Event Log Alerts

Monitor > Agent Monitoring > Event Log Alerts

The Event Log Alerts page alerts when an event log entry for a selected machine matches a specified criteria. After selecting the event log type, you can filter the alert conditions specified by event set and by event category. You then set the alert action to take in response to the alert condition specified.

Note: You can display event logs directly. On a Windows machine click Start, then click Control Panel, then click Administrative Tools, then click Event Viewer. Click Application, Security or System to display the events in each log.

Event Sets

Because the number of events in Windows events logs is enormous the VSA uses a record type called an event set to filter an alert condition. Event sets contain one or more conditions. Each condition contains filters for different fields in an event log entry. The fields are source, category, event ID, user, and description. An event log entry has to match all the field filters of a condition to be considered a match. A field with an asterisk character (*) means any string, including a zero string, is considered a match. A match of any one of the conditions in an event set is sufficient to trigger an alert for any machine that event set is applied to. For details on how to configure event sets, see Monitor > Event Log Alerts > Edit Event Sets.

Sample Event Sets

A growing list of sample event sets are provided. The names of sample event sets begin with ZC. You can modify sample event sets, but its better practice to copy a sample event set and customize the copy. Sample event sets are subject to being overwritten every time the sample sets are updated during a maintenance cycle.

Global Event Log Black List

Each agent processes all events, however events listed on a "black list" are not uploaded to the VSA server. There are two black lists. One is updated periodically by Kaseya and is named EvLogBlkList.xml. The second one, named EvLogBlkListEx.xml, can be maintained by the service provider and is not updated by Kaseya. Both are located in the \Kaseya\WebPages\ManagedFiles\VSAHiddenFiles directory. Alarm detection and processing operates regardless of whether entries are on the collection blacklist.

Flood Detection

If 1000 events—not counting black list events—are uploaded to the Kaseya Server by an agent within one hour, further collection of events of that log type are stopped for the remainder of that hour. A new event is inserted into the event log to record that collection was suspended. At the end of the hour, collection automatically resumes. This prevents short term heavy loads from swamping your Kaseya Server. Alarm detection and processing operates regardless of whether collection is suspended.

Monitor Wizard Icon for Event Sets

The Agent > Agent Logs > Event Logs tab displays event log data collected by Windows. Not available for Win9x. Only event logs that apply to the selected machine display in the event log drop-down list. A indicates a log entry classified as a warning. A indicates a log entry classified as an error. A indicates a log entry classified as informational.

Select a log entry, then click the Setup Event Log Monitor to create a new event set criteria based on that log entry. The new event set criteria can be added to any new or existing event set. The new or changed event set is immediately applied to the machine that served as the source of the log entry. Changing an existing event set affects all machines assigned to use that event set. The monitor wizard icon displays in:

• Agent > Agent Logs
• Live Connect > Event Viewer
• Live Connect > Agent Data > Event Log

See Monitor > Event Log Alerts for a description of each field shown in the wizard.

Configuring and Assigning Event Log Alerts

1. Optionally enable event logging for the machines you want to monitor using Agent > Event Log Settings. Event categories highlighted in red (EWISFCV) indicate these event categories are not collected by the VSA.

   Note: If NO or ALL event logs types and categories are collected for a machine, then event log alerts are generated for that machine. If SOME event log types and categories are collected for a machine, then NO event log alerts are generated.

2. Select the event set, the event log type and other parameters using the Event Log Alerts > Assign Event Set header tab.
3. Optionally click the Edit button on the Assign Event Set header tab to create or change the alert conditions for the event sets you assign.
4. Specify the actions to take in response to an alert condition using the Event Log Alerts > Set Alert Actions header tab.
5. Optionally click the Format Email button on Set Alert Actions header tab to change the format of mail alerts for event sets.
6. Select the machines an event set should be applied to.
7. Click the Apply button.

Actions

• Apply - Applies a selected events set to selected machine IDs. Confirm the information has been applied correctly in the machine ID list.
• Clear - Removes selected event set from selected machine IDs.
• Clear All - Removes all event set settings from selected machine IDs.

Paging Area

The paging area displays the same columns whichever header tab is selected.

• Select All/Unselect All - Click the Select All link to check all rows on the page. Click the Unselect All link to uncheck all rows on the page.
• Check-in status - These icons indicate the agent check-in status of each managed machine. Hovering the cursor over a check-in icon displays the agent Quick View window.

  Online but waiting for first audit to complete

  Agent online

  Agent online and user currently logged on.

  Agent online and user currently logged on, but user not active for 10 minutes

  Agent is currently offline

  Agent has never checked in

  Agent is online but remote control has been disabled

  The agent has been suspended

• Machine.Group ID - The list of Machine.Group IDs displayed is based on the Machine ID / Group ID filter and the machine groups the user is authorized to see using System > User Security > Scopes.
• Edit Icon - Click a row's edit icon to populate header parameters with values from that row. You can edit these values in the header and re-apply them.
• Log Type - The type of event log being monitored.
• ATSE - The ATSE response code assigned to machine IDs or SNMP devices:
  • A = Create Alarm
  • T = Create Ticket
  • S = Run Agent Procedure
  • E = Email Recipients
• EWISFCV - The event category being monitored.
• Email Address - A comma separated list of email addresses where notifications are sent.
• Event Set - The event set assigned to this machine ID. Multiple events sets can be assigned to the same machine ID.
• Interval - The number of times an event occurs within a specified number of periods. Applies only if the Alert when this event occurs <N> times within <N> <periods> option is selected. Displays Missing if the Alert when this event doesn't occur within <N> <periods> option is selected. Displays 1 if the Alert when this event occurs once is selected.
• Duration - The number of periods an event must occur to trigger an alert condition. Applies only if the Alert when this event occurs <N> times within <N> <periods> or Alert when this event doesn't occur within <N> <periods> options are selected.
• Re-Arm - Displays the number of periods to wait before triggering any new alert conditions for the same combination of event set and event category. Applies only if a re-arm period greater than zero is specified using Ignore additional alarms for <N> <periods>.