This article applies to PRTG Network Monitor 13 or later

Event Log Sensors: Setting Correct Status and Source Filter

PRTG includes two types of sensors for Windows event log monitoring out of the box: One sensor type monitors a specific Windows log file via Windows Management Instrumentation (WMI); the other one uses the Windows Application Interface (Windows API) to monitor event log entries. In the particular sensor settings, you can define filters for specific event log entries. One way to find out filterable values is to view Windows’ Event Viewer: Open the command line tool on your system and enter eventvwr which will open the event viewer.

In order to get these sensors into a desired status for certain event log entries, you have to define this via the channel settings.

Defining a Down Status for Specific Events

You can easily set up the sensor to switch into a desired status according to a specific event. For example, if you filter for the “Event Type” Error, you might want the sensor to go into a Down status as soon as one log entry is from this type.

Filtering for 'Errors' in the Source 'Backup'

After creating a corresponding filter in the sensor settings which only analyzes specific events (in this example only the event type “Error”), you can achieve this by conducting three steps:

1. Open the settings of the sensor’s default primary channel New Records.
2. Enable Limits in the corresponding section at the bottom of the settings dialog.
3. Enter 0,0001 in the Upper Error Limit (#/s) field.

If at least one log entry is from the type Error, the sensor will turn into a Down status, indicating that an error occurred. Of course, you can use other and/or more filters and individually define sensor states which apply if one log entry matches this filter.

Defining Upper Error Limit in Sensor Channel Settings

This status will persist one scanning interval. If the filter does not match in the following scanning interval, the sensor will switch to status Up again. Create a State Trigger on the Notifications tab of the sensor with a corresponding notification to be sure to not miss any uncommon event log entry!

Filtering for the Correct Source

If you filter for a specific source (for example, you use Backup in the Match String (Event Source) field of your sensor) but encounter the problem that the sensor never reacts to an event from this source, there might be an issue with the name of the value. It can be the case that the value in your event viewer does not correspond to the value that is really given in the event.

You can check this by storing the sensor results to disk and testing the executed WMI query with the WMI Tester. Please follow the steps below:

1. In the settings of the WMI Event Log Sensor, choose the option Write sensor result to disk. (This setting is currently not available for the Event Log (Windows API) sensor.)
2. Perform an immediate sensor scan by using Check Now in the sensor’s context menu.
3. Open the file Result of Sensor [ID].txt in the Logs (Sensors) subfolder of the PRTG program directory on the system the probe is running on. You will now see the WMI queries as generated by this sensor.
4. Test the latest query with the WMI Tester. If you do not get any results on your system, the queried source value might be different from the value as given in the event itself. Use the WMI Tester to find out which value is really deposited at the timestamp you see in the sensor result file:
5. In the executed query in the sensor result, look for the parameter TimeGenerated and copy its value.
6. Execute the following command with the WMI Tester and paste the copied timestamp: SELECT * FROM Win32_NTLogEvent WHERE Logfile ='Application' AND TimeGenerated > ‘copied_timestamp’ Note: Adjust the value for the Logfile parameter to that one which you have set in the sensor settings!
7. Analyze which source value is really deposited in the events to be qualified for your purposes. For example, the source Backup like it is called in the event viewer could be MS-Windows-Backup instead.
   1. Alternative: In the Details tab of an event log entry in the event viewer, choose the XML view and use the value in Event | System | Provider Name.
8. Check if the value of the source that you have found out works with the WMI Tester. If yes, provide this value in the Event Source field in the sensor settings. Your Event Log sensor, no matter if you use WMI or the Windows API, will now read the correct event sources and go into your desired status.

See Also

• How can I configure speed triggers to keep the status for more than one scanning interval?