My Event Log sensor ignores changes in the event log. What can I do?

I created several Event Log sensors, some work via Windows API and some via WMI. When I filter for the “Event Type” Error and for the “Event Source” Backup like I see it in the Windows event viewer, the sensors just do not react to this entry when appearing in the event log. The sensors do not change at all although they should show a Down status.

Why do my Event Log sensors ignore error log entries and stay in an Up status? How can I make these sensor types consider new log entries and switch to the corresponding status?

event-log event-viewer eventlog eventlog-api eventlog-wmi events prtg sensor

Created on Jan 27, 2014 1:45:45 PM by  Gerald Schoch [Paessler Support]

Last change on Jul 16, 2019 5:08:03 AM by  Maike Behnsen [Paessler Support]



7 Replies

Accepted Answer

This article applies to PRTG Network Monitor 19 or later

Event Log Sensors: Setting Correct Status and Source Filter

PRTG includes two types of sensors for Windows event log monitoring: The WMI Event Log sensor monitors a specific Windows logfile via Windows Management Instrumentation (WMI). The Event Log (Windows API) sensor uses the Windows Application Interface (Windows API) to monitor event log entries. In the particular sensor settings, you can define filters for specific event log entries.
One way to find out filterable values is to view the Event Viewer of Windows: Open the Command Prompt on your system and enter eventvwr. This will open the event viewer.
For these sensors to show a desired status for certain event log entries, you have to define filters via the channel settings.

Defining a Down Status for Specific Events

You can easily set up the sensor to change to a desired status when a specific event occurs. For example, if you filter for Error as Event Type, you might want the sensor to change to a Down status as soon as one log entry is of this type.



After creating a corresponding filter in the sensor settings that only analyzes specific events (in this example, only the event type Error), follow these steps:

  1. Open the settings of the sensor’s default primary channel New Records.
  2. In the Edit Channel dialog, click Enable alerting based on limits.
  3. Enter 0,0001 in the Upper Error Limit (#/s) field.

Defining Upper Error Limit in Sensor Channel Settings

If at least one log entry is of the type Error, the sensor will change to a Down status, indicating that an error occurred. Of course, you can use other and/or more filters and individually define sensor states that apply if one log entry matches this filter.

This status will persist one scanning interval. If the filter does not match in the following scanning interval, the sensor will change to an Up status again. Create a State Trigger on the Notifications tab of the sensor with a corresponding notification to be sure that you do not miss any uncommon event log entry.

Filtering for the Correct Source

If you filter for a specific source (for example, you use Backup in the Match String (Event Source) field of your sensor) but encounter the problem that the sensor never reacts to an event from this source, there might be an issue with the name of the value. It can be the case that the value in your event viewer does not correspond to the value that is really given in the event.

You can check this by storing the sensor results to disk and testing the executed WMI query with the WMI Tester. Follow the steps below:

  1. In the settings of the WMI Event Log sensor, select the option Write sensor result to disk. (This setting is currently not available for the Event Log (Windows API) sensor.)
  2. Perform an immediate sensor scan by clicking Check Now in the sensor’s context menu.
  3. Open the file Result of Sensor [ID].txt in the \Logs (Sensors) subfolder of the PRTG program directory on the system the probe is running on. You will now see the WMI queries as generated by this sensor.
  4. Test the latest query with the WMI Tester. If you do not get any results on your system, the queried source value might be different from the value as given in the event itself. Use the WMI Tester to find out which value is really deposited at the time stamp you see in the sensor result file:
  5. In the executed query in the sensor result, look for the parameter TimeGenerated and copy its value.
  6. Execute the following command with the WMI Tester and paste the copied time stamp:
     SELECT * FROM Win32_NTLogEvent WHERE Logfile = 'Application' AND TimeGenerated > 'copied_timestamp'
     Note: Adjust the value for the Logfile parameter to the one that you have set in the sensor settings.
  7. Analyze which source value is really deposited in the events and can be used for your purposes. For example, the source Backup, as it is called in the event viewer, could be MS-Windows-Backup instead.
    • Alternative: On the Details tab of an event log entry in the event viewer, select the XML view and use the value from the <Provider Name> tag.
  8. Check if the value of the source that you have found out works with the WMI Tester. If yes, provide this value in the Event Source field in the sensor settings. Your Event Log sensor, no matter if you use WMI or the Windows API, will now read the correct event sources and change to your desired status.


Created on Jan 27, 2014 2:02:34 PM by  Gerald Schoch [Paessler Support]

Last change on Jul 30, 2019 10:14:11 AM by  Brandy Greger [Paessler Support]
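
The source-name check described in the accepted answer, as an added PowerShell example that is not part of the original answer or of PRTG: it runs the same kind of Win32_NTLogEvent query and groups the results by SourceName, so the name that is really stored (for example MS-Windows-Backup rather than Backup) can be read off directly. The function names and the Hint parameter are hypothetical; the time stamp is converted to the DMTF string format that WQL compares against.

```powershell
# Added example, not Paessler code. Lists the SourceName values that WMI
# actually reports, so the Event Source filter can be set to the stored name.
function ConvertTo-DmtfTimestamp {
    param([Parameter(Mandatory)][datetime]$Time)
    # DMTF datetime: yyyyMMddHHmmss.ffffff followed by the UTC offset in minutes
    $Time.ToUniversalTime().ToString('yyyyMMddHHmmss.ffffff',
        [cultureinfo]::InvariantCulture) + '+000'
}

function Get-EventSourceCandidate {
    param(
        [string]$ComputerName,                       # omit to query the local system
        [ValidatePattern('^[\w \-/]+$')]             # keep quotes out of the WQL string
        [string]$Logfile = 'Application',            # same log as in the sensor settings
        [datetime]$Since = (Get-Date).AddHours(-24),
        [string]$Hint = 'Backup'                     # name as shown in the Event Viewer
    )
    $stamp = ConvertTo-DmtfTimestamp -Time $Since
    # Query from the answer, restricted to the three properties used below
    $wql = "SELECT SourceName, Type, TimeGenerated FROM Win32_NTLogEvent " +
           "WHERE Logfile = '$Logfile' AND TimeGenerated > '$stamp'"
    $cim = @{ Query = $wql }
    if ($ComputerName) { $cim.ComputerName = $ComputerName }

    Get-CimInstance @cim |
        Group-Object -Property SourceName |
        ForEach-Object {
            [pscustomobject]@{
                SourceName  = $_.Name
                Events      = $_.Count
                Types       = ($_.Group.Type | Sort-Object -Unique) -join ','
                LastSeen    = $_.Group.TimeGenerated | Sort-Object | Select-Object -Last 1
                MatchesHint = $_.Name -like "*$Hint*"
            }
        } |
        Sort-Object -Property MatchesHint, Events -Descending
}

# Sources seen in the Application log during the last 24 hours,
# with names containing 'Backup' listed first
Get-EventSourceCandidate -Logfile 'Application' -Hint 'Backup' |
    Format-Table -AutoSize
```

A source that appears in this output under a longer name than the one shown in the Event Viewer is the value to enter in the Event Source field.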



If I set Event Type to "Warning", will the sensor filter "Error" events too? Because I want to filter those events together.

Created on Mar 13, 2018 5:16:38 AM by  Palindrom (0)



Hello Palindrom,

Thank you very much for your contact.

The sensor will only monitor the selected Event Type. If you wish to monitor Errors and Warnings, you'll need to create two sensors for it.

Best regards,
Sebastian

Created on Mar 13, 2018 1:44:35 PM by  Sebastian Kniege [Paessler Support]



"One sensor type monitors a specific Windows log file via Windows Management Instrumentation (WMI); the other one uses the Windows Application Interface (Windows API) to monitor event log entries. In the particular sensor settings, you can define filters for specific event log entries."

Why does the sensor count events per second? Who is interested in that information? I personally would simply like to know how many events occurred.

I used the wmieventlogsensor and I filtered Application log and Event ID: 15006. I am therefore expecting that the sensor retrieves only these events... which is not the case. Is this because the WMI sensor, as described in your description, retrieves all "application logs"? Even if we use a filter?

Thank you

Created on Mar 20, 2018 3:54:53 PM by  Yann (300) 1 1



Then the following might be for you: How Can I Monitor My Historic Windows Events. Also check out our Guide For PowerShell Based Custom Sensors.


Kind regards,
Stephan Linke, Tech Support Team

Created on Mar 21, 2018 9:13:26 AM by  Stephan Linke [Paessler Support]



I spent so much time trying your default sensors and not getting what I expect and need. Again, it appears that I should use my own or a custom script :-( I still don't understand how it really works. Why is this filter not applied?

Created on Mar 22, 2018 12:30:52 PM by  Yann (300) 1 1



What filter settings are you actually using and what are you expecting in return?


Kind regards,
Stephan Linke, Tech Support Team

Created on Mar 22, 2018 1:30:11 PM by  Stephan Linke [Paessler Support]

Last change on Mar 22, 2018 1:30:18 PM by  Stephan Linke [Paessler Support]


