "<channel>"
            "BackupStatus"
        "</channel>"
        "<value>"
            echo $BackupStatus|Select-Object -ExpandProperty LastBackupResultHR
        "</value>"
        "<FLOAT>0</FLOAT>"
        "<CustomUnit>Status</CustomUnit>"
    "</result>"
 "</prtg>"

Created on Mar 8, 2014 11:28:59 PM



Votes:

0

UPDATE

Where the EventLog sensor can only handle Administrative event logs, the new EventLogXML sensor also handles Operational event logs.

This EventLogXML sensor gets the value of the most recent event log entry for the given eventlog source file. Eventlog source files (*.evtx) are typically located in the "C:\Windows\System32\winevt\Logs" folder.

For Windows Backup a lookup file is included that can be used to report the status in a clear message.

Parameters:

-f= The full path of the eventlog (.evtx) file.
-s= The name of the eventlog source.
-u= Optional, Domain\Username of a user account that can access the folder containing the eventlog. 
-p= Optional, Password or PassHash * of a user account that can access the folder containing the eventlog. 
-m= Optional, The maximum time in minutes a result is allowed to be old.
    default = 1 day (1440 minutes) 
-l= Optional, Comma separated list of entry levels to report on.

Created on Jun 4, 2015 12:34:26 PM



Votes:

0

Do you know if it is possible to monitor multiple servers using the Eventlogreader XML?

I have tried adding to multiple devices; however, it seems to just read the logs on the Probe device. I have also added the UNC path to the server's logs but it returns "No matching entry found for the last xxx".

The original Eventlogreader that couldn't monitor Operational logs used to allow you to specify the IP or hostname of the computer you want to monitor.

I have 4 servers I need to monitor for Windows backups.

Cheers Allister

Created on Oct 21, 2015 8:09:36 AM



Votes:

0

Hi aperrin,

Unfortunately the eventlog .evtx files can only be read (opened) by the local OS. A workaround would be to install Remote Probes on the servers in case.

Created on Oct 21, 2015 11:41:21 AM



Votes:

0

Where do you add the lookup file, event ID or level?

The reason I ask is if you put it on event ID then most of the time the last event ID is 14 - The backup operation has completed. So you never get the event ID before it, which is 4 - The backup operation has finished successfully. or the failures. This means the lookup files cannot read that event ID and you don't know if it passed or failed.

Regards Allister

Created on Jan 20, 2016 5:41:27 PM



Votes:

0

I have the same question. The Eventlogreader XML sensor can only get the last event ID, but Windows Server Backup on Windows Server 2012 registers 2 different events at the same time: ID=4 "The backup operation has finished successfully" and ID=14 "The backup operation has completed" (it could be finished with failure). And Eventlogreader XML returns the last event, ID=14. So how can I get the event ID before ID=14?

Created on Mar 12, 2018 12:29:30 PM
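
The problem raised in the last two posts (the newest entry is always ID 14, so the result entry logged with it is never seen) can be worked around by reading the log directly and skipping ID 14. This is an added PowerShell example, not part of the thread and not Paessler's sensor code; it assumes the channel is named Microsoft-Windows-Backup, that the probe account may read the event log on the target, and the function and channel names are made up for illustration.

```powershell
# Added example (not from the thread). Assumptions are marked below.
param(
    [string]$Device = 'localhost',  # host name passed in by the sensor, e.g. %device
    [int]$MaxAgeMinutes = 1440      # same default window as the sensors' -m parameter
)

function Get-BackupResultEvent {
    param([string]$ComputerName, [int]$MaxAgeMinutes)
    $filter = @{
        LogName   = 'Microsoft-Windows-Backup'   # assumed channel name
        StartTime = (Get-Date).AddMinutes(-$MaxAgeMinutes)
    }
    # Get-WinEvent returns the newest entries first.
    $entries = @(Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter `
                              -ErrorAction SilentlyContinue)
    # ID 14 only says that a run has ended, so use it as the anchor ...
    $done = $entries | Where-Object { $_.Id -eq 14 } | Select-Object -First 1
    if (-not $done) { return $null }
    # ... and take the newest other entry logged with it. The 5 s slack is an
    # assumption that covers either write order of the two entries; anything
    # logged later (for example by a run still in progress) is ignored.
    $cutoff = $done.TimeCreated.AddSeconds(5)
    $entries |
        Where-Object { $_.Id -ne 14 -and $_.TimeCreated -le $cutoff } |
        Select-Object -First 1
}

function ConvertTo-PrtgXml {
    param($Entry, [int]$MaxAgeMinutes)
    if ($Entry) {
        $value = $Entry.Id
        $firstLine = ("$($Entry.Message)" -split "`r?`n")[0]
        $text = '{0:yyyy-MM-dd HH:mm} ID {1}: {2}' -f $Entry.TimeCreated, $Entry.Id, $firstLine
    } else {
        # Same convention as the sensors above: 0 means nothing was found.
        $value = 0
        $text = "No matching entry found for the last $MaxAgeMinutes minutes"
    }
    $text = [System.Security.SecurityElement]::Escape($text)
    '<prtg>'
    "<Text>$text</Text>"
    "<result><channel>BackupEventID</channel><value>$value</value>" +
        '<CustomUnit>Status</CustomUnit></result>'
    '</prtg>'
}

$entry = Get-BackupResultEvent -ComputerName $Device -MaxAgeMinutes $MaxAgeMinutes
ConvertTo-PrtgXml -Entry $entry -MaxAgeMinutes $MaxAgeMinutes
```

The channel value is the event ID of the result entry, so channel limits that treat every value other than 4 as an error, as suggested earlier in the thread, turn the sensor red on a failed or missing backup.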



