Hello,
How can we monitor Windows Server 2008 R2 Windows Backup events with PRTG?
Votes:
25 Replies
Votes:
Created on Dec 9, 2011 3:19:27 PM
Last change on Sep 24, 2013 3:32:46 PM by
Gerald Schoch [Paessler Support]
Votes:
Hello,
yes we have, but the information event which informs whether the backup is successful or failed is a custom type of log located in Microsoft-Windows-Backup, and we can see no option of getting to that within this sensor.
Votes:
Hi Mike,
In the "customs sensor\exe" folder of your PRTG installation create a new file named "backupstatus.bat" and paste the following code:
    @echo off
    if .%1%==. goto NoParameter
    cd %1%
    for /F %%I in ('dir *.log /B /O:-D') do copy %%I c:\temp\temp.log > nul & goto end
    :end
    find /i "error" c:\temp\temp.log > nul
    if %errorlevel% EQU 0 goto Found
    goto NotFound
    :Found
    echo "Backup has errors"
    exit 2
    :NotFound
    echo "Backup has no errors"
    exit 0
    :NoParameter
    echo You need to supply a folder name
    exit 2
The sensor will copy the oldest .log file in the given (parameter) folder and copy it to c:\temp\temp.log. Next this copied file is checked for the occurrence of the text "error" and an appropriate message is sent to PRTG.
Note: it is assumed that the sensor runs on the machine (probe) that hosts the backup .log files
This code is provided "as is", please feel free to make any changes.
Regards,
Votes:
Hello and thanks for that,
the log files have a *.evtx extension. Just to remind that I am talking about the built in Windows Server Backup.
Additionally, if a backup has failed once, wouldn't the report always show there is an error?
Thanks
Votes:
Hi Mike,
Does every backup job produce its own .evtx file (in the same folder) or does the backup append its information to an existing .evtx file?
What information is written (key words) to the file if a job fails?
Additionally, can you send me a .evtx file? My email address can be found here in the left pane under "send an email".
Regards,
Votes:
The evtx files are standard Windows Event log files. They look and feel just like the Application, System etc. logs and are shown in Windows Server 2008 event log by default. I don't think WMI can pull those out but PowerShell's get-event can.
http://technet.microsoft.com/en-us/library/cc734488%28WS.10%29.aspx
Votes:
This is now possible with new Custom Sensor PTF.EventlogReader.
This sensor gets the value of the most recent entry for the given eventlog and source, taking the following parameters:
    -c= The ip-address or hostname of the computer hosting the eventlog.
    -e= The name of the eventlog.
    -s= The name of the eventlog source.
    -u= Optional, Domain\Username of a user account that can access the (remote) eventlog.
    -p= Optional, Password or PassHash * of a user account that can access the (remote) eventlog.
    -m= Optional, the maximum time in minutes a result is allowed to be old. default = 1 day (1440 minutes)
PTF.EventlogReader returns the event ID and message for the found log entry.
The sensor can be downloaded from this page.
Created on Dec 15, 2011 1:18:05 PM
Last change on Sep 24, 2013 3:35:13 PM by
Gerald Schoch [Paessler Support]
Votes:
Hi,
Can someone provide some additional information on how to interpret the results for this sensor? I've used -e=Application -s=Windows-Server-Backup and have had a successful return of error code 0, which I'm assuming represents a successful backup. However, if this comes back with an error code that represents a failure, will the sensor still not show as green?
Votes:
Hi,
When using with Windows Backup, the source should be 'backup'
-s=backup
According to http://technet.microsoft.com/en-us/library/cc734488%28WS.10%29.aspx a successful backup should return a 4.
When the sensor returns a 0, it also returns a text message like 'No matching entry found'. It is up to you to decide if this should be treated as an error by setting limits in the sensor's channel tab.
Also keep in mind that only entries for the last 24 hours are evaluated if the -m parameter is omitted.
Using the sensor with Windows Backup, I guess all values bigger or smaller than 4 should be set to put the sensor into an error state. For other event log entries it might be a good thing if no entry is found in the last xx minutes, so that's why value 0 does not automatically set the sensor into an error state.
Regards,
Votes:
Hi and thanks for the quick reply.
That's exactly what I'm getting: a 0 code and the message 'No matching entry found'. I have changed the -s parameter to backup and the sensor still works, however it still returns the same 0 code.
I know that the event ID in Event Viewer for a successful backup is 4, is this what the PRTG sensor should be picking up?
If possible could you post a complete example of the command line parameters needed to get this sensor to return the correct code so that I can alert when the condition changed from 4?
Many thanks!
Votes:
I've run eventlogreader.exe from the command line on the probe using the parameters I have set in the console and piped the results out to a text file. This contains the message "Requested registry access is not allowed.".
Is there a way to set the permissions so that the probe can access what it needs to in order to return the correct error codes which are showing in the event viewer logs?
Many thanks!
Votes:
Hi,
Both issues are now fixed in version 9.0.2 of the sensor. The new version also includes a .msg file. Please see Why do I need the EventlogReader.msg file for more explanation.
(The original post is also updated stating this)
Regards,
Votes:
Hi, I'm trying to get this to work and failing. I've run with the -l command and only get:
    EventlogReader.exe -l
    Application,Hardware Events,Internet Explorer,Key Management Service,Security,System,Windows PowerShell
Looking in here it looks like it should be -e=Microsoft-Windows-Backup -s=Backup but all I get is that it can't find Microsoft-Windows-Backup. I've tried putting e= as application, but still can't get anything out of it. This is a 2008 R1, not R2, server. Any ideas?
Votes:
Hi Vincent,
The -l parameter produces a list of event log names of which you can pick one for the -e parameter.
The -e parameter is used to supply the event log name and the -s parameter to supply the event log source.
In your case something like
-e=application -s=backup
Or
-e=application -s=Microsoft-Windows-Backup
will do the trick.
Regards,
Votes:
Hi, I'm getting "no matching event log" errors using either of those parameters. This is not correct as I have generated a couple of good backups and some faults to test with. As mhailstones states, all the details are in a separate log file and it's this log file I need to examine - using -l showed the logs I can examine, but the Microsoft-Windows-Backup is not on the list.
Votes:
Hi Vincent,
Please take a look at the ListQueues tool. It has an option to list Eventlog entries. Select Application as eventlog name and look how the entries are reported. Next use the eventlog and source name for your sensor.
Regards,
Votes:
The event I want to monitor does not have the name application but microsoft-windows-backup, but when I use -e=microsoft-windows-backup it reports back that it cannot find an eventlog named like that.
When I use -e=application I only see the 754 event id but not the event id 4.
This is the parameter I used: -e=application -s=backup -l=information -t=4
Votes:
With PRTG, you can also monitor backup jobs via email. This is an alternative approach to monitoring backups using Windows event log. For details, please see the article Monitoring Backup Solutions via Email.
Votes:
Well, you may try this approach with a little PowerShell and WinRM. The requirements are described in the script below. It's just a dirty little hack using WinRM and the WindowsBackup scripting feature. Use this as a custom/ScriptSensor/XML. It will return two values: the string with the date the last successful backup was executed as text message, and the integer status value of the last backup ("0" means no error, all others do) as channel data. Please note that the script is running with the credentials with which the probe operates, so that account must have the appropriate rights for WinRM. Feel free to use or modify:
    # Test and Demo PowerShell Custom Sensor for PRTG
    # Just a dirty hack using Powershell
    # Requires:
    # + PowerShell on the local probe
    # + enabled WinRM on target hosts
    # + WindowsBackup scripting feature on the local probe
    # + WindowsBackup scripting feature on target system
    #
    # Required Parameters:
    # + %device
    # The credentials being used are the ones with which the script is invoked (usually the account under which the probe is running).
    # This account needs the appropriate permissions on the target hosts.
    #
    # Set Limits for channel to 0.5 to get OK for "0" and error for all others.
    #
    # Written and Copyright by: Andreas Hümmer <[email protected]>
    # Elaxy BSS GmbH & Co KG
    #
    #
    # Version
    # 08.03.2014 V 0.1 initial release
    #
    $DEVICE=$args[0]
    $BackupStatus = Invoke-Command -Computername $DEVICE -ScriptBlock { add-Pssnapin Windows.serverbackup; Get-WBSummary }
    "<prtg>"
    "<Text>"
    echo $BackupStatus|Select-Object -ExpandProperty PSComputerName
    ## write-host " Last Backup: " -NoNewLine
    ## echo $BackupStatus|Select-Object -ExpandProperty LastBackupTime
    write-host "Last successfull Backup: " -NoNewLine
    echo $BackupStatus|Select-Object -ExpandProperty LastSuccessfulBackupTime
    ## write-host "Next Backup: " -NoNewLine
    ## echo $BackupStatus|Select-Object -ExpandProperty NextBackupTime
    "</Text>"
    "<result>"
    "<channel>"
    "BackupStatus"
    "</channel>"
    "<value>"
    echo $BackupStatus|Select-Object -ExpandProperty LastBackupResultHR
    "</value>"
    "<FLOAT>0</FLOAT>"
    "<CustomUnit>Status</CustomUnit>"
    "</result>"
    "</prtg>"
Votes:
Where the EventLog sensor can only handle Administrative event logs, the new EventLogXML sensor also handles Operational event logs.
This EventLogXML sensor gets the value of the most recent event log entry for the given eventlog source file. Eventlog source files (*.evtx) are typically located in the "C:\Windows\System32\winevt\Logs" folder.
For Windows Backup a lookup file is included that can be used to report the status in a clear message.
Parameters:
    -f= The full path of the eventlog (.evtx) file.
    -s= The name of the eventlog source.
    -u= Optional, Domain\Username of a user account that can access the folder containing the eventlog.
    -p= Optional, Password or PassHash * of a user account that can access the folder containing the eventlog.
    -m= Optional, The maximum time in minutes a result is allowed to be old. default = 1 day (1440 minutes)
    -l= Optional, Comma separated list of entry levels to report on.
Votes:
Do you know if it is possible to monitor multiple servers using the Eventlogreader XML?
I have tried adding to multiple devices however it seems to just read the logs on the Probe device. I have also added the UNC path to the servers logs but returns "No matching entry found for the last xxx".
The original Eventlogreader that couldn't monitor Operational logs used to allow you to specify the IP or hostname of the computer you want to monitor.
I have 4 servers I need to monitor for Windows backups.
Cheers Allister
Votes:
Hi aperrin,
Unfortunately the eventlog .evtx files can only be read (opened) by the local OS. A workaround would be to install Remote Probes on the servers in case.
Votes:
Where do you add the lookup file, event id or level?
The reason I ask is if you put it on event ID then most of the time the last event id is 14 - The backup operation has completed. So you never get the event id before it, which is 4 - The backup operation has finished successfully, or the failures. This means the lookup files cannot read that event id and you don't know if it passed or failed.
Regards Allister
Votes:
I have the same question. The Eventlogreader XML sensor can only get the last event id, but Windows Server Backup on Windows Server 2012 registers 2 different events at the same time: ID=4 The backup operation has finished successfully, and ID=14 The backup operation has completed (it could be finished with failure). And Eventlogreader XML returns the last event ID=14. So how can I get the event ID before ID=14?
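One way to get at the outcome behind event ID 14, as an added example that is not part of the original thread and is not a Paessler sensor: a PowerShell script sensor that reads the Microsoft-Windows-Backup channel with Get-WinEvent and checks whether the newest ID 14 has an ID 4 logged alongside it. The parameter names, the 300-second pairing window and the return values 0/1/2 are assumptions made for this example.

```powershell
# Added example, not code from the thread or from a Paessler sensor.
# Assumes the channel name 'Microsoft-Windows-Backup' and the two event IDs
# named in the thread: 4 = finished successfully, 14 = completed.
param(
    [string]$ComputerName = $env:COMPUTERNAME,
    [int]$MaxAgeMinutes = 1440,     # same default window as the sensors above
    [int]$PairWindowSeconds = 300,  # assumption: max gap between a 14 and its 4
    [switch]$Demo                   # evaluate constructed sample events instead
)

function Get-BackupOutcome {
    param([object[]]$Events, [int]$PairWindowSeconds)
    # The newest "completed" event marks the run we report on.
    $done = $Events | Where-Object { $_.Id -eq 14 } |
        Sort-Object TimeCreated -Descending | Select-Object -First 1
    if (-not $done) {
        return @{ Value = 2; Text = 'No completed backup (ID 14) in the time window' }
    }
    # A success event logged close to that completion belongs to the same run.
    $ok = $Events | Where-Object {
        $_.Id -eq 4 -and
        [math]::Abs(($_.TimeCreated - $done.TimeCreated).TotalSeconds) -le $PairWindowSeconds
    } | Select-Object -First 1
    if ($ok) {
        return @{ Value = 0; Text = "Backup finished successfully at $($ok.TimeCreated)" }
    }
    return @{ Value = 1; Text = "Backup completed at $($done.TimeCreated) without event ID 4" }
}

if ($Demo) {
    # Constructed sample: the older run succeeded, the newest run only logged 14.
    $now = Get-Date
    $events = @(
        (New-Object PSObject -Property @{ Id = 14; TimeCreated = $now.AddHours(-1) }),
        (New-Object PSObject -Property @{ Id = 14; TimeCreated = $now.AddHours(-25) }),
        (New-Object PSObject -Property @{ Id = 4;  TimeCreated = $now.AddHours(-25) })
    )
} else {
    $filter = @{ LogName = 'Microsoft-Windows-Backup'; Id = 4, 14
                 StartTime = (Get-Date).AddMinutes(-$MaxAgeMinutes) }
    $events = @(Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter `
                             -ErrorAction SilentlyContinue)
}

$r = Get-BackupOutcome -Events $events -PairWindowSeconds $PairWindowSeconds
"<prtg><result><channel>BackupStatus</channel><value>$($r.Value)</value></result>" +
    "<text>$($r.Text)</text></prtg>"
```

Running it with -Demo evaluates the constructed events and reports value 1; as with the script earlier in the thread, an upper error limit of 0.5 on the channel turns any non-zero value into an error state. For remote targets the probe account only needs read access to the channel, for which membership of the built-in Event Log Readers group is normally enough.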