New Question

What is this?

This knowledgebase contains questions and answers about PRTG Network Monitor and network monitoring in general. You are invited to get involved by asking and answering questions!

Learn more

PRTG Network Monitor

Intuitive to Use. Easy to manage.
More than 500,000 users rely on Paessler PRTG every day. Find out how you can reduce cost, increase QoS and ease planning, as well.

Free Download

Top Tags


View all Tags

My Event Log sensor ignores changes in the event log. What can I do?

Votes:

0

Your Vote:

Up

Down

I created several Event Log sensors, some work via Windows API and some via WMI. When I filter for the Event Type Error and for the Event Source Backup like I see it in the Windows event viewer, the sensors just do not react to this entry when appearing in the event log. The sensors do not change at all, even though they should show the Down status.

Why do my Event Log sensors ignore error log entries and stay in the Up status? How can I make these sensor types to consider new log entries and switch to the corresponding status?

event-log event-viewer eventlog eventlog-api eventlog-wmi events prtg sensor

Created on Jan 27, 2014 1:45:45 PM by Gerald Schoch [Paessler Support]

Last change on Jan 4, 2023 11:49:14 AM by Brandy Greger [Paessler Support]



7 Replies

Accepted Answer

Votes:

0

Your Vote:

Up

Down

This article applies as of PRTG 22

Event log sensors: Setting correct status and source filter

PRTG comes with two types of sensors for Windows event log monitoring:

  • The WMI Event Log sensor monitors a specific Windows log file via Windows Management Instrumentation (WMI).
  • The Event Log (Windows API) sensor uses the Windows Application Interface (Windows API) to monitor event log entries.

To make these sensors show a desired status for certain event log entries, you must define filters via channel settings.

How to define the Down status for specific events

You can easily set up the sensor to change to a desired status when a specific event occurs. For example, if you filter for Error as Event Type, you might want the sensor to change to the Down status as soon as one log entry is of this type.


Click to enlarge.

After you created a corresponding filter in the sensor settings that only analyzes specific events, follow these steps:

  1. Open the settings of the sensor’s default primary channel New Records.
  2. In the Edit Channel dialog, click Enable alerting based on limits.
  3. Enter 0,0001 in the Upper Error Limit (#/s) field.

Upper error limit
Click to enlarge.

If at least one log entry is of the type Error, the sensor changes to the Down status. You can use other and/or more filters and individually define sensor states that apply if one log entry matches this filter.

This status persists for one scanning interval. If the filter does not match in the following scanning interval, the sensor changes to the Up status again. Create a State Trigger on the Notifications tab of the sensor with a corresponding notification to make sure that you do not miss any uncommon event log entry.

How to filter for the correct source

When you filter for a specific source (for example, you use Backup in the Match String (Event Source) field of your sensor), the sensor sometimes does not react to an event from this source. In this case, the value in the event viewer probably does not correspond to the value that is really given in the event.

You can check this by storing the sensor results to disk and testing the executed WMI query with WMI Tester. Follow the steps below:

  1. In the settings of the WMI Event Log sensor, select the option Store result. (This setting is currently not available for the Event Log (Windows API) sensor.)
  2. Perform an immediate sensor scan: click Scan Now in the sensor’s context menu.
  3. Open the file Result of Sensor [ID].txt in the \Logs\sensors subfolder of the PRTG program directory on the probe system. You then see the WMI queries as generated by this sensor.
  4. Test the latest query with WMI Tester. If you do not get any results on your system, the queried source value might be different from the value in the event itself. Use WMI Tester to find out which value is really deposited at the time stamp that you see in the sensor result file:
  5. In the executed query in the sensor result, look for the parameter TimeGenerated and copy its value.
  6. Execute the following command with WMI Tester and paste the copied time stamp: SELECT * FROM Win32_NTLogEvent WHERE Logfile ='Application' AND TimeGenerated > ‘copied_timestamp’ Note: Adjust the value for the Logfile parameter to the one that you have set in the sensor settings.
  7. Analyze what source value is really deposited in the events and can be used for your purposes. For example, the source Backup, as it is called in the event viewer, could be MS-Windows-Backup instead.
    • Alternative: On the Details tab of an event log entry in the event viewer, select the XML view and use the value from the <Provider Name> tag.
  8. Check if the value of the source that you have found out works with WMI Tester. If yes, provide this value in the (Match String) Event Source field in the sensor settings. Your Event Log sensor, no matter if you use WMI or the Windows API, now reads the correct event sources and changes to the correct status.

More

Created on Jan 27, 2014 2:02:34 PM by Gerald Schoch [Paessler Support]

Last change on Jan 4, 2023 11:49:54 AM by Brandy Greger [Paessler Support]



Votes:

0

Your Vote:

Up

Down

If I set Event Type to "Warning" will the sensor filter "Error" events too? Because I want to filter that events together

Created on Mar 13, 2018 5:16:38 AM by Palindrom (0)



Votes:

0

Your Vote:

Up

Down

Hello Palindrom,

Thank you very much for your contact.

The sensor will only monitor the selected Event Type. If you wish to monitor Errors and Warning, you'll need to create two sensors for it.

Best regards,
Sebastian

Created on Mar 13, 2018 1:44:35 PM by Sebastian Kniege [Paessler Support]



Votes:

0

Your Vote:

Up

Down

"One sensor type monitors a specific Windows log file via Windows Management Instrumentation (WMI); the other one uses the Windows Application Interface (Windows API) to monitor event log entries. In the particular sensor settings, you can define filters for specific event log entries."

Why does the sensor count event per second? Who is interested about that information? I personaly would simply know how many event occured.

I used the wmieventlogsensor and I filtered Application log and Event ID: 15006. I am therefore expecting that the sensor retrieve only these events.... which is not the case. Is this because the WMI sensor as decribed in your description retrieve all "application logs" ?? Even if we use a filter ?

Thank you

Created on Mar 20, 2018 3:54:53 PM by Yann (310) 1 1



Votes:

0

Your Vote:

Up

Down

Then the following might be for you: How Can I Monitor My Historic Windows Events. Also check out our Guide For PowerShell Based Custom Sensors.

Kind regards,
Stephan Linke, Tech Support Team

Created on Mar 21, 2018 9:13:26 AM by Stephan Linke [Paessler Support]



Votes:

0

Your Vote:

Up

Down

I spent so much time trying your default sensors and not getting what I expect and need, again, it appears that I should use my or a custom script :-( I still don't understand how it really works. Why is this filter not applied?

Created on Mar 22, 2018 12:30:52 PM by Yann (310) 1 1



Votes:

0

Your Vote:

Up

Down

What filter settings are you actually using and what are you expecting in return?

Kind regards,
Stephan Linke, Tech Support Team

Created on Mar 22, 2018 1:30:11 PM by Stephan Linke [Paessler Support]

Last change on Mar 22, 2018 1:30:18 PM by Stephan Linke [Paessler Support]



Please log in or register to enter your reply.


Disclaimer: The information in the Paessler Knowledge Base comes without warranty of any kind. Use at your own risk. Before applying any instructions please exercise proper system administrator housekeeping. You must make sure that a proper backup of all your data is available.