This article applies to PRTG Network Monitor 19 or later
Event log sensors: Setting correct status and source filter
PRTG includes two types of sensors for Windows event log monitoring: the WMI Event Log sensor monitors a specific Windows log file via Windows Management Instrumentation (WMI), and the Event Log (Windows API) sensor uses the Windows Application Programming Interface (Windows API) to monitor event log entries. In the settings of each sensor, you can define filters for specific event log entries.
One way to find out filterable values is to view the Event Viewer of Windows: Open the Command Prompt on your system and enter eventvwr. This will open the event viewer.
For these sensors to show a desired status for certain event log entries, you have to define filters via the channel settings.
Defining a Down status for specific events
You can easily set up the sensor to change to a desired status when a specific event occurs. For example, if you filter for Error as Event Type, you might want the sensor to change to a Down status as soon as one log entry is of this type.
After creating a corresponding filter in the sensor settings that only analyzes specific events (in this example, only the event type Error), follow these steps:
- Open the settings of the sensor’s default primary channel New Records.
- In the Edit Channel dialog, click Enable alerting based on limits.
- Enter 0,0001 in the Upper Error Limit (#/s) field.
If at least one log entry is of the type Error, the sensor will change to a Down status, indicating that an error occurred. Of course, you can use other and/or more filters and individually define sensor states that apply if one log entry matches this filter.
This status will persist one scanning interval. If the filter does not match in the following scanning interval, the sensor will change to an Up status again. Create a State Trigger on the Notifications tab of the sensor with a corresponding notification to be sure that you do not miss any uncommon event log entry.
Filtering for the correct source
If you filter for a specific source (for example, you use Backup in the Match String (Event Source) field of your sensor) but encounter the problem that the sensor never reacts to an event from this source, there might be an issue with the name of the value. The source name that Event Viewer displays does not necessarily correspond to the source value that is actually stored in the event record.
You can check this by storing the sensor results to disk and testing the executed WMI query with the WMI Tester. Follow the steps below:
- In the settings of the WMI Event Log sensor, select the option Write sensor result to disk. (This setting is currently not available for the Event Log (Windows API) sensor.)
- Perform an immediate sensor scan by clicking Check Now in the sensor’s context menu.
- Open the file Result of Sensor [ID].txt in the \Logs\sensors subfolder of the PRTG program directory on the system the probe is running on. You will now see the WMI queries as generated by this sensor.
- Test the latest query with the WMI Tester. If you do not get any results on your system, the queried source value might be different from the value as given in the event itself.
Use the WMI Tester to find out which source value is actually stored at the time stamp you see in the sensor result file:
- In the executed query in the sensor result, look for the parameter TimeGenerated and copy its value.
- Execute the following command with the WMI Tester and paste the copied time stamp:
SELECT * FROM Win32_NTLogEvent WHERE Logfile = 'Application' AND TimeGenerated > 'copied_timestamp'
Note: Adjust the value for the Logfile parameter to the one that you have set in the sensor settings.
- Analyze which source value is actually stored in the events and can be used for your purposes. For example, the source that Event Viewer displays as Backup could be stored as MS-Windows-Backup instead.
- Alternative: On the Details tab of an event log entry in the event viewer, select the XML view and use the value from the <Provider Name> tag.
- Check if the value of the source that you have found out works with the WMI Tester. If yes, provide this value in the Event Source field in the sensor settings.
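The following PowerShell script is an added example that is not part of this article and not PRTG's own code. It runs the same WQL query from the steps above and lists the source names that WMI actually stores for events after the copied time stamp, so that you can compare them with the name shown in Event Viewer before entering the value in the Event Source field. The time stamp value and the log file name in the script are placeholders; replace them with the values from your sensor result file and sensor settings.

```powershell
# Added example (not from the PRTG article): list the source names that WMI
# actually stores for events after a given time stamp, so the value can be
# compared with the Event Viewer display name and used in the sensor's
# Match String (Event Source) field.

# Assumption: you copied the TimeGenerated value from the sensor result file.
# It is a DMTF (CIM) datetime string. Leave it empty to fall back to "one
# hour ago" built from the local clock.
$copiedTimestamp = ''   # placeholder, e.g. '20240101120000.000000+000'
if ([string]::IsNullOrEmpty($copiedTimestamp)) {
    $copiedTimestamp = [System.Management.ManagementDateTimeConverter]::ToDmtfDateTime((Get-Date).AddHours(-1))
}

# Adjust Logfile to the log that is set in the sensor settings.
$logfile = 'Application'

# Same WQL query the article runs in the WMI Tester.
$query = "SELECT * FROM Win32_NTLogEvent WHERE Logfile = '$logfile' AND TimeGenerated > '$copiedTimestamp'"

$events = Get-CimInstance -Query $query

# Group by the stored SourceName: this is the value the sensor's
# Match String (Event Source) filter is compared against.
$events |
    Group-Object -Property SourceName |
    Sort-Object -Property Count -Descending |
    Select-Object @{ Name = 'SourceName'; Expression = { $_.Name } }, Count |
    Format-Table -AutoSize

# Cross-check with the Windows event log API: the value that Event Viewer's
# XML view shows as <Provider Name="..."> is exposed here as ProviderName.
$since = [System.Management.ManagementDateTimeConverter]::ToDateTime($copiedTimestamp)
Get-WinEvent -FilterHashtable @{ LogName = $logfile; StartTime = $since } -ErrorAction SilentlyContinue |
    Select-Object -ExpandProperty ProviderName -Unique |
    Sort-Object
```

Run the script in a PowerShell session on the probe system. If the source you expect does not appear in the WMI list at all, no filter value will match it, and the time stamp or log file name should be checked first; if it appears under a different name than Event Viewer shows, that name is the one to enter in the sensor settings.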
Your Event Log sensor, no matter if you use WMI or the Windows API, will now read the correct event sources and change to your desired status.