
How Event Log Monitoring is done


Event Log Monitoring

Event Log is a Windows service that records the activities that take place on a computer. By default Windows provides logs for Application, System and Security. The Application log contains events logged by applications running on the computer. The System log contains events logged by other services and kernel-mode components such as device drivers. The Security log contains events such as logon attempts and suspicious port scans. If the machine is a Domain Controller, Windows additionally provides logs for DNS, File Replication and Directory Services.

The Probe periodically (every 5 minutes by default) collects the event logs from the devices and sends them to the Central. The Probe uses WMI to fetch the event logs from the devices, so make sure the correct credentials are configured for each device. The Central has a set of pre-defined rules called Event log rules. Each rule specifies the Event ID, Type, Source, Category etc. used to filter the event logs; every collected event is compared against the Event log rules. If an event matches a rule, then either an alarm is raised or the event is ignored. The severity of the alarm is configured in the event log rule. Apart from the default Event log rules you can also create your own event log rules.



An event picked up by the Central is verified against the rules one by one, sequentially. A single event can match more than one rule. For example, if an event matches a rule configured to raise an alert with severity Critical, the Central holds a Critical alarm in its cache while it checks the same event against the subsequent rules. If the event then matches another rule that is configured to ignore the event, the Central ignores the event (the Ignore option takes precedence). If instead the second matched rule is configured to raise an alert with some other severity, the alert is raised with the higher of the two severities.
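The matching order described above (rules checked sequentially, Ignore winning over any earlier match, otherwise the highest severity among matching rules) is easy to get wrong when writing custom rules, so here is a small model of it. This is an added illustration, not OpManager's own code: the Event and Rule fields follow the page's description (Event ID, Type, Source, Category plus the log file), the severity ranking and the sample rules and events are constructed for the example, and Event ID 4625 is the standard Windows Security event for a failed logon (not taken from this page).

```python
"""Illustrative model of sequential event-log rule matching (added example).

Not OpManager's code. Rule fields follow the page's description; the
precedence semantics are the ones the page states: rules are checked in
order, an 'ignore' rule suppresses the event regardless of its position,
and otherwise the highest severity among the matching rules is raised.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Severity ranking assumed for the example (higher number = more severe).
SEVERITY_RANK = {"info": 1, "warning": 2, "critical": 3}


@dataclass(frozen=True)
class Event:
    event_id: int
    event_type: str   # e.g. "Error", "Warning", "Audit Failure"
    source: str
    category: str
    log_file: str     # Application, System, Security, ...
    message: str


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                       # "alert" or "ignore"
    severity: Optional[str] = None    # only meaningful when action == "alert"
    event_id: Optional[int] = None    # None means "match any value"
    event_type: Optional[str] = None
    source: Optional[str] = None
    category: Optional[str] = None
    log_file: Optional[str] = None

    def matches(self, ev: Event) -> bool:
        """Every field the rule sets must equal the event's field."""
        for field in ("event_id", "event_type", "source", "category", "log_file"):
            want = getattr(self, field)
            if want is not None and want != getattr(ev, field):
                return False
        return True


def evaluate(event: Event, rules: List[Rule]) -> Optional[Dict[str, object]]:
    """Walk the rules in order and decide what happens to one event.

    Returns None when no rule matches or when an 'ignore' rule matches;
    otherwise a dict describing the alarm that would be raised.
    """
    pending = None  # the alarm held "in cache" while later rules are checked
    for rule in rules:
        if not rule.matches(event):
            continue
        if rule.action == "ignore":
            return None  # Ignore takes precedence over any earlier match
        if pending is None or SEVERITY_RANK[rule.severity] > SEVERITY_RANK[pending["severity"]]:
            pending = {"severity": rule.severity, "rule": rule.name,
                       "event_id": event.event_id, "message": event.message}
    return pending


# Constructed sample rules: note that "app-errors" sits BEFORE "ignore-test-app".
RULES = [
    Rule("failed-logon", "alert", "warning", event_id=4625, log_file="Security"),
    Rule("failed-logon-audit", "alert", "critical", event_id=4625,
         source="Microsoft-Windows-Security-Auditing", log_file="Security"),
    Rule("app-errors", "alert", "warning", event_type="Error", log_file="Application"),
    Rule("ignore-test-app", "ignore", source="TestApp"),
]

# Constructed sample events.
SAMPLE_EVENTS = {
    "logon_failure": Event(4625, "Audit Failure", "Microsoft-Windows-Security-Auditing",
                           "Logon", "Security", "An account failed to log on."),
    "testapp_error": Event(1000, "Error", "TestApp", "None", "Application",
                           "Unhandled exception in TestApp."),
    "other_error": Event(1000, "Error", "OtherApp", "None", "Application",
                         "Unhandled exception in OtherApp."),
    "system_info": Event(6005, "Information", "EventLog", "None", "System",
                         "The Event log service was started."),
}


def run_sample() -> Dict[str, Optional[str]]:
    """Evaluate each sample event and return the resulting severity (or None)."""
    results = {}
    for name, ev in SAMPLE_EVENTS.items():
        alarm = evaluate(ev, RULES)
        results[name] = None if alarm is None else alarm["severity"]
    return results


if __name__ == "__main__":
    for name, severity in run_sample().items():
        print(f"{name:15s} -> {severity or 'ignored / no match'}")
```

The logon failure matches both 4625 rules and comes out Critical (the higher severity); the TestApp error first matches the Warning rule and is then dropped by the later Ignore rule, which is the precedence the page describes; the OtherApp error only matches the Warning rule; the System information event matches nothing.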

The alarms raised for event logs contain the Event ID and the description of the event. You can configure notification profiles for the Event log monitor so that you are notified immediately whenever an alarm is raised. You can use the Quick Configuration Wizard to associate event log rules with multiple devices.

All the events are processed and stored in the Central's database. The following tables hold the event log data.
  • eventlogdeviceinfo - Provides the details of the devices to which event log rules are associated, along with the status, monitoring interval and last polled time.
  • eventlogfile - Provides the list of log file names (Application, System, Security, DNS etc.) and their IDs.
  • eventlogrule - Provides the details of the event log rules.
  • eventlogrunnable - Provides the device name and the next polling time. This information is available in the Probe's database only.
The message shown in event log alarms gets truncated in older builds (prior to 7101). This is fixed in the latest release. If you still see such truncation, check the following tables and fields:
  • alert - check whether the field MMESSAGE is of type text
  • event - check whether the field TEXT is of type text
If they are of integer type, change them to text type.




