Ingesting Windows Event Logs

How to ingest and alert on Windows Event Logs.

Introduction

Event Log Monitoring helps IT administrators monitor the event logs (the ones shown in Event Viewer) on all Windows devices in the network. OpsRamp generates alerts depending on the conditions configured in the monitor.

Windows event log monitoring performs the following steps:

  1. The Agent receives the Windows Event logs and pre-processes and normalizes them.
  2. The Cloud defines the pre-processing policy.
  3. The Agent performs the pre-processing and normalization.

Using Windows Event Log monitoring, you can monitor the log data of the Windows devices in your network. You configure event log monitors in OpsRamp and then manage your Windows devices from there.

OpsRamp Event Log Monitoring gives you a holistic view of your environment. If a device has multiple event log monitors, the monitor frequency of the last applied monitor in OpsRamp is used.

Configure event log monitoring with one of the following methods:

  • Creating a template
  • Assigning the template from devices

Configuring event log monitoring

Event log monitoring can be configured with one of the following methods:

  • While creating a template.
  • While assigning a template from a resource.

Configuring event log monitoring while creating a template

To configure event log monitoring while creating a template:

  1. From All Clients, select a client.
  2. Go to Setup > Monitoring > Templates.
  3. From TEMPLATES, click +, provide the following:
    • Select Template Scope: Refers to the Template type.
    • Collector Type: Select Agent.
    • Applicable for: Select Device.
    • Template Name: Refers to the name of the template.
    • Description: Refers to the summary of the template.
    • Generation: Refers to the generation that the template belongs to.
    • Tags: Refers to the information that you can tag for your easy reference. 
    • Prerequisites: Refers to the essential things that the user must consider while monitoring using the template. For example, the user must check the SQL services while monitoring the SQL Parameters using the Windows templates.
    • Status: Refers to the Active or End-of-life templates.
    • Notes: Refers to the additional information that you want to add to the template.
    • Template Family Name:
    • Deployment Type: Refers to one of the methods to apply the template to the resources.
      • Custom
      • Optional
      • Standard
  4. After providing the template details, navigate to Event Log Monitors.
  5. From Event Log Monitors, provide the Monitor details for the parameters:
    • Frequency: How often the logs are checked. OpsRamp recommends selecting 15 min.
    • Alert: Select to initiate monitoring and alerting.
    • Log Type and Log Level: The log categories available for monitoring. You can select the desired log levels for each log type category.
    • Source: The source names whose events are monitored. You can provide multiple sources separated by commas.
    • Event Ids: The event IDs to monitor. You can provide multiple event IDs separated by commas.
    • Message String: Event description text or a regular expression; only events whose message matches the given string are monitored.
    • Included: Monitor only events that match the given source names, event IDs, or both, within the selected log categories.
    • Excluded: Skip monitoring of events that match the given source names, event IDs, or both, within the selected log categories.
  6. Click Save. The new template appears in the Templates list.

After the event log monitors are configured, the Agent collects data according to the configured event log parameters and sends it to the Cloud.

Configuring event log monitoring while assigning a template from a resource

To configure the event log monitoring from a resource:

  1. From All Clients, select a client.
  2. Go to Infrastructure > Resources, select a required resource from the list of resources. Alternatively, use the search option to locate the resource.
  3. Click the resource name to view details.
  4. From the left pane, click Monitors > Monitors > +Assign Templates.
  5. From Add Monitor, provide the following:
    • Collector Type: Select Agent.
    • Category: Select Event Log Monitor.
    • Frequency: How often the logs are checked. OpsRamp recommends selecting 15 min.
    • Alert: Select to initiate monitoring and alerting.
    • Log Type and Log Level: The log categories available for monitoring. You can select the desired log levels for each log type category.
    • Source: The source names whose events are monitored. You can provide multiple sources separated by commas.
    • Event Ids: The event IDs to monitor. You can provide multiple event IDs separated by commas.
    • Message String: Event description text or a regular expression; only events whose message matches the given string are monitored.
    • Included: Monitor only events that match the given source names, event IDs, or both, within the selected log categories.
    • Excluded: Skip monitoring of events that match the given source names, event IDs, or both, within the selected log categories.
  6. Click Save.

If an event matches the configured criteria, OpsRamp sends it as a critical alert.
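The Log Type/Log Level, Source, Event Ids, Message String and Included/Excluded fields described in both procedures above combine into one filter. The following is an added example, not OpsRamp's own code, that models that filter over a few constructed event records so you can check before saving a monitor which events it would turn into critical alerts; the `EventLogMonitor` class and the sample events are assumptions made for the illustration.

```python
import re
from dataclasses import dataclass

# Constructed sample events, shaped like the fields a Windows Event Log
# record exposes: log type, level, source (provider), event ID and message.
SAMPLE_EVENTS = [
    {"log": "Security", "level": "Audit Failure", "source": "Microsoft-Windows-Security-Auditing",
     "event_id": 4625, "message": "An account failed to log on. Logon Type: 3"},
    {"log": "Security", "level": "Audit Success", "source": "Microsoft-Windows-Security-Auditing",
     "event_id": 4624, "message": "An account was successfully logged on. Logon Type: 2"},
    {"log": "System", "level": "Error", "source": "Service Control Manager",
     "event_id": 7034, "message": "The Print Spooler service terminated unexpectedly."},
    {"log": "Application", "level": "Information", "source": "MsiInstaller",
     "event_id": 1033, "message": "Windows Installer installed the product."},
]


@dataclass
class EventLogMonitor:
    """Hypothetical model of the monitor fields on this page (not OpsRamp's API)."""
    log_levels: dict             # Log Type -> set of Log Levels, e.g. {"Security": {"Audit Failure"}}
    sources: str = ""            # Source: comma-separated source names
    event_ids: str = ""          # Event Ids: comma-separated IDs
    message_string: str = ""     # Message String: plain text or regular expression
    mode: str = "Included"       # "Included" or "Excluded"

    def _criteria_hit(self, ev):
        """True/False if any Source/Event Ids/Message criteria are set, None if none are."""
        src = {s.strip() for s in self.sources.split(",") if s.strip()}
        ids = {int(i) for i in self.event_ids.split(",") if i.strip()}
        checks = []
        if src:
            checks.append(ev["source"] in src)
        if ids:
            checks.append(ev["event_id"] in ids)
        if self.message_string:
            checks.append(re.search(self.message_string, ev["message"]) is not None)
        return all(checks) if checks else None

    def select(self, events):
        """Return the events this monitor would raise as critical alerts."""
        out = []
        for ev in events:
            # Log Type / Log Level act as a category gate in both modes.
            if ev["level"] not in self.log_levels.get(ev["log"], set()):
                continue
            hit = self._criteria_hit(ev)
            # Included keeps matches only; Excluded drops matches; no criteria keeps everything.
            if hit is not None and (self.mode == "Included") != hit:
                continue
            out.append(ev)
        return out
```

Note that Message String is applied with `re.search`, so a plain string containing regex metacharacters is interpreted as a pattern, just as the page describes the field.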