Event log monitoring question

The following might be helpful:
https://kb.paessler.com/en/topic/62379-how-can-i-monitor-my-historic-windows-events

You can configure the strings/event IDs to search for, when to go into Warning and Down state. Also, the timespan can be configured (i.e. how many hours of events shall be checked). Note that you need to configure the parameters within the script, as PRTG currently can't run parameters with special characters, such as @ or ( or ). Make sure to check our Guide for PowerShell based Custom Sensors for the installation :)

PRTGapi | Feature Requests | WMI Issues | SNMP Issues

Kind regards,
Stephan Linke, Tech Support Team

Thanks, that looks like a good solution. I'll take a look as soon as I get a minute.

I did try that powershell script but had a lot of trouble getting it to work. I tried to keep things simple by trying to get some results from it on just the PRTG server in powershell, but can't get it to work.

E.g.

.\Get-Events.ps1 -ComputerName StudySvr8 -Username administrator -Password xxxxxxxx -Channel Application -ProviderName 'Microsoft-Windows-CertificateServicesClient-AutoEnrollment' -EventID 64

Obviously I have replaced the password with X's in the above example. This produces the output :-

00:No log entries found

There are definitely entries for event 64 in the application log. I have tried it with other event ID's. Some give red error text, others just the same as the above. Some red error text, plus the No log entries found.

The only one I have managed to get to work in terms of an actual result is this :-

\Get-Events.ps1 -ComputerName StudySvr8 -Username administrator -Password xxxxxxx -Channel System -ProviderName 'Service Control Manager' -EventID 7036

This tells me :- 10:10 log entries found in the last 20 hours

Does this mean 10 with that event ID in the last 20 hours? If so, there are way more than 10 in that time period.

Running on a fully updated copy of Server 2012 R2.

Hopefully I'm making some kind of simple mistake and someone can point me in the right direction.

@dwinter Can you please replace line #158 with the following: { This-PrtgResult -Message ([string]::Format("Exception: $($_.Exception.Message) - Can't find anything for {0} in your {1} eventlog. Please check Log name, Provider, Log ID, EventID, ComputerName and Credentials",$ProviderName -join " or ",$Channel -join " or ")) -ExitCode 1 }

...and let me know if the entries are still disclosed as none found or if there is a special exception thrown?

Line 158 was :-

if($EventList[0].Message -match "($String)"){ Write-Host $Counter":Critical event found: $($Message)"; $ExitCode = 2; return; } }

I replaced it with your suggested code above and it seems to have just broken the script.

At C:\Program Files (x86)\PRTG Network Monitor\Custom Sensors\EXEXML\Get-Events.ps1:135 char:30 + function evaluateLogResults(){ + ~ Missing closing '}' in statement block. + CategoryInfo : ParserError: (:) [], ParseException + FullyQualifiedErrorId : MissingEndCurlyBrace

That would have been line 198 or 200? When I open up the script in an editor, line 158 is that one:

Did you leave out the comment section at the beginning when copy/pasting by any chance?

I edited it in Notepad++ this time and the line was as expected, I'll give it another go. Thanks.

Looks like that did the trick. Thanks!

Did you find the actual issue? Or is it just showing the real exception now?

Since replacing that line, it seems to be just working.

Nice! :)