Alerts - Event Logs

Select Event Logs from the Select Alert Function drop-down list

The Alerts - Event Logs page triggers an alert when an event log entry for a selected machine matches a specified criteria. After selecting the event log type, you can filter the alerts triggered by event set and by event category.

Note: You can display event logs directly. On a Windows machine click Start, then click Control Panel, then click Administrative Tools, then click Event Viewer. Click Application, Security or System to display the events in each log.

Prerequisite

Event logging must be enabled for a particular machine using Agent > Event Log Settings.

Windows Event Logs

An event log service runs on Windows operating systems (Not available with Win9x). The event log service enables event log messages to be issued by Window based programs and components. These events are stored in event logs located on each machine. The event logs of managed machines can be stored in the KServer database, serve as the basis of alerts and reports, and be archived.

Depending on the operating system, the event logs types available include but are not limited to:

Application log
Security log
System log
Directory service log
File Replication service log
DNS server log

The list of event types available to select can be updated using Monitoring > Update Lists by Scan.

Windows events are further classified by the following event log categories:

Error
Warning
Information
Success Audit
Failure Audit
Critical - Applies only to Vista.
Verbose - Applies only to Vista.

Event logs are used or referenced by the following VSA pages:

Monitor > Agent Logs
Monitor > Alerts > Event Logs
Monitor > Alerts > Edit Event Sets
Monitor > Update Lists by Scan
Agent > Log History
Agent > Event Log Settings
Agent > Agent Logs
Reports > Logs

System > Database Views > vNtEventLog

Event Sets

Because the number of events in Windows based events logs is enormous the VSA uses a record type called an event set to filter the triggering of alerts.

Event sets contain one or more conditions. Each condition contains filters for different fields in an event log entry. The fields are source, category, event ID, user, and description. An event log entry has to match all the field filters of a condition to be considered a match. A field with an asterisk character (*) means any string, including a zero string, is considered a match. A match of any one of the conditions in an event set triggers an alert on any machine that event set is applied to.

For details on how to configure event sets, see Monitor > Alerts > Event Logs > Edit Event Sets.

Sample Event Sets

The VSA provides a growing list of sample event sets. The names of sample event sets begin with ZC. They can be updated using System > Configure. You can modify sample event sets, but its better practice to copy a sample event set and customize the copy. Sample event sets are subject to being overwritten every time the sample sets are updated. An Excel document called Standard Monitoring Library.xls provides a description of each sample event set. It can be downloaded from the Kaseya Support Forum.

Creating an Event Log Alert

On the Monitor > Alerts page select the event log type using the drop-down list.
Select the Event Set filter used to filter the events that trigger alerts. By default <All Events> is selected.
Check the box next to any of the following event category:
- Error
- Warning
- Information
- Success Audit
- Failure Audit
- Critical - Applies only to Vista.
- Verbose - Applies only to Vista.
  Note: Red letters indicate logging disabled. Event logs may be disabled by the VSA for a particular machine, based on settings defined using Agent > Event Log Settings. A particular event category may be not be available for certain machines, such as the Critical and Verbose event categories for non-Vista machines.
Specify the frequency of the alarm condition required to trigger an alert:
- Alert when this event occurs once.
- Alert when this event occurs <N> times within <N> <periods>.
- Alert when this event doesn't occur within <N> <periods>.
- Ignore additional alarms for <N> <periods>.
Click the Add or Replace radio options, then click Apply to assign selected event type alerts to selected machine IDs.
Click Remove to remove all event based alerts from selected machine IDs.

Global Event Log Black List

Each agent processes all events, however events listed on a "black list" are not uploaded to the VSA server. There are two black lists. One is updated periodically by Kaseya and is named EvLogBlkList.xml. The second one, named EvLogBlkListEx.xml, can be maintained by the service provider and is not updated by Kaseya. Both are located in the \Kaseya\WebPages\ManagedFiles\VSAHiddenFiles directory. Alarm detection and processing operates regardless of whether entries are on the collection blacklist.

Flood Detection

If 1000 events—not counting black list events—are uploaded to the KServer by an agent within one hour, further collection of events of that log type are stopped for the remainder of that hour. A new event is inserted into the log to record that collection has been suspended. A new event is inserted into the event log to record that collection was suspended. At the end of the hour, collection automatically resumes. This prevents short term heavy loads from swamping your KServer. Alarm detection and processing operates regardless of whether collection is suspended.

Passing Alert Information to Emails and Scripts

The following types of monitoring alert emails can be sent and formatted:

Single event log alert. Same template applied to all event log types.
Multiple event log alerts. Same template applied to all event log types.
Missing event log alert. Same template applied to all event log types.

Note: Changing this email alarm format changes the format for all Event Logs alert emails.

The following variables can be included in your formatted email alerts and in scripts.

Within an Email	Within a Script	Description
<at>	#at#	alert time
<cg>	#cg#	Event category
<cn>	#cn#	computer name
<db-view.column>	not available	Include a view.column from the database. For example, to include the computer name of the machine generating the alert in an email, use <db-vMachine.ComputerName>
<ed>	#ed#	event description
<ei>	#ei#	event id
<es>	#es#	event source
<esn>	#esn#	event source name
<et>	#et#	event time
<eu>	#eu#	event user
<ev>	#ev#	event set name
<gr>	#gr#	group ID
<id>	#id#	machine ID
<lt>	#lt#	log type (Application, Security, System)
<tp>	#tp#	event type - (Error, Warning, Informational, Success Audit, or Failure Audit)
	#subject#	subject text of the email message, if an email was sent in response to an alert
	#body#	body text of the email message, if an email was sent in response to an alert

Note: Only the following variables can be included in multiple event log alerts: <at> <ed> <ev> <gr> <id> <lt>.

Apply

Click Apply to apply alert parameters to selected machine IDs. Confirm the information has been applied correctly in the machine ID list.

Clear

Click Clear to remove all parameter settings from selected machine IDs.

Create Alarm

If checked and an alarm condition is encountered, an alarm is created. Alarms are displayed in Monitor > Dashboard List, Monitor > Alarm Summary and Reports > Logs > Alarm Log.

Create Ticket

If checked and an alarm condition is encountered, a ticket is created.

Run Script

If checked and an alarm condition is encountered, a script is run. You must click the select script link to choose a script to run. You can optionally direct the script to run on a specified range of machine IDs by clicking this machine ID link. These specified machine IDs do not have to match the machine ID that triggered the alarm condition.

Email Recipients

If checked and an alarm condition is encountered, an email is sent to the specified email addresses.

The email address of the currently logged in administrator displays in the Email Recipients field. It defaults from System > Preferences.
Click Format Email to display the Format Alert Email popup window. This window enables you to format the display of emails generated by the system when an alarm condition is encountered.
If the Add to current list radio option is selected, when Apply is clicked alert settings are applied and the specified email addresses are added without removing previously assigned email addresses.
If the Replace list radio option is selected, when Apply is clicked alert settings are applied and the specified email addresses replace the existing email addresses assigned.
If Removed is clicked, all email addresses are removed without modifying any alert parameters.
Email is sent directly from the KServer to the email address specified in the alert. The SMTP service in IIS sends the email directly to the address specified. Set the From Address using System > Configure.

Select All/Unselect All

Click the Select All link to check all rows on the page. Click the Unselect All link to uncheck all rows on the page.

Check-in status

These icons indicate the agent check-in status of each managed machine:

Agent has checked in

Agent has checked in and user is logged on. Tool tip lists the logon name.

Agent has not recently checked in

Agent has never checked in

Online but waiting for first audit to complete

The agent is online but remote control is disabled

The agent has been suspended

Machine.Group ID

The list of Machine ID.Group IDs displayed is based on the Machine ID / Group ID filter and the machine groups the administrator is authorized to see using System > Group Access.

Edit Icon

Click a row's edit icon to populate header parameters with values from that row. You can edit these values in the header and re-apply them.

Log Type

The type of event log being monitored.

ATSE

The ATSE response code assigned to machine IDs or SNMP devices:

A = Create Alarm
T = Create Ticket
S = Run Script
E = Email Recipients

EWISFCV

The event category being monitored.

Email Address

A comma separated list of email addresses where notifications are sent.

Event Set

The event set assigned to this machine ID. Multiple events sets can be assigned to the same machine ID.

Interval

The number of times an event occurs within a specified number of periods. Applies only if the Alert when this event occurs <N> times within <N> <periods> option is selected. Displays Missing if the Alert when this event doesn't occur within <N> <periods> option is selected. Displays 1 if the Alert when this event occurs once is selected.

Duration

The number of periods and event must occur to trigger an alert. Applies only if the Alert when this event occurs <N> times within <N> <periods> or Alert when this event doesn't occur within <N> <periods> options are selected.

Re-Arm

Displays the number of periods to wait before triggering any new alerts for the same combination of event set and event category. Applies only if a re-arm period greater than zero is specified using Ignore additional alarms for <N> <periods>.

Topic 4251: Send Feedback. Download a PDF of this online book from the first topic in the table of contents.