Alerts - Event LogsThe Alerts - Event Logs page triggers an alert when an event log entry for a selected machine matches a specified criteria. After selecting the event log type, you can filter the alarm conditions specified by event set and by event category. Note: You can display event logs directly. On a Windows machine click Start, then click Control Panel, then click Administrative Tools, then click Event Viewer. Click Application, Security or System to display the events in each log. Prerequisite Event logging must be enabled for a particular machine using Agent > Event Log Settings. Windows Event Logs An event log service runs on Windows operating systems (Not available with Win9x). The event log service enables event log messages to be issued by Window based programs and components. These events are stored in event logs located on each machine. The event logs of managed machines can be stored in the KServer database, serve as the basis of alerts and reports, and be archived. Depending on the operating system, the event log types available include but are not limited to:
The list of event types available to select can be updated using Monitoring > Update Lists by Scan. Windows events are further classified by the following event log categories:
Event logs are used or referenced by the following VSA pages:
Event Sets Because the number of events in Windows events logs is enormous the VSA uses a record type called an event set to filter an alarm condition. Event sets contain one or more conditions. Each condition contains filters for different fields in an event log entry. The fields are source, category, event ID, user, and description. An event log entry has to match all the field filters of a condition to be considered a match. A field with an asterisk character (*) means any string, including a zero string, is considered a match. A match of any one of the conditions in an event set is sufficient to trigger an alert for any machine that event set is applied to. For details on how to configure event sets, see Monitor > Alerts > Event Logs > Edit Event Sets. Sample Event Sets A growing list of sample event sets are provided. The names of sample event sets begin with ZC. You can modify sample event sets, but its better practice to copy a sample event set and customize the copy. Sample event sets are subject to being overwritten every time the sample sets are updated during a maintenance cycle. Creating an Event Log Alert
Global Event Log Black List Each agent processes all events, however events listed on a "black list" are not uploaded to the VSA server. There are two black lists. One is updated periodically by Kaseya and is named Flood Detection If 1000 events—not counting black list events—are uploaded to the KServer by an agent within one hour, further collection of events of that log type are stopped for the remainder of that hour. A new event is inserted into the event log to record that collection was suspended. At the end of the hour, collection automatically resumes. This prevents short term heavy loads from swamping your KServer. Alarm detection and processing operates regardless of whether collection is suspended. Passing Alert Information to Emails and Procedures The following types of monitoring alert emails can be sent and formatted:
Note: Changing this email alarm format changes the format for all The following variables can be included in your formatted email alerts and in procedures.
Note: Only the following variables can be included in multiple event log alerts: <at> <ed> <ev> <gr> <id> <lt>. Apply Click Apply to apply parameters to selected machine IDs. Confirm the information has been applied correctly in the machine ID list. Clear Click Clear to remove all parameter settings from selected machine IDs. Create Alarm If checked and an alarm condition is encountered, an alarm is created. Alarms are displayed in Monitor > Dashboard List, Monitor > Alarm Summary and Info Center > Reports > Logs > Alarm Log. Create Ticket If checked and an alarm condition is encountered, a ticket is created. Run Script If checked and an alarm condition is encountered, an agent procedure is run. You must click the select agent procedure link to choose an agent procedure to run. You can optionally direct the agent procedure to run on a specified range of machine IDs by clicking this machine ID link. These specified machine IDs do not have to match the machine ID that encountered the alarm condition. Email Recipients If checked and an alarm condition is encountered, an email is sent to the specified email addresses.
Select All/Unselect All Click the Select All link to check all rows on the page. Click the Unselect All link to uncheck all rows on the page. Check-in status These icons indicate the agent check-in status of each managed machine. Hovering the cursor over a check-in icon displays the agent quick view window. Online but waiting for first audit to complete Agent online Agent online and user currently logged on. Agent online and user currently logged on, but user not active for 10 minutes Agent is currently offline Agent has never checked in Agent is online but remote control has been disabled The agent has been suspended Machine.Group ID The list of Machine.Group IDs displayed is based on the Machine ID / Group ID filter and the machine groups the user is authorized to see using System > User Security > Scopes. Edit Icon Click a row's edit icon to populate header parameters with values from that row. You can edit these values in the header and re-apply them. Log Type The type of event log being monitored. ATSE The ATSE response code assigned to machine IDs or SNMP devices:
EWISFCV The event category being monitored. Email Address A comma separated list of email addresses where notifications are sent. Event Set The event set assigned to this machine ID. Multiple events sets can be assigned to the same machine ID. Interval The number of times an event occurs within a specified number of periods. Applies only if the Alert when this event occurs <N> times within <N> <periods> option is selected. Displays Duration The number of periods and event must occur to trigger an alarm condition. Applies only if the Alert when this event occurs <N> times within <N> <periods> or Alert when this event doesn't occur within <N> <periods> options are selected. Re-Arm Displays the number of periods to wait before triggering any new alarm conditions for the same combination of event set and event category. Applies only if a re-arm period greater than zero is specified using Ignore additional alarms for <N> <periods>. | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Topic 4251: Send Feedback. Download a PDF of this online book from the first topic in the table of contents. Print this topic. |