How can I monitor my historic windows events?


I know that there's a sensor for the event log, but I want to know how many messages appeared in the last few hours and be alerted if a certain amount is reached. Additionally, I want to get the results from a Log that is not listed in the WMI EventLog sensor.

Do you guys have a solution for that?

custom-script-exe custom-sensor eventlog powershell wmi

Created on Nov 28, 2014 9:31:33 AM by  Stephan Linke [Paessler Support]

Last change on Mar 19, 2015 3:44:29 PM by  Martina Wittmann [Paessler Support]



27 Replies

Accepted Answer


The following sensor will search multiple event logs from multiple providers. You can search for IDs and the message text. Make sure you read the synopsis of the sensor to get an idea of what the specific parameters do. Please use the following script with an EXE/Script sensor:

#___ ___ _____ ___
#| _ \ _ \_   _/ __|
#|  _/   / | || (_ |
#|_| |_|_\ |_| \___|
#    NETWORK MONITOR
#-------------------
#(c) 2015 Stephan Linke, Paessler AG
#
# Name: PRTG-Get-WinEvents
# Description: Reads the Windows event log and filters for the specified events
#
# Version History
# ----------------------------
# Version Date        Description
# 1.1     07/12/2016  [Fixed] If only one event existed, the sensor showed no events
# 1.0     19/05/2014  Initial Release
<#
   .SYNOPSIS
   Reads the Windows event log and filters for the specified events.
   .DESCRIPTION
   This custom sensor for PRTG will read the given event log(s) and search them
   for the defined events. It can also put the sensor into a warning or error state
   if the last event found has a certain ID or message.
   .PARAMETER ComputerName
   The computer whose event log you want to check
   .PARAMETER Channel
   The log name(s) used by the application (the <Channel> element in the event XML)
   .PARAMETER ProviderName
   The application(s) that you want to watch (the Provider Name attribute in the event XML)
   .PARAMETER EventID
   The event IDs you want to filter. Separate multiple IDs with commas
   .PARAMETER WarningEvents
   The event IDs that raise a warning when found. Those IDs also have to be included in EventID
   .PARAMETER ErrorEvents
   The event IDs that raise an error when found. Those IDs also have to be included in EventID
   .PARAMETER Levels
   The log levels you want to include in the search
   .PARAMETER MaxAge
   How far back to search the log, in hours
   .PARAMETER LimitEntries
   Maximum number of log entries to be checked (order is new -> old)
   .PARAMETER WarningStrings
   Put the sensor into a warning state when one of these strings is found within the last message
   .PARAMETER ErrorStrings
   Put the sensor into an error state when one of these strings is found within the last message
   .PARAMETER StateBasedOnLastEventID
   If set (the default), the event ID of the last entry found is compared against WarningEvents and
   ErrorEvents to decide the sensor state, instead of the sheer number of events. This is useful for
   RAID controllers, etc. Disable with -StateBasedOnLastEventID:$false
   .PARAMETER StateBasedOnLastMessage
   If set (the default), the message of the last entry found is compared against WarningStrings and
   ErrorStrings to decide the sensor state. This is useful if error and information events share the
   same event ID. Disable with -StateBasedOnLastMessage:$false
   .PARAMETER AlwaysShowMessage
   Append the (truncated) message of the last entry found to the sensor message
   .PARAMETER Username
   The username that the script should use to create the credential object.
   Format -Username "domain\username"
   .PARAMETER Password
   The password for that user. Format -Password 'yourpass'
   .OUTPUTS
   <number of entries found>:<entries> found in the event log. Last message: <last entry message>
   .EXAMPLE
   C:\PS> .\Get-Events.ps1  -ComputerName %host -Username "%windowsdomain\%windowsuser" -Password "%windowspassword" -ProviderName "Microsoft-Windows-Immersive-Shell" -Channel "Microsoft-Windows-TWinUI/Operational" -LimitEntries 1 -MaxAge 1 -EventID 1719 -Level 4
   .EXAMPLE
   C:\PS> .\Get-Events.ps1  -ComputerName %host -Username "%windowsdomain\%windowsuser" -Password "%windowspassword" -ProviderName "Microsoft-Windows-Immersive-Shell" -Channel "Microsoft-Windows-TWinUI/Operational" -LimitEntries 1 -MaxAge 1 -EventID 1719 -Level 4 -StateBasedOnLastEventID
#>

param(
    [string]$ComputerName     = "Percy",
    [string[]]$Channel        = @("PRTG Network Monitor"),
    [string[]]$ProviderName   = @("PRTG Network Monitor"),
    [int[]]$EventID           = @(2),
    [int[]]$WarningEvents     = @(),
    [int[]]$ErrorEvents       = @(),
    [string[]]$ErrorStrings   = @(),
    [string[]]$WarningStrings = @(),
    [int[]]$Levels            = @(),
    [float]$MaxAge            = 24,
    [int]$LimitEntries        = 100,
    # empty credentials, in case we run at localhost.
    [string]$Username         = '',
    [string]$Password         = '',
    [switch]$AlwaysShowMessage       = $true,
    [switch]$StateBasedOnLastMessage = $true,
    [switch]$StateBasedOnLastEventID = $true
)
[System.Threading.Thread]::CurrentThread.CurrentCulture = New-Object "System.Globalization.CultureInfo" "en-US"
# Set to $true while debugging: results are printed but the script does not exit
[switch]$Verbose = $false

# This will print the sensor result ("<value>:<message>") and exit with the
# given code (PRTG: 0 = OK, 1 = warning, 2 = error). If there's an error, only
# this line will be output.
#######################################
function This-PrtgResult([int]$Value = 0, [string]$Message, [int]$ExitCode){

    Write-Host ([string]::Format("{0}:{1}", $Value, $Message))
    if(!($Verbose)){ exit $ExitCode }
}

# This will create the credential
# object that is used to get the events
#######################################
function This-GenerateCredentials(){

    # Generate credentials only if we're not checking localhost and a user was given
    if((($env:COMPUTERNAME) -ne $ComputerName) -and (-not [string]::IsNullOrEmpty($Username))){
        $SecPasswd   = ConvertTo-SecureString $Password -AsPlainText -Force
        $Credentials = New-Object System.Management.Automation.PSCredential ($Username, $SecPasswd)
        return $Credentials
    }

    # otherwise return $null, so Get-WinEvent runs as the account executing the script
    return $null
}

# This will retrieve the event log entries
# based on channel, provider and event ID.
#######################################
function This-ReadEventLog(){

    $Credentials = (This-GenerateCredentials)
    $EventFilter = @{}

    # Filter the entries according to their timestamp
    $EventFilter.Add("StartTime", (Get-Date).AddHours(-$MaxAge))

    # Get-WinEvent needs a provider; error out early if none is given.
    if($ProviderName.Count -eq 0)
    { This-PrtgResult -Message "No ProviderName given. Please enter a valid Provider." -ExitCode 1 }
    $EventFilter.Add("ProviderName", $ProviderName)

    # Get-WinEvent needs a log name (channel); error out early if none is given.
    if($Channel.Count -eq 0)
    { This-PrtgResult -Message "No Channel given. Please enter a valid Channel (log name)." -ExitCode 1 }
    $EventFilter.Add("LogName", $Channel)

    # If there are event IDs, add them to the filter
    if($EventID.Count -gt 0)
    { $EventFilter.Add("ID", $EventID) }

    # If there are levels, add them to the filter
    if($Levels.Count -gt 0)
    { $EventFilter.Add("Level", $Levels) }

    try{
        # Get-WinEvent returns the newest entries first, so [0] is always the latest event.
        # When no entry matches it returns nothing (a non-terminating error), which is
        # handled as "0 events" by the caller; access/RPC failures throw and land in catch.
        if($null -ne $Credentials){ $Events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $EventFilter -MaxEvents $LimitEntries -Credential $Credentials }
        else                      { $Events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $EventFilter -MaxEvents $LimitEntries }

        return $Events
    }
    catch [Exception]
    { This-PrtgResult -Message ([string]::Format("Can't find anything for {0} in your {1} eventlog. Please check Log name, Provider, Log ID, EventID, ComputerName and Credentials", ($ProviderName -join " or "), ($Channel -join " or "))) -ExitCode 1 }
}

# This will evaluate the results from the above
# function and return the sensor value
#######################################
function This-EvaluateLogResults(){

    $Events = This-ReadEventLog

    # We need the events to be in an array, even if we only have one value (or none).
    # This makes counting and indexing reliable.
    if($null -eq $Events){ $Events = @() } else { $Events = @($Events) }
    $Counter = $Events.Count
    $Message = ""

    if($Counter -gt 0){

        $Last = $Events[0]

        # Always show the last message when enabled
        if($AlwaysShowMessage){
            if(!([string]::IsNullOrEmpty($Last.Message))){
                # Keep the first 50 characters of the message on a single line.
                # (.Remove(50) threw an exception for messages shorter than 50 characters.)
                $LastMessage = ($Last.Message -replace "`n|`r")
                if($LastMessage.Length -gt 50){ $LastMessage = $LastMessage.Substring(0, 50) + "..." }
                $Message = "(Last entry: " + $LastMessage + ")"
            }
            else
            { $Message = "(Latest event has no message)" }
        }

        # Compare the event ID of the latest entry with the error and warning IDs
        if($StateBasedOnLastEventID){
            if($ErrorEvents -contains $Last.Id)  { This-PrtgResult -Message "Critical Event found: $($Message)" -Value $Counter -ExitCode 2 }
            if($WarningEvents -contains $Last.Id){ This-PrtgResult -Message "Warning Event found: $($Message)" -Value $Counter -ExitCode 1 }
        }

        # Compare the message of the latest entry with the error and warning strings.
        # Each string is matched on its own; -match against a whole array would
        # silently join the array into one pattern.
        if($StateBasedOnLastMessage){
            foreach($String in $ErrorStrings){
                if($Last.Message -match "($String)"){ This-PrtgResult -Message "Critical Event found: $($Message)" -Value $Counter -ExitCode 2 }
            }
            foreach($String in $WarningStrings){
                if($Last.Message -match "($String)"){ This-PrtgResult -Message "Warning Event found: $($Message)" -Value $Counter -ExitCode 1 }
            }
        }
    }

    # Nothing matched the error/warning rules: report the plain count
    if($Counter -eq 0){ This-PrtgResult -Message "No events found." -ExitCode 0 }
    else              { This-PrtgResult -Message "$($Counter) event(s) found $($Message)." -Value $Counter -ExitCode 0 }
}

This-EvaluateLogResults

In order to get detailed information about the event you want to monitor, please open the Windows Event Viewer application, search for the event and switch to the detail tab. Select the XML view to see all properties of the event.

Parameter example:

-ComputerName %host -Username "%windowsdomain\%windowsuser" -Password "%windowspassword" -MaxAge 8 -Channel 'Application' -ProviderName 'ESENT' -EventID @(105,200,301) -WarningEvents @(200) -ErrorEvents @(301) -AlwaysShowMessage

The % variables will be replaced automatically by PRTG. If you want to look for multiple event IDs, strings, logs and providers, simply add them to the array:
IDs: @(101,102,103,104)
Strings: @("String 1","String 2")

If you want to work with channel limits instead of the hardcoded limits (0 = green, 1 = warning, 2 and above = error), edit the lines 155 and 156, specifically the exit code.

Important: The user you use needs to have administrative privileges on the target device; he can't read the events as a normal user.

Created on Nov 28, 2014 9:55:25 AM by  Stephan Linke [Paessler Support]

Last change on Dec 8, 2016 9:48:40 AM by  Stephan Linke [Paessler Support]




You guys really need to create a far better default sensor for event logs. We could really do with something that can check for ISO 27001:2013 compliance etc. So some reporting would also be very useful. I think it would make PRTG a stronger selling point if there was better support for syslogs, event logs and IIS logs.

Created on Feb 27, 2015 3:02:09 PM by  Lasse (0)




Hi Lasse,

How exactly would one check for ISO 27001:2013 compliance? What sensor functionality would you like to see within the syslog and eventlog sensors? Do you rather want to analyze the IIS logs itself (which would work with a PowerShell script) or would it be possible for you to push the logs into a database? If so, you could use our various database sensors to get the information you want out of the logs :)

Best, Stephan

Created on Mar 2, 2015 1:21:12 PM by  Stephan Linke [Paessler Support]




Just so you know, I updated the script to be more sophisticated, offering a better search function. It can also deal with multiple search filters at once :)

Created on May 6, 2015 9:23:34 AM by  Stephan Linke [Paessler Support]




Hi all,

Could you please tell me how to copy the script into a text file without losing all the newlines?

Help would be appreciated... I tried to copy it via the HTML source, but there the special characters are not right!

thx,

matthias

Created on Jul 7, 2015 11:43:08 AM by  Helpdesk_Hoedlmayr (0) 1




Whoops, that's weird. I'll forward it to our developers. Meanwhile, you can get it here: http://pastebin.com/9Quaehke

Created on Jul 7, 2015 12:36:49 PM by  Stephan Linke [Paessler Support]




Hi,

Many thanks for providing this.

I have no scripting background but as I have a dire need to make this work, I have been trying to implement this without any luck.

I need to monitor Applications and Services Logs > Microsoft > Windows > AppLocker > EXE and DLL (%SystemRoot%\System32\Winevt\Logs\Microsoft-Windows-AppLocker%4EXE and DLL.evtx) for Event 8004 on any monitored PC.

I appreciate that the script is heavily remarked but I am getting nowhere with what I need to change to achieve the above.

Any assistance would be greatly appreciated.

Created on Nov 25, 2016 4:44:08 AM by  Macduffy (0) 1




Could you provide me with the XML of one event within that log (can be obtained from the detail tab of it). Thanks!

Created on Nov 28, 2016 7:12:48 AM by  Stephan Linke [Paessler Support]




Apologies for late response, I missed your post :(

Here is the XML you requested:

<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-AppLocker" Guid="{CBDA4DBF-8D5D-4F69-9578-BE14AA540D22}" />
    <EventID>8006</EventID>
    <Version>0</Version>
    <Level>3</Level>
    <Task>0</Task>
    <Opcode>0</Opcode>
    <Keywords>0x4000000000000000</Keywords>
    <TimeCreated SystemTime="2016-11-06T03:27:05.276939600Z" />
    <EventRecordID>6</EventRecordID>
    <Correlation />
    <Execution ProcessID="17568" ThreadID="17572" />
    <Channel>Microsoft-Windows-AppLocker/MSI and Script</Channel>
    <Computer>##### REMOVED #####</Computer>
    <Security UserID="##### REMOVED #####" />
  </System>
  <UserData>
    <RuleAndFileData xmlns:auto-ns2="http://schemas.microsoft.com/win/2004/08/events" xmlns="http://schemas.microsoft.com/schemas/event/Microsoft.Windows/1.0.0.0">
      <PolicyName>SCRIPT</PolicyName>
      <RuleId>{00000000-0000-0000-0000-000000000000}</RuleId>
      <RuleName>-</RuleName>
      <RuleSddl>-</RuleSddl>
      <TargetUser>##### REMOVED #####</TargetUser>
      <TargetProcessId>17568</TargetProcessId>
      <FilePath>##### REMOVED #####</FilePath>
      <FileHash>##### REMOVED #####</FileHash>
      <Fqbn>##### REMOVED #####</Fqbn>
    </RuleAndFileData>
  </UserData>
</Event>

Thanks!

Created on Dec 18, 2016 5:42:48 AM by  Macduffy (0) 1

Last change on Dec 20, 2016 12:19:37 PM by  Stephan Linke [Paessler Support]




Since I updated the script above, the following parameters should do the trick: -Channel @(Microsoft-Windows-AppLocker) -Provider @("Microsoft-Windows-AppLocker") -EventID 8006 -username '%windowsdomain\%windowsuser' -password '%windowspassword'

...could you check that out? :)

Created on Dec 20, 2016 12:18:25 PM by  Stephan Linke [Paessler Support]




Hi, I'm following the above but I'm having issues. I have made the query simpler by just using the Application event log. Here's the XML output:

Log Name:      Application
Source:        Microsoft-Windows-WMI
Date:          31/01/2017 16:19:10
Event ID:      5605
Task Category: None
Level:         Information
Keywords:      
User:          SYSTEM
Computer:      RDSCB01.sachetpack.local
Description:
The root\cimv2\rdms namespace is marked with the RequiresEncryption flag. Access to this namespace might be denied if the script or application does not have the appropriate authentication level. Change the authentication level to Pkt_Privacy and run the script or application again.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-WMI" Guid="{1EDEEE53-0AFE-4609-B846-D8C0B2075B1F}" />
    <EventID>5605</EventID>
    <Version>2</Version>
    <Level>4</Level>
    <Task>0</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8000000000000000</Keywords>
    <TimeCreated SystemTime="2017-01-31T16:19:10.850939300Z" />
    <EventRecordID>168525</EventRecordID>
    <Correlation ActivityID="{27F2CD1B-4EFE-0000-5EF3-0F30FE4ED201}" />
    <Execution ProcessID="988" ThreadID="7084" />
    <Channel>Application</Channel>
    <Computer>RDSCB01.sachetpack.local</Computer>
    <Security UserID="S-1-5-18" />
  </System>
  <UserData>
    <data_0x8000003F xmlns="http://manifests.microsoft.com/win/2006/windows/WMI">
      <Namespace>root\cimv2\rdms</Namespace>
    </data_0x8000003F>
  </UserData>
</Event>

For the parameters I'm using

-Channel @(Application) -Provider @("Microsoft-Windows-WMI") -EventID 5605 -username '%windowsdomain\%windowsuser' -password '%windowspassword'

The warning states No Channel given. Please enter a valid Provider.

If I put quotes around the channel, e.g.

-Channel @("Application") -Provider @("Microsoft-Windows-WMI") -EventID 5605 -username '%windowsdomain\%windowsuser' -password '%windowspassword'

the warning output states Can't find anything for Microsoft-Windows-WMI in your Application eventlog. Please check Log name, Provider, Log ID, EventID, ComputerName and Credentials

I can't see where I'm going wrong; any advice is appreciated.

Created on Jan 31, 2017 4:35:29 PM by  alexderbyshire (0)

Last change on Feb 1, 2017 6:36:33 AM by  Stephan Linke [Paessler Support]




It's -ProviderName, not -Provider :)

Created on Feb 1, 2017 6:40:07 AM by  Stephan Linke [Paessler Support]




Hi, I still haven't been able to get this to work:

Response not wellformed:

"(File C:\Program Files (x86)\PRTG Network Monitor\custom sensors\EXE\Event Log.p s1 cannot be loaded because the execution of scripts is disabled on this system . Please see "get-help about_signing" for more details. At line:1 char:157 + if ($PSVersionTable.PSVersion -ge (new-object 'Version' 5,0)) { Import-Module Microsoft.PowerShell.Management; Import-Module Microsoft.PowerShell.Utility};& <<<< 'C:\Program Files (x86)\PRTG Network Monitor\custom sensors\EXE\Event Log .ps1' -Channel @(Microsoft-Windows-AppLocker) -ProviderName @('Microsoft-Window s-AppLocker') -EventID 8006 -username '*****\*****' -password '*****'; exit $LASTEXITCODE + CategoryInfo : NotSpecified: (:) [], PSSecurityException + FullyQualifiedErrorId : RuntimeException )" (code: PE132)

The target machine has an execution policy of Unrestricted on both x86/x64 versions of PS.

Created on Mar 14, 2017 6:41:00 AM by  Macduffy (0) 1

Last change on Mar 14, 2017 6:49:22 AM by  Sven Roggenhofer [Paessler Technical Support]




Are you running the script on a remote probe by any chance? Then you'll have to set the execution policies there and not (exclusively) on the probe :)

Created on Mar 14, 2017 9:13:45 AM by  Stephan Linke [Paessler Support]




Maybe too late, but the command line should look like this:

-Channel "Microsoft-Windows-AppLocker/EXE and DLL" -Provider "Microsoft-Windows-AppLocker" -EventID 8006 -username '%windowsdomain\%windowsuser' -password '%windowspassword'

Regards Oliver

Created on Dec 4, 2017 9:34:17 AM by  synalis (0)

Last change on Dec 4, 2017 10:15:01 AM by  Stephan Linke [Paessler Support]




Hi Oliver,

Thanks for sharing! :)


Kind regards,
Stephan Linke, Tech Support Team

Created on Dec 4, 2017 10:15:28 AM by  Stephan Linke [Paessler Support]




Hi

I have tried to get this to work without luck. I am able to run it locally on the server I want to monitor, but I can not get it to work from a probe device. I get this error: "0:Can't find anything for Microsoft-Windows-SyncShare in your Microsoft-Windows-SyncShare/Operational eventlog. Please check Log name, Provider, Log ID, EventID, ComputerName and Credentials"

This is the command I use: "PS C:\> .\windows_eventlog_monitor.ps1 -ComputerName %host -Username "%windowsdomain\%windowsuser" -Password "%windowspassword" -ProviderName "Microsoft-Windows-SyncShare" -Channel "Microsoft-Windows-SyncShare/Operational" -MaxAge 100 -EventID 4016 -Level 2"

I have tried different variations of quoting with " and ' and so on. The same thing happens; it does not find anything. When I test it on the local probe with the PowerShell command, I replace the variables with the real hostname, password and so on.

Hope you can help.

Best regards Jacob

Created on Mar 16, 2018 10:32:19 AM by  Jacobnm (10)




Hi Jacob,

That's weird. Did you get the channel and provider name from the actual event XML in the event viewer? When you use the following instead:

-ProviderName @("Microsoft-Windows-SyncShare") -Channel @("Microsoft-Windows-SyncShare/Operational")

...does that do the trick? The channel name (i.e. /Operational) seems a bit suspicious. If you like, I can take a peek at the actual event XML and let you know the correct parameters for the script.


Kind regards,
Stephan Linke, Tech Support Team

Created on Mar 19, 2018 9:55:14 AM by  Stephan Linke [Paessler Support]




Hi Stephan

It did not do the trick with the remote probe. I can run it locally but not from the probe device.

This is the XML; maybe that can help?

<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-SyncShare" Guid="{9E6153AD-A829-4B70-B997-8E463A7A111C}" />
    <EventID>4016</EventID>
    <Version>0</Version>
    <Level>2</Level>
    <Task>0</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8000000000000000</Keywords>
    <TimeCreated SystemTime="2018-03-19T08:24:20.711096500Z" />
    <EventRecordID>17199</EventRecordID>
    <Correlation />
    <Execution ProcessID="1372" ThreadID="1444" />
    <Channel>Microsoft-Windows-SyncShare/Operational</Channel>
    <Computer><removed></Computer>
    <Security UserID="S-1-5-21-2117862466-2125879483-944732636-28415" />
  </System>
  <EventData>
    <Data Name="ConfigName"><removed></Data>
    <Data Name="HResultStr">(0x80c80037) You're not set up on the server. Email your organization's tech support and ask them if they can give you access to Work Folders.</Data>
    <Data Name="HResult">-2134376393</Data>
  </EventData>
</Event>

Created on Mar 20, 2018 8:46:22 AM by  Jacobnm (10)

Last change on Mar 20, 2018 9:58:29 AM by  Stephan Linke [Paessler Support]




Thanks for testing that. Could you try to configure the parameters within the script (instead of configuring the parameter field in PRTG) and see if the result is correct when running on the probe itself?


Kind regards,
Stephan Linke

Created on Mar 20, 2018 9:59:59 AM by  Stephan Linke [Paessler Support]




Hi Stephan

I have tried to modify the script itself on the probe, and ran the same modified script on the host that should be monitored.

The result was that running the script locally on the server that should be monitored works, as it has before (10:10 log entries found). When I run the same script on the probe I still get the error "0:Can't find anything for Microsoft-Windows-SyncShare in your Microsoft-Windows-SyncShare/Operational eventlog. Please check Log name, Provider, Log ID, EventID, ComputerName and Credentials".

Can it be a Windows setting blocking outsiders from reading the event log?

Created on Mar 21, 2018 10:24:50 AM by  Jacobnm (10)




Hi Jacob,

Nice to hear we're making progress. Is the user you're using in PRTG configured as an administrator on the target host? Otherwise he can't read the events, i.e. has no access to them.


Kind regards,
Stephan Linke, Tech Support Team

Created on Mar 21, 2018 11:48:21 AM by  Stephan Linke [Paessler Support]




Hi Stephan

I found the solution. It was another thing blocking the script from running as suspected. It was the Windows Firewall with the rule "Remote Event Log Management (RPC)". If you enable this the script works.

Thanks for your help.

Br Jacob

Created on Mar 22, 2018 12:07:37 PM by  Jacobnm (10)




I've had a recent issue with this script. I was getting a translation error with the event variables which I corrected by changing the [int[]] to [array]. This is odd however because the script does run as is in powershell. It seems it was trying to convert the entire @(…,...,...) string into a single [int] when called from PRTG.

Created on Jun 10, 2018 2:08:14 PM by  Syo (0)




Could you post the entire content of the parameter field?


Kind regards,
Stephan Linke, Tech Support Team

Created on Jun 11, 2018 6:55:34 AM by  Stephan Linke [Paessler Support]




I am not able to use multiple event IDs:

Antwort nicht wohlgeformt: "(C:\Program Files (x86)\PRTG Network Monitor\custom sensors\EXE\eventlog.ps1 : Die Argumenttransformation für den Parameter "EventID" kann nicht verarbeitet werden. Der Wert "@(70,71)" kann nicht in den Typ "System.Int32[]" konvertiert werden. Fehler: "Der Wert "@(70,71)" kann nicht in den Typ "System.Int32" konvertiert werden. Fehler: "Die Eingabezeichenfolge hat das falsche Format."" In Zeile:1 Zeichen:461 + ... indows-Server Infrastructure Licensing' -EventID `@`(70`,71`) -MaxAge ... + ~~~~~~~~~~~~ + CategoryInfo : InvalidData: (:) [eventlog.ps1], ParameterBindingArgumentTransformationException + FullyQualifiedErrorId : ParameterArgumentTransformationError,eventlog.ps1 )" (Code: PE132)

Parameter is:

-ComputerName server -Username "%windowsdomain\%windowsuser" -Password "%windowspassword" -Channel 'Microsoft-Windows-Server Infrastructure Licensing/Operational' -ProviderName 'Microsoft-Windows-Server Infrastructure Licensing' -EventID @(70,71) -MaxAge 8

It is working in the PowerShell console but not in PRTG!

I also found that this results in an error if the message is shorter than 50 characters: $LastMessage = ($EventList[0].Message.Remove(50)+"..." -replace "`n|`r")

Microsoft-Windows-Server Infrastructure Licensing has to be in ''; it's not working with "" because of the blank character.

Created on Jun 14, 2019 5:44:49 PM by  ghostadmin (0) 1

Last change on Jun 17, 2019 5:32:07 AM by  Stephan Linke [Paessler Support]




Unfortunately, we have had a bug in PRTG for quite some time now that causes PRTG to trip when @ characters are passed via command line. It would require refactoring of the script to adapt it. The easiest way is to save the script once per host and enter the IDs manually.

The refactoring would require turning the int[] parameters into strings and having them passed as "1,2,3" instead of @(1,2,3). They need to be converted into arrays within the script afterwards.

Sorry for the inconvenience regarding this :( Arne pushed the bugfix within our issue tracker, but it has a rather low priority.

Created on Jun 17, 2019 6:39:15 PM by  Stephan Linke [Paessler Support]
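The refactoring described in the reply above and the [int[]] binding error reported earlier in the thread, shown as an added example that is not the thread's or Paessler's own code: the ID lists arrive as plain strings such as "70,71" (no @ characters reach PRTG's parameter field) and are converted to [int[]] inside the script. The helper name This-ConvertIdList and the sample parameter values are assumptions.

```powershell
# Added example (not from the thread): accept event ID lists as plain strings
# so that no "@(" / ")" characters have to pass through PRTG's parameter field.
param(
    [string]$EventID       = "70,71",   # constructed sample values
    [string]$WarningEvents = "70",
    [string]$ErrorEvents   = "71"
)

# Convert "70,71", "70, 71" or the legacy "@(70,71)" form into [int[]].
# A value that is not a whole number is reported the way the sensor reports
# errors ("<value>:<message>" on stdout, non-zero exit code) instead of letting
# PowerShell's parameter binder produce the "Argumenttransformation" error.
function This-ConvertIdList([string]$Name, [string]$Value) {
    if ([string]::IsNullOrWhiteSpace($Value)) { return ,@() }   # empty list stays empty

    # Strip the legacy array syntax and any quotes, then split on commas
    $Clean = $Value.Trim() -replace '^@\(|\)$', '' -replace '["'']', ''
    $Ids   = @()
    foreach ($Part in ($Clean -split ',')) {
        $Part = $Part.Trim()
        if ($Part -eq '') { continue }
        $Parsed = 0
        if (-not [int]::TryParse($Part, [ref]$Parsed)) {
            Write-Host ("0:Parameter {0} contains a non-numeric value '{1}'" -f $Name, $Part)
            exit 1
        }
        $Ids += $Parsed
    }
    return ,[int[]]$Ids
}

$EventIDs   = This-ConvertIdList -Name 'EventID'       -Value $EventID
$WarningIDs = This-ConvertIdList -Name 'WarningEvents' -Value $WarningEvents
$ErrorIDs   = This-ConvertIdList -Name 'ErrorEvents'   -Value $ErrorEvents

# The converted arrays are used exactly like the [int[]] parameters of the original
# sensor: in the Get-WinEvent filter hashtable and in the -contains checks.
$EventFilter = @{ LogName = 'Application'; ID = $EventIDs }   # constructed sample filter
Write-Host ("Filtering for IDs: {0}; warning IDs: {1}; error IDs: {2}" -f `
    ($EventIDs -join ','), ($WarningIDs -join ','), ($ErrorIDs -join ','))
```

In PRTG's parameter field the lists are then given as -EventID "70,71" -WarningEvents "70" -ErrorEvents "71".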


