Check Eventlog for specific IDs

Hello,

thank you very much for your KB-Post. I'm very much afraid we actually do not recommend to run Event Log sensors with such long scanning intervals, because usually then they are not able to gather all events since the last scan. The queries for these checks then have very high run-times, which could cause false results.
The recommendation is to use a "normal" scanning interval of 5-15 minutes, and then use Change Triggers on the Event Log Sensors to notify when Events are found.

best regards.

If you "known" what Events you aer looking for, why not adding a Entry in the Windows Task planer with that Event as trigger to start an action. Or do you simply want to "Count" the Event and show the counter in PRTG.

An other Option: Have a look at Tools like NTSYSLOG or NXLOG to query eventlog and Forward message as syslog or SNMP Trap

http://nxlog.org/nxlog-docs/en/nxlog-reference-manual.html#im_mseventlog

Frank

Hi Torsten, hi Frank,

thanks for your quick reply. As I just want to count "know" etries I will prefer to increase the scanning interval to 15 minutes. If I didn't come around with that I will have a look on nxlog. I will let you know my results here.

Hi Torsten,

it's strange, some sensors work others not. Here is my configuration: Sensor Type: Windows API Eventlog Log File: Application Event Type: Any Match String: Backup Exec Match Values: 34113,34114,57348,34338,58057,57751,58053,65314 Primary Channel: New Records (#/s) Scanning Interval: 5 Minutes

For the New Records I've defined limits: Upper Error Limit: 0.000001

All of my sensors are configured the same way, some fires an send an email because the limit is exceeded and other don't do anything.

Is anything wrong in my configuration?

Ok, let's do this step by step to find the exact problem.

Please take a look at the sensor that does not send the notification. As soon as one step is "not working", you won't need to continue any further

1. Does the sensor show the correct values?
2. is the limit configured correctly?
3. does the sensor state chance accordingly to the limit? (Please see the sensors "Log" tab for recent states)
4. is the notification configured correctly?
5. Can you find a line in the log that shows, that the trigger was activated?

As soon as we can figure out which step fails, we can continue searching for the problem.

You are right, I get stuck on step 1 I have a sensor that displays 0.000000 #/s although there was an entry in the eventlog at measurement time.

Just for testing I removed the Filter by source - maybe the space in "Backup Exec" could make troubles?

This may be the case and if you want to test it, the best way would be to use the command line to simulate error statuses. You can do this with the command below. Using this, try out different combinations of event logs and let me know what you find.

eventcreate /ID 1 /L APPLICATION /T INFORMATION /SO MYEVENTSOURCE /D "My first log"

This will create a new event source named "MYEVENTSOURCE" under APPLICATION event log as INFORMATION event type. Please change this information to match your filter and let me know if you get it working.

OK, did it like you mentioned and got wondrous results.

1) I created the log entry (ID 1 with source MYEVENTSOURCE)

2) I've configured the sensor to watch only ID 1, rest is left default Result: Measurements are correct!

3) I've configured another filter in addition: Filter by source: MYEVENTSOURCE and created some more entries in the eventlog Result: 0

4) I set Filter by source to OFF and created again some entries in the eventlog (now I've expected to have the same setup as in point 2 Result: Again 0

4a) I've removed the string MYEVENTSOURCE from the input filed an turned Filter by source again to OFF and created some entries as usual Result: Measurements are correct!

5) I've configured the sensor to watch on ID's 1,2

6) I've created some entries with ID 1 and 2

Result: 0

My conclusion:

1) Just turning off Filter by source does not turn it off as expected

2) 1,2 as filter by ID won't work as expected

I'm using version 13.2.3.2285+ and updates are pending - should I update to the recent version? Or do you have other ideas?

My reply from december is still pending?

I tested this out and am having a similar issue with a new version. We will test this out and report back here what the results are. Sorry for the wait, I think the old notification about the last post got lost somewhere.

We found something of a bug with the event log itself. The issue seems that the event log does not always save the correct information for the fields and can sometimes change the string that is used for source for example. To make sure that the filter fields are using the correct string, please check the raw XML that you can see by looking at the event in the event log and then going to details and XML view. Please check that the strings there match what you are looking for.

You may be right but I don't have troubles matching the source string.

a) The sensor won't work when many ID's are specified --> I got rid of this because I changed to watch on Event Type Error with a match string and not on ID's

b) The config above has also a little strange behaviour but it's not impossible that I made something wrong in the configuration: To begin from scratch:

1) Create a Win API Eventlog sensor

• Log File: Application
• Event Type: Error
• Filter by Source: On (Backup Exec)
• All other left Off
• Primary Channel: New Records
• Scanning Interval: 5 minutes

2) Channel Settings

• Display values in #/s
• Upper Error Level limit (#/s): 0.001

3) Notifications with Object Triggers: When sensor is Down for at least 1 seconds perform Email to Admin

The sensor is able to get the right event entries because ist saves the last message where I can see it. But the sensor does not count the found Event. Under New Records every entry has 0.000#. I would expect at least a Record speed of 0.001#/s - or am I wrong?

I just tested out your setup and was able to get the sensor to give me a number of "0.00333333333333333" for a single record in a 5 minute scanning interval. Have you tried to create multiple events with this source with the command from above to see if generating more of them will yield some kind of number?

Also, if you are using the source for your filter, make sure that you copy that from the field <Provider Name="This is the Source" /> from the XML view of the error log like I mentioned above since the issue we have seen before is with filters on the same source that you mention. If this still doesn't work, please submit a ticket to [email protected] mentioning this KB.

Lastly, make sure you are running the most current stable version before submitting the ticket.