Windows event log monitoring tracks the event logs generated in the system viewer of all Windows operating systems in your network. Alerts are generated depending on the conditions specified in the monitor.

Windows event log monitoring involves the following functions:

  • Defining the pre-processing policy in the event log monitor.
  • Receiving, pre-processing, and normalizing the logs in the agent.

Create a Windows event log monitoring template

Follow these steps to create an event log monitor:

  1. Select a client from the All Clients list.

  2. Navigate to Setup > Monitoring > Templates.

  3. Click + Add.

  4. Enter the following information:

    Property: Description
    Select Template Scope: Template scope:
      • Partner Template
      • Client-specific Template
    Client: This field is populated if you select Template Scope as Client Specific Template. Select a client from the drop-down list.
    Collector Type: For Windows event logs, select Agent.
    Monitor Type: Select G1 Monitors as monitor type.
    Applicable For: Select resource.
    Template Name: Provide the template name.
    Description: Provide the template description.
    Generation: The generation that the template belongs to. Pre-populated depending on the Monitor Type selection.
    Version: Template version. Fixed value = 1.
    Tags: User-defined tags for easy reference.
    Prerequisites: User-defined prerequisites of what to consider when using this template.
    Status: Template status: Active
    Notes: Template notes.
    Template Family Name: User-defined template family name.
    Deployment Type: Deployment type: Standard

  5. Expand the Event Log Monitor section by clicking + Add.

  6. Enter the following properties:

    Event Log Monitor
    Property: Description
    Frequency: Log monitoring frequency. Recommended: 15 minutes.
    Alert: Select the checkbox to initiate monitoring.
    Log Type: For each category you want to associate with the event logs, select the severity level(s):
      • All: Select all severity levels.
      • Error
      • Critical
      • Information
      • Success
      • Warning
    Articles: Knowledge base articles to attach to the template. Choose Select or Modify and select from the list of articles.
    Source: Source names to monitor the events. You can enter multiple comma-separated sources.
    Event Ids: Required event IDs. You can enter multiple comma-separated event IDs.
    Message String: Event description or regex to match against monitored events. You can enter multiple message strings separated by $$. The message string field supports both normal and regex strings. The following characters must be preceded by the \ escape character: [, ], {, }, (, ), $, +, *, /, \
    Alert Component: Enter the component name. If the event log source names and event ID are the same but the message search string is different, the agent creates a separate event log alert based on the given component name. The Alert Component field is optional, and alert component support is only available for the Included drop-down filter.
    Included/Excluded: From the drop-down, select:
      • Included: Monitor only the specified source names, event IDs, or both, from the selected categories.
      • Excluded: Skip monitoring of the specified source names, event IDs, or both, from the selected categories.
    RunBook Automation: Configure the RunBook Automation.

  7. Click Save to apply the configuration parameters.
    After configuring an event log monitor and assigning the template on the Windows resources, the agent starts collecting data according to the specified event log parameters and sends the alerts to the OpsRamp cloud.
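
The escaping and $$ separator rules for the Message String field can be checked offline before a template is saved. The following is an added example, not OpsRamp code: it escapes literal strings using the character list above, joins them with $$, and previews matches with Python's re module, which is assumed here to approximate the agent's matching. All function names and the sample messages are constructed for illustration.

```python
import re

# Characters the page says must be preceded by "\" in the Message String field.
MUST_ESCAPE = set("[]{}()$+*/\\")
SEPARATOR = "$$"  # the page's separator between multiple message strings


def escape_literal(text):
    """Backslash-escape the listed characters so text is matched literally."""
    return "".join("\\" + ch if ch in MUST_ESCAPE else ch for ch in text)


def build_field(literals):
    """Join several literal message strings into one Message String value."""
    return SEPARATOR.join(escape_literal(item) for item in literals)


def split_field(field):
    """Split on the separator, leaving backslash-escaped characters intact."""
    parts, current, i = [], [], 0
    while i < len(field):
        if field[i] == "\\" and i + 1 < len(field):
            current.append(field[i:i + 2])  # keep the escape pair together
            i += 2
        elif field.startswith(SEPARATOR, i):
            parts.append("".join(current))
            current, i = [], i + 2
        else:
            current.append(field[i])
            i += 1
    parts.append("".join(current))
    return [part for part in parts if part]


def preview(field, messages):
    """Return (message, first matching pattern or None) for each message.

    Assumption: re.search stands in for the agent's matching behaviour.
    """
    patterns = split_field(field)
    return [(msg, next((p for p in patterns if re.search(p, msg)), None))
            for msg in messages]


# Constructed sample event descriptions, not taken from a real system.
SAMPLES = [
    r"A network share object was accessed. Share Name: \\*\C$",
    "Backup job finished with errors (exit code 1)",
    "The audit log was cleared.",
]
FIELD = build_field([r"Share Name: \\*\C$", "(exit code 1)"])
```

Paste the value of FIELD into Message String only after the preview matches the events you expect and skips the rest.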

Add custom event log monitors to the template

You can add, update, and delete custom event log monitors in the template. A custom event log monitor is available only to the specific template.

This lets users customize event log monitors at the template scope, adding, updating, and deleting them as needed without touching the global event log monitors.

Follow these steps to customize the event log monitors:

  1. Select a client from the All Clients list.

  2. Navigate to Setup > Monitoring > Templates.

  3. Use the Advanced Search to search for the G1-based template with Agent as the collector type.

  4. Click the template name to view the template details.

  5. Go to the Event log monitor section.

  6. Select the monitoring frequency and select the Alert check box.

    Event Log Monitor - Log Type

  7. Go to the Log Type – Template scope section to add a custom event log for this template.

  8. Enter the information and click the Create LogType button to create an event log monitor.

  9. Click Save to save the template.

Notes:

  • When you create an event log monitor at the Service Provider scope, it will be available globally.
  • If a partner user creates template-scope event log monitors, then any client under the partner can view the customized event log monitors, but they cannot modify the log type.
  • If a client user wants to create custom event log monitors, they can create them in the Log Type – Template Scope section and update or delete them as required.