Creating an Event Log Monitor Rule
The following section provides instructions on how to create a typical Event Log Monitor Rule. The general instructions apply to all the monitors that run within the Event Log group.
Event Log Monitor Rules specific criteria fields
When adding rule criteria, the following pages and fields are specific to Event Log Monitors.

Event Log Parameters section
Fields in this section define the characteristics of the event as found in the Event Log.
Criteria Type
Use the radio buttons to select whether matching events are included or excluded from the rule criteria. Exclusions can be used to filter out commonly occurring events.
Event Type
Select the type of event for which this rule applies. The following event types can be selected and multiple selections are allowed. At least one event type must be selected.
- Error: All error log messages are selected.
- Information: All information log messages are selected.
- Warning: All warning log messages are selected.
- Audit Failure: All audit failure log messages are selected.
- Audit Success: All audit success log messages are selected.
Event Source
Enter a specific source to identify the origin of the event log message. Use the Comparison field to determine whether the origin should be equal to or different from the entry in the Value field.
Event Category
Enter a specific category to determine the group in which the event log message originated. Use the Comparison field to determine whether the category should be equal to or different from the entry in the Value field.
Event ID
Enter a unique Event ID that is used to select the event log message. Use the Comparison field to determine whether the Event ID should be equal to, greater than, greater than or equal to, less than, less than or equal to or different from the entry in the Value field.
Event User
Enter the name of a user that is used to select an event log message that was created as a result of this user's activity. Use the Comparison field to determine whether the user name should be equal to or different from the entry in the Value field.
Event Message

Criteria Alert Details section
Fields in this section define alert settings that override the settings made on the Alert page at Rule level. This provides a more criteria specific alert message to be generated.
Override Rule Default
Alert Text
Enter the actual text of the alert or use the available Substitution Variables to construct the message text of the alert.

Alert Example
Displays an example of how the Alert Text will read using the selected Substitution Variables and user-entered text.

Wildcard Characters section
Fields in this section determine alternative characters that can be used for multiple or single character substitution.
Use * As A Substitute For Zero Or More Characters
Specify a character, other than '*', that will be used as a wildcard substitution for none or multiple characters in this rule.
Use ? As A Substitute For A Single Character
Specify a character, other than '?', that will be used as a wildcard substitution of a single character in this rule.
Auto-Close Options section
These fields determine if the auto-closing of Enterprise Console Alerts is required and if so, the delay invoked before the auto-close becomes effective.
Auto-Close Enterprise Console Alerts
Click this option to automatically close any alerts sent to the Enterprise Console by this rule. When the rule is checked, if the criteria selection would not currently result in an alert and there are previously raised outstanding alerts in existence, the existing alerts are closed either immediately or after the specified Delay By period if the criteria is still not triggering.
For example:
- A CPU rule has criteria to alert if the CPU % Processor Time is above 75%.
- It also has Auto-Close specified to Auto-Close Enterprise Console Alerts with a Delay period of 5 minutes.
The rule criteria is checked and triggers as the CPU is above 75%. An alert is sent to the Enterprise Console. At the next check interval, including any time for which the rule is suspended, the rule criteria is checked again and the CPU is below the required threshold. As the criteria has auto-close specified, the outstanding alert is tagged to be automatically closed five minutes later.
The rule criteria continues to be checked and if the CPU does not cause any further triggers, the existing alert is closed at the tagged auto-close time.
Delay By
If the Auto-Close Enterprise Console Alerts option is enabled, specify the delay time period after which the alert is automatically closed providing the criteria has not triggered again in the next check interval. The time period can be specified in Minutes, Hours or Days.
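The Auto-Close sequence described above (raise, tag at the first non-triggering check, close at the tagged time unless the criteria triggers again) is easier to reason about as a small state model. The following Python is an added example written for this page; it is not part of the product and models the behaviour with two assumptions the page does not state: a rule keeps at most one outstanding alert, and a re-trigger while a close is pending cancels the pending close rather than raising a second alert. The CPU readings, the one-minute check interval and the start time are constructed for the simulation.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple


@dataclass
class ConsoleAlert:
    """Stand-in for an Enterprise Console alert raised by a rule (constructed model)."""
    raised_at: datetime
    auto_close_at: Optional[datetime] = None   # set once the alert is tagged for auto-close
    closed_at: Optional[datetime] = None


class AutoCloseRule:
    """Tracks one rule's outstanding alert and applies Auto-Close with a Delay By period.

    Assumptions beyond the page: one outstanding alert per rule, and a re-trigger
    while a close is pending cancels the pending close (no new alert is raised).
    """

    def __init__(self, auto_close: bool, delay: timedelta) -> None:
        self.auto_close = auto_close          # the Auto-Close Enterprise Console Alerts option
        self.delay = delay                    # the Delay By period
        self.alert: Optional[ConsoleAlert] = None
        self.closed: List[ConsoleAlert] = []

    def check(self, now: datetime, triggered: bool) -> List[str]:
        """Evaluate one check interval and return the state changes it caused."""
        events: List[str] = []
        alert = self.alert
        # A close that fell due between checks already took effect at the tagged time.
        if alert is not None and alert.auto_close_at is not None and now >= alert.auto_close_at:
            alert.closed_at = alert.auto_close_at
            self.closed.append(alert)
            self.alert = alert = None
            events.append("closed")
        if triggered:
            if alert is None:
                self.alert = ConsoleAlert(raised_at=now)      # criteria met: raise an alert
                events.append("raised")
            elif alert.auto_close_at is not None:
                alert.auto_close_at = None                     # still triggering: cancel pending close
                events.append("untagged")
        elif alert is not None and self.auto_close and alert.auto_close_at is None:
            alert.auto_close_at = now + self.delay             # tag the alert to close after Delay By
            events.append("tagged")
        return events


def simulate_cpu_rule(
    readings: List[float],
    threshold: float = 75.0,
    delay: timedelta = timedelta(minutes=5),
    interval: timedelta = timedelta(minutes=1),
) -> Tuple[Dict[int, List[str]], AutoCloseRule]:
    """Replay constructed CPU % Processor Time readings, one per check interval,
    through the page's example rule (alert above 75%, auto-close after 5 minutes).
    Returns ({check number: state changes}, rule) for the checks where something changed."""
    rule = AutoCloseRule(auto_close=True, delay=delay)
    start = datetime(2024, 1, 1, 0, 0, 0)   # constructed start time for the simulation
    timeline: Dict[int, List[str]] = {}
    for i, cpu in enumerate(readings):
        changed = rule.check(start + i * interval, cpu > threshold)
        if changed:
            timeline[i] = changed
    return timeline, rule


if __name__ == "__main__":
    timeline, rule = simulate_cpu_rule([80, 60, 60, 60, 60, 60, 60])
    for minute, changes in timeline.items():
        print(f"check at minute {minute}: {', '.join(changes)}")
```

With the readings shown, the alert is raised at minute 0, tagged at minute 1 (the first check below the threshold) and closed at minute 6, five minutes after the tag. Feeding a reading above 75% between the tag and the close produces an "untagged" change instead, and the alert stays open until a later non-triggering check tags it again.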
Using the Browse utility
From the Add Criteria dialog, used when adding criteria for Event Log Monitor rules, a Browse facility provides both summary and detail information about existing entries in each of the three log types.
Get Next
By default, the 100 most recent entries are displayed. Click Get Next to retrieve the specified number of Event Log Records. This figure can be increased or decreased as required by either over-typing the existing entry or using the up and down arrows to amend the figure.
Details
Click Details to display the Event Properties dialog showing detailed information for the event log. From this dialog, move through further logs in the summary display by using the up and down arrows. After finishing viewing the detail information, click OK to return to the main Event Log Viewer display.
Select
Single-click on an event log on this display and then click Select to automatically populate the rule criteria fields with the detailed log information from the selected event log.
Example Application Event Log Monitor rule
This example rule checks that any events sent to the Windows Application Event Log do not contain the words: Backup failed.
This is useful if there is a device on which regular backups are performed as this rule can ensure that these are completing successfully. If the rule is triggered, an alert is sent to the Enterprise Console (although any action can be specified to suit a particular requirement).
- From the Systems panel of the Central Configuration Manager, select the system to which the monitor rule is to be applied and expand the Server Manager > Event Log Monitors (Standard) view so that the monitors are displayed.
- Select the Application Event Log Monitor and click Add Rule to display the Add Rule Detail dialog.
- Enter a Description of ‘Check for Backup Failures’. Leave other fields on this page as the default settings.
- Select the Criteria tab in the left navigation pane of the Add Rule Detail dialog and click Add Criteria.
- In Event Type Settings clear the Information, Warning, Audit Failure and Audit Success settings.
- Leave all comparison values as ‘=’. In the Event Source Value field, enter the name of the system. This name is used in the alert message.
- Enter ‘None’ as the Event Category Value.
- Enter ‘9999’ as the Event ID Value.
- Enter ‘System’ as the Event User Value.
- Using wild cards to capture any instance of backup failure, enter ‘*Backup Failed*’ as the Event Message Value and click OK.
- Select the Actions tab in the left navigation pane of the Add Rule Detail dialog and click Add Action.
- Select the Send Enterprise Console Alert action. Click OK to open the Console Action dialog. Leave the fields as their default settings and click OK.
- On the Add Rule Detail dialog, click OK to create the rule, which is then displayed in the System Rule panel for the Application Event Log Monitor.
- From the Central Configuration Manager menu ribbon, click Save. The rule is now active within the monitor.
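To show how the criteria fields, the Comparison and Value entries, the Criteria Type include/exclude setting and the wildcard substitution characters combine when a rule is evaluated, here is an added Python example that is not part of the product: it models the matching logic and runs the 'Check for Backup Failures' rule above over a handful of constructed event records. The '<>' spelling of the "different from" comparison, case-insensitive message matching, the rule semantics (an event triggers the rule when it matches at least one include criterion and no exclude criterion), the system name SRV01 and the extra exclusion criterion for test-run backups are all assumptions made for the example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class EventRecord:
    """Constructed stand-in for an Event Log record; fields follow the Add Criteria dialog."""
    event_type: str   # Error, Information, Warning, Audit Failure or Audit Success
    source: str
    category: str
    event_id: int
    user: str
    message: str


# Comparison operators. '<>' for "different from" is an assumed spelling; the
# ordering operators are only offered for the Event ID field.
COMPARISONS = {
    "=":  lambda actual, value: actual == value,
    "<>": lambda actual, value: actual != value,
    ">":  lambda actual, value: actual > value,
    ">=": lambda actual, value: actual >= value,
    "<":  lambda actual, value: actual < value,
    "<=": lambda actual, value: actual <= value,
}
EQUALITY_ONLY = ("=", "<>")
Comparison = Optional[Tuple[str, object]]   # (operator, Value field) or blank


def wildcard_to_regex(pattern: str, multi: str = "*", single: str = "?") -> "re.Pattern[str]":
    """Turn a rule wildcard pattern into an anchored regular expression.

    `multi` stands for zero or more characters and `single` for exactly one, mirroring
    the two 'Use ... As A Substitute' fields. Case-insensitive matching is an assumption.
    """
    parts = []
    for ch in pattern:
        if ch == multi:
            parts.append(".*")
        elif ch == single:
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE | re.DOTALL)


@dataclass
class Criteria:
    event_types: frozenset                 # Event Type check boxes; at least one required
    include: bool = True                   # Criteria Type: include (True) or exclude (False)
    source: Comparison = None              # Event Source
    category: Comparison = None            # Event Category
    event_id: Comparison = None            # Event ID (ordering comparisons allowed)
    user: Comparison = None                # Event User
    message: Optional[str] = None          # Event Message wildcard pattern
    multi_wildcard: str = "*"              # 'Use * As A Substitute For Zero Or More Characters'
    single_wildcard: str = "?"             # 'Use ? As A Substitute For A Single Character'

    def __post_init__(self) -> None:
        if not self.event_types:
            raise ValueError("at least one event type must be selected")

    def matches(self, event: EventRecord) -> bool:
        """True when the event satisfies every populated field; blank fields match anything."""
        if event.event_type not in self.event_types:
            return False
        checks = [
            (self.source, event.source, EQUALITY_ONLY),
            (self.category, event.category, EQUALITY_ONLY),
            (self.event_id, event.event_id, tuple(COMPARISONS)),
            (self.user, event.user, EQUALITY_ONLY),
        ]
        for spec, actual, allowed in checks:
            if spec is None:
                continue
            operator, value = spec
            if operator not in allowed:
                raise ValueError(f"comparison {operator!r} is not valid for this field")
            if not COMPARISONS[operator](actual, value):
                return False
        if self.message is not None:
            regex = wildcard_to_regex(self.message, self.multi_wildcard, self.single_wildcard)
            if regex.match(event.message) is None:
                return False
        return True


def rule_triggers(criteria_list: List[Criteria], event: EventRecord) -> bool:
    """Assumed rule semantics: match at least one include criterion and no exclude criterion."""
    included = any(c.include and c.matches(event) for c in criteria_list)
    excluded = any((not c.include) and c.matches(event) for c in criteria_list)
    return included and not excluded


SYSTEM_NAME = "SRV01"   # placeholder for the system name entered in Event Source Value
BACKUP_RULE = [
    # The 'Check for Backup Failures' criteria from the worked example.
    Criteria(event_types=frozenset({"Error"}), source=("=", SYSTEM_NAME), category=("=", "None"),
             event_id=("=", 9999), user=("=", "System"), message="*Backup Failed*"),
    # Added exclusion (not in the page's example) to show Criteria Type filtering.
    Criteria(event_types=frozenset({"Error"}), include=False, message="*Backup Failed*test run*"),
]

# Constructed sample events, not taken from a real Event Log.
SAMPLE_EVENTS = [
    EventRecord("Error", SYSTEM_NAME, "None", 9999, "System", "Nightly backup failed: drive not ready"),
    EventRecord("Error", SYSTEM_NAME, "None", 9999, "System", "Backup Failed (test run)"),
    EventRecord("Information", SYSTEM_NAME, "None", 9999, "System", "Backup Failed"),
    EventRecord("Error", SYSTEM_NAME, "None", 9998, "System", "Backup Failed"),
    EventRecord("Error", SYSTEM_NAME, "None", 9999, "System", "Backup completed successfully"),
]


def triggered_messages(criteria_list: List[Criteria], events: List[EventRecord]) -> List[str]:
    """Messages of the events that would cause the rule to raise an alert."""
    return [e.message for e in events if rule_triggers(criteria_list, e)]


if __name__ == "__main__":
    for msg in triggered_messages(BACKUP_RULE, SAMPLE_EVENTS):
        print("ALERT:", msg)
```

Only the first sample event raises an alert: the test-run failure is removed by the exclusion criterion, the Information event fails the Event Type check, the 9998 event fails the Event ID comparison, and the successful backup does not match the message pattern. Changing `multi_wildcard` to another character makes a literal '*' in the pattern match only itself, which is the effect of the Wildcard Characters fields.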