Alerts - Event Logs

The Alerts - Event Logs page triggers an alert when an event log entry for a selected machine matches specified criteria. After selecting the event log type, you can filter the alarm conditions by event set and by event category.

Note: You can display event logs directly. On a Windows machine, click Start, then click Control Panel, then click Administrative Tools, then click Event Viewer. Click Application, Security or System to display the events in each log.

Prerequisite

Event logging must be enabled for a particular machine using Agent > Event Log Settings.

Windows Event Logs

An event log service runs on Windows operating systems (not available with Win9x). The event log service enables event log messages to be issued by Windows-based programs and components. These events are stored in event logs located on each machine. The event logs of managed machines can be stored in the KServer database, serve as the basis of alerts and reports, and be archived.

Depending on the operating system, the event log types available include but are not limited to:

  • Application log
  • Security log
  • System log
  • Directory service log
  • File Replication service log
  • DNS server log

The list of event types available to select can be updated using Monitoring > Update Lists by Scan.

Windows events are further classified by the following event log categories:

  • Error
  • Warning
  • Information
  • Success Audit
  • Failure Audit
  • Critical - Applies only to Vista, Windows 7 and Windows Server 2008
  • Verbose - Applies only to Vista, Windows 7 and Windows Server 2008

Event logs are used or referenced by the following VSA pages:

Event Sets

Because the number of events in Windows event logs is enormous, the VSA uses a record type called an event set to filter an alarm condition.

Event sets contain one or more conditions. Each condition contains filters for different fields in an event log entry. The fields are source, category, event ID, user, and description. An event log entry has to match all the field filters of a condition to be considered a match. A field with an asterisk character (*) means any string, including a zero-length string, is considered a match. A match of any one of the conditions in an event set is sufficient to trigger an alert for any machine that event set is applied to.

For details on how to configure event sets, see Monitor > Alerts > Event Logs > Edit Event Sets.
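The matching rules above (all field filters within a condition, any one condition within the set) are shown here as an added Python example, not VSA code. The event set, the sample entries, case-insensitive comparison, and treating an asterisk inside a longer filter as a wildcard are assumptions.

```python
import re
from dataclasses import dataclass, fields

def field_matches(pattern: str, value: str) -> bool:
    """True if value satisfies the filter; '*' matches any string, even ''."""
    # Assumptions: '*' may also appear inside a filter, and case is ignored.
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value, re.IGNORECASE | re.DOTALL) is not None

@dataclass(frozen=True)
class Condition:
    """One condition: a filter per event field, '*' (match anything) by default."""
    source: str = "*"
    category: str = "*"
    event_id: str = "*"
    user: str = "*"
    description: str = "*"

    def matches(self, event: dict) -> bool:
        # Every field filter must match: logical AND inside a condition.
        return all(field_matches(getattr(self, f.name), str(event.get(f.name, "")))
                   for f in fields(self))

def event_set_matches(conditions, event: dict) -> bool:
    # One matching condition is enough: logical OR across the event set.
    return any(c.matches(event) for c in conditions)

# Hypothetical event set, not one of the product's samples.
EVENT_SET = [
    Condition(source="Microsoft-Windows-Security-Auditing", event_id="4625"),
    Condition(source="ExampleBackup", description="*failed*"),
]

# Constructed event log entries.
EVENTS = [
    {"source": "Microsoft-Windows-Security-Auditing", "category": "Logon",
     "event_id": "4625", "user": "", "description": "An account failed to log on."},
    {"source": "Microsoft-Windows-Security-Auditing", "category": "Logon",
     "event_id": "4624", "user": "CORP\\alice", "description": "Successful logon."},
    {"source": "ExampleBackup", "category": "None", "event_id": "12",
     "user": "SYSTEM", "description": "Nightly job FAILED: volume not found"},
    {"source": "ExampleBackup", "category": "None", "event_id": "10",
     "user": "SYSTEM", "description": "Nightly job completed"},
]

def matched_ids(conditions=EVENT_SET, events=EVENTS):
    """Event IDs of the entries that would satisfy the event set."""
    return [e["event_id"] for e in events if event_set_matches(conditions, e)]
```

The first entry matches even though its user field is empty, because the default `*` filter accepts a zero-length string.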

Sample Event Sets

A growing list of sample event sets is provided. The names of sample event sets begin with ZC. You can modify sample event sets, but it's better practice to copy a sample event set and customize the copy. Sample event sets are subject to being overwritten every time the sample sets are updated during a maintenance cycle.

Creating an Event Log Alert

  1. On the Monitor > Alerts page select the event log type using the drop-down list.
  2. Select the Event Set filter used to filter the events that trigger alerts. By default <All Events> is selected.
  3. Check the box next to any of the following event categories:
    • Error
    • Warning
    • Information
    • Success Audit
    • Failure Audit
    • Critical - Applies only to Vista, Windows 7 and Windows Server 2008
    • Verbose - Applies only to Vista, Windows 7 and Windows Server 2008

      Note: Red letters indicate logging disabled. Event logs may be disabled by the VSA for a particular machine, based on settings defined using Agent > Event Log Settings. A particular event category may not be available for certain machines, such as the Critical and Verbose event categories.

  4. Specify the frequency of the alarm condition required to trigger an alert:
    • Alert when this event occurs once.
    • Alert when this event occurs <N> times within <N> <periods>.
    • Alert when this event doesn't occur within <N> <periods>.
    • Ignore additional alarms for <N> <periods>.
  5. Click the Add or Replace radio options, then click Apply to assign selected event type alerts to selected machine IDs.
  6. Click Remove to remove all event based alerts from selected machine IDs.
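How the frequency options in step 4 interact (a count within a window, a missing event, and the re-arm period set by "Ignore additional alarms") is shown in the following added Python example, which is not VSA code. Restarting the count after an alert fires, and the constructed timeline, are assumptions.

```python
from collections import deque
from datetime import datetime, timedelta

class FrequencyAlert:
    """Alert when an event occurs `count` times within `window`, then stay
    quiet for `rearm` (the 'Ignore additional alarms' setting)."""

    def __init__(self, count: int, window: timedelta, rearm: timedelta = timedelta(0)):
        self.count, self.window, self.rearm = count, window, rearm
        self.hits = deque()        # times of matching events still inside the window
        self.quiet_until = None    # end of the current re-arm period, if any

    def observe(self, ts: datetime) -> bool:
        """Feed the time of one matching event; return True if an alert fires."""
        self.hits.append(ts)
        while ts - self.hits[0] > self.window:
            self.hits.popleft()    # drop events that fell out of the window
        if len(self.hits) < self.count:
            return False
        if self.quiet_until is not None and ts < self.quiet_until:
            return False           # threshold met, but still inside the re-arm period
        self.quiet_until = ts + self.rearm
        self.hits.clear()          # assumption: counting restarts after an alert
        return True

def missing_event(last_seen: datetime, now: datetime, window: timedelta) -> bool:
    """'Alert when this event doesn't occur within <N> <periods>'."""
    return now - last_seen > window

# Constructed timeline: minutes after 09:00 at which a matching event arrived.
OFFSETS = list(range(0, 10)) + list(range(70, 75))
START = datetime(2024, 1, 1, 9, 0)

def alert_offsets(rearm=timedelta(hours=1), offsets=OFFSETS):
    """Minute offsets at which '5 times within 10 minutes' raises an alert."""
    rule = FrequencyAlert(count=5, window=timedelta(minutes=10), rearm=rearm)
    return [m for m in offsets if rule.observe(START + timedelta(minutes=m))]

if __name__ == "__main__":
    print(alert_offsets())                 # with a one-hour re-arm period
    print(alert_offsets(timedelta(0)))     # with no re-arm period
```

With the one-hour re-arm period the second burst at 09:05 to 09:09 meets the threshold but raises nothing; without it, every burst alerts.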

Global Event Log Black List

Each agent processes all events; however, events listed on a "black list" are not uploaded to the VSA server. There are two black lists. One is updated periodically by Kaseya and is named EvLogBlkList.xml. The second one, named EvLogBlkListEx.xml, can be maintained by the service provider and is not updated by Kaseya. Both are located in the \Kaseya\WebPages\ManagedFiles\VSAHiddenFiles directory. Alarm detection and processing operates regardless of whether entries are on the collection blacklist.

Flood Detection

If 1000 events (not counting black list events) are uploaded to the KServer by an agent within one hour, further collection of events of that log type is stopped for the remainder of that hour. A new event is inserted into the event log to record that collection was suspended. At the end of the hour, collection automatically resumes. This prevents short-term heavy loads from swamping your KServer. Alarm detection and processing operates regardless of whether collection is suspended.
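The separation between collection (subject to the black list and the 1000-event limit) and alarm detection (subject to neither) is modelled in the following added Python example, which is not VSA code. The black list is represented as hypothetical (source, event ID) pairs because the file format is not shown on this page, "one hour" is assumed to mean the clock hour, and all events are constructed.

```python
from collections import Counter
from datetime import datetime, timedelta

FLOOD_LIMIT = 1000  # uploaded events per log type per hour, as stated on the page

def collect(events, blacklist, limit=FLOOD_LIMIT):
    """Return (uploaded, notices, alarm_checked) for one agent's events.

    events: iterable of (timestamp, log_type, source, event_id) tuples.
    blacklist: set of (source, event_id) pairs; a hypothetical stand-in for
    the entries in the two black list files.
    """
    uploaded, notices, alarm_checked = [], [], []
    per_hour = Counter()
    for ts, log_type, source, event_id in events:
        # Alarm detection sees every event, black-listed or suspended or not.
        alarm_checked.append((ts, log_type, source, event_id))
        if (source, event_id) in blacklist:
            continue                      # never uploaded, never counted
        # Assumption: "one hour" is the clock hour the event falls in.
        bucket = (log_type, ts.replace(minute=0, second=0, microsecond=0))
        if per_hour[bucket] >= limit:
            continue                      # collection suspended for this log type
        per_hour[bucket] += 1
        uploaded.append((ts, log_type, source, event_id))
        if per_hour[bucket] == limit:
            notices.append(bucket)        # the "collection suspended" record
    return uploaded, notices, alarm_checked

def sample_events():
    """Constructed data: a noisy System source, black-listed chatter, a quiet Security log."""
    t0 = datetime(2024, 1, 1, 9, 0, 0)
    noisy = [(t0 + timedelta(seconds=2 * i), "System", "ExampleDriver", "7") for i in range(1500)]
    chatter = [(t0 + timedelta(seconds=10 * i), "System", "ExampleChatter", "1") for i in range(200)]
    security = [(t0 + timedelta(minutes=30, seconds=i), "Security", "ExampleAudit", "4625")
                for i in range(10)]
    next_hour = [(t0 + timedelta(minutes=65 + i), "System", "ExampleDriver", "7") for i in range(3)]
    return sorted(noisy + chatter + security + next_hour)

def summarize():
    """Counts of uploaded events, suspension notices and alarm-checked events."""
    up, notices, checked = collect(sample_events(), {("ExampleChatter", "1")})
    return len(up), len(notices), len(checked)
```

In the sample, 500 System events from the 09:00 hour never reach the database, so a report built from collected logs has a gap there that the suspension record explains, while alerts were still evaluated against all 1713 events.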

Passing Alert Information to Emails and Procedures

The following types of monitoring alert emails can be sent and formatted:

  • Single event log alert. Same template applied to all event log types.
  • Multiple event log alerts. Same template applied to all event log types.
  • Missing event log alert. Same template applied to all event log types.

Note: Changing this email alarm format changes the format for all Event Logs alert emails.

The following variables can be included in your formatted email alerts and in procedures.

| Within an Email | Within a Procedure | Description |
|---|---|---|
| <at> | #at# | alert time |
| <cg> | #cg# | Event category |
| <cn> | #cn# | computer name |
| <db-view.column> | not available | Include a view.column from the database. For example, to include the computer name of the machine generating the alert in an email, use <db-vMachine.ComputerName> |
| <ed> | #ed# | event description |
| <ei> | #ei# | event id |
| <es> | #es# | event source |
| <esn> | #esn# | event source name |
| <et> | #et# | event time |
| <eu> | #eu# | event user |
| <ev> | #ev# | event set name |
| <gr> | #gr# | group ID |
| <id> | #id# | machine ID |
| <lt> | #lt# | log type (Application, Security, System) |
| <tp> | #tp# | event type - (Error, Warning, Informational, Success Audit, or Failure Audit) |
| | #subject# | subject text of the email message, if an email was sent in response to an alert |
| | #body# | body text of the email message, if an email was sent in response to an alert |

Note: Only the following variables can be included in multiple event log alerts: <at> <ed> <ev> <gr> <id> <lt>.

Apply

Click Apply to apply parameters to selected machine IDs. Confirm the information has been applied correctly in the machine ID list.

Clear

Click Clear to remove all parameter settings from selected machine IDs.

Create Alarm

If checked and an alarm condition is encountered, an alarm is created. Alarms are displayed in Monitor > Dashboard List, Monitor > Alarm Summary and Info Center > Reports > Logs > Alarm Log.

Create Ticket

If checked and an alarm condition is encountered, a ticket is created.

Run Script

If checked and an alarm condition is encountered, an agent procedure is run. You must click the select agent procedure link to choose an agent procedure to run. You can optionally direct the agent procedure to run on a specified range of machine IDs by clicking this machine ID link. These specified machine IDs do not have to match the machine ID that encountered the alarm condition.

Email Recipients

If checked and an alarm condition is encountered, an email is sent to the specified email addresses.

  • The email address of the currently logged on user displays in the Email Recipients field. It defaults from System > Preferences.
  • Click Format Email to display the Format Alert Email popup window. This window enables you to format the display of emails generated by the system when an alarm condition is encountered. This option only displays for master role users.
  • If the Add to current list radio option is selected, when Apply is clicked alert settings are applied and the specified email addresses are added without removing previously assigned email addresses.
  • If the Replace list radio option is selected, when Apply is clicked alert settings are applied and the specified email addresses replace the existing email addresses assigned.
  • If Remove is clicked, all email addresses are removed without modifying any alert parameters.
  • Email is sent directly from the KServer to the email address specified in the alert. Set the From Address using System > Outbound Email.

Select All/Unselect All

Click the Select All link to check all rows on the page. Click the Unselect All link to uncheck all rows on the page.

Check-in status

These icons indicate the agent check-in status of each managed machine. Hovering the cursor over a check-in icon displays the agent quick view window.

  • Online but waiting for first audit to complete
  • Agent online
  • Agent online and user currently logged on
  • Agent online and user currently logged on, but user not active for 10 minutes
  • Agent is currently offline
  • Agent has never checked in
  • Agent is online but remote control has been disabled
  • The agent has been suspended

Machine.Group ID

The list of Machine.Group IDs displayed is based on the Machine ID / Group ID filter and the machine groups the user is authorized to see using System > User Security > Scopes.

Edit Icon

Click a row's edit icon to populate header parameters with values from that row. You can edit these values in the header and re-apply them.

Log Type

The type of event log being monitored.

ATSE

The ATSE response code assigned to machine IDs or SNMP devices:

  • A = Create Alarm
  • T = Create Ticket
  • S = Run Agent Procedure
  • E = Email Recipients

EWISFCV

The event category being monitored.

Email Address

A comma separated list of email addresses where notifications are sent.

Event Set

The event set assigned to this machine ID. Multiple event sets can be assigned to the same machine ID.

Interval

The number of times an event occurs within a specified number of periods. Applies only if the Alert when this event occurs <N> times within <N> <periods> option is selected. Displays Missing if the Alert when this event doesn't occur within <N> <periods> option is selected. Displays 1 if the Alert when this event occurs once option is selected.

Duration

The number of periods in which an event must occur to trigger an alarm condition. Applies only if the Alert when this event occurs <N> times within <N> <periods> or Alert when this event doesn't occur within <N> <periods> options are selected.

Re-Arm

Displays the number of periods to wait before triggering any new alarm conditions for the same combination of event set and event category. Applies only if a re-arm period greater than zero is specified using Ignore additional alarms for <N> <periods>.