Eventlog Problems
I'm trying to come up with a way of monitoring Windows event logs on a remote machine for a particular string. I'm using MX1, 6.7.1.
This is a system event log with 14K events. The event properties for the event I'm searching for are as follows:
---------------------------------------------------------
Date: 10/24/2006 Source: Service Control Manager
Time: 18:04 Category: None
Type: Information Event ID: 7036
User: N/A
Computer: XXXXX
Description:
The Volume Shadow Copy service entered the stopped state.
---------------------------------------------------------
In creating the rule, I'm using the "Test Settings" button to test out the monitor.
I search for the following string (without the quotes): "Volume Shadow Copy"
Results
-------
Status: Down?
Error returned: Information event on 111.111.111.111 at 10/24/2006 6:04:54 PM (GMT-5) - Source: "Service Control Manager". Event: Volume Shadow Copystopped
-------
Ok, so it found the string. Good enough. But notice there's no space between "Copy" and "stopped". It seems to be missing part of the event description.
So now, if I do the same exact test, but this time for the string: "Volume Shadow Copy service", it won't find it.
Results
-------
Status: OK
-------
Are there some particulars/rules with regard to searching for text in an event log that I'm missing? Is there a maximum string size that can be used for searching? Are there special characters that cannot be used?
Also, once an event is found with the search string, ServersCheck will continue to report a positive match until the event log is cleared. Is this correct?
Lastly, does ServersCheck search the event log starting from the newest events to the oldest?
Thanks for your help...
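The difference between matching "Volume Shadow Copy" and "Volume Shadow Copy service" can be reproduced in a few lines. The following Python is an added illustration, not ServersCheck code and not from this thread. It assumes, as one explanation of the "Volume Shadow Copystopped" output, that the monitor compared the search string against the record's raw insertion strings joined together rather than against the description Windows renders from its message template; it also shows the oldest-to-newest first-match order the reply describes, and a watermark so a hit is reported once instead of on every check until the log is cleared. The TEMPLATES table, EventRecord, StringMonitor and the sample records are constructed for the example.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# Constructed message template for Service Control Manager event 7036.
# Windows renders the description from a template plus per-record insertion
# strings; %1 and %2 are the service display name and the new state.
TEMPLATES: Dict[Tuple[str, int], str] = {
    ("Service Control Manager", 7036): "The %1 service entered the %2 state.",
}


@dataclass
class EventRecord:
    record_number: int        # increases as events are written to the log
    source: str
    event_id: int
    event_type: str
    inserts: List[str]        # raw insertion strings stored with the record


def rendered_message(ev: EventRecord) -> str:
    """Full description as the Event Viewer shows it."""
    template = TEMPLATES.get((ev.source, ev.event_id))
    if template is None:
        return " ".join(ev.inserts)
    text = template
    for index, value in enumerate(ev.inserts, start=1):
        text = text.replace(f"%{index}", value)
    return text


def raw_summary(ev: EventRecord) -> str:
    """Insertion strings joined with no separator, e.g. 'Volume Shadow Copystopped'.
    Assumed here to be the kind of text the monitor in the post matched against."""
    return "".join(ev.inserts)


def find_first(events: List[EventRecord], needle: str,
               text_of: Callable[[EventRecord], str],
               after_record: int = 0) -> Optional[EventRecord]:
    """First matching record scanning oldest to newest (the order the reply
    describes), skipping records at or below the watermark `after_record`."""
    for ev in sorted(events, key=lambda e: e.record_number):
        if ev.record_number <= after_record:
            continue
        if needle in text_of(ev):
            return ev
    return None


class StringMonitor:
    """Reports each match once by remembering the newest record already scanned,
    instead of re-reporting the same event until the log is cleared."""

    def __init__(self, needle: str, text_of: Callable[[EventRecord], str]):
        self.needle = needle
        self.text_of = text_of
        self.watermark = 0

    def check(self, events: List[EventRecord]) -> List[EventRecord]:
        if not events:
            return []
        newest = max(e.record_number for e in events)
        if newest < self.watermark:
            # Assumption: record numbers below the watermark mean the log was cleared.
            self.watermark = 0
        hits = [e for e in sorted(events, key=lambda e: e.record_number)
                if e.record_number > self.watermark and self.needle in self.text_of(e)]
        self.watermark = newest
        return hits


# Constructed sample log modelled on the event in the post (not captured data).
SAMPLE_LOG = [
    EventRecord(1001, "Service Control Manager", 7036, "Information", ["Volume Shadow Copy", "running"]),
    EventRecord(1002, "Service Control Manager", 7036, "Information", ["Volume Shadow Copy", "stopped"]),
    EventRecord(1003, "Service Control Manager", 7036, "Information", ["Windows Time", "running"]),
]

if __name__ == "__main__":
    for needle in ("Volume Shadow Copy", "Volume Shadow Copy service"):
        raw_hit = find_first(SAMPLE_LOG, needle, raw_summary)
        full_hit = find_first(SAMPLE_LOG, needle, rendered_message)
        print(f"{needle!r}: raw -> {raw_hit and raw_hit.record_number}, "
              f"rendered -> {full_hit and full_hit.record_number}")
```

Searching the raw summary finds "Volume Shadow Copy" but not "Volume Shadow Copy service", because the word "service" only exists in the rendered template; searching the rendered message finds both. Note that the first old-to-new hit for "Volume Shadow Copy" is the "running" record, not the "stopped" one, so a search string should include the state if that is what the rule is meant to catch.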
Comments
-> no special rules although I suspect Windows reporting it differently depending on the way it is accessed
Also, once an event is found with the search string, ServersCheck will continue to report a positive match until the event log is cleared. Is this correct?
-> correct
Lastly, does ServersCheck search the event log starting from the newest events to the oldest?
-> first one found (old -> new)