Forum Discussion

mfrancis
6 years ago

Windows Event Logs - Applications and Services

LogicMonitor does a great job capturing Application, System and Security events from the Windows Event Log via WMI.  We are trying to expand our Event Log monitoring to include events from the Applications and Services Logs.  These cannot be collected by LogicMonitor via WMI but the documentation says we should be able to collect these using Event Log subscriptions and write them to the Application log.  We have an event log subscription set up on one Windows server collecting events from others.  They are source initiated subscriptions, specifically AppLocker error events which we have being collected and written to the Application log of the collecting server.  The events are making it to Application Log but we are not receiving alerts in LogicMonitor.  I have tried a custom Event Source and even used the built-in one which should be collecting all Application Event Log errors occurring on the server.  We get alerts for application errors that occur on the server - just not the AppLocker errors despite them being listed in the log. 

I noticed the Log Name in these collected events shows "Microsoft-Windows-AppLocker/EXE and DLL" even though they are in the Application log.  Could this be the reason LogicMonitor is not alerting on them?  They are not found when using the Event Source Testing tool either.

Wondering if anyone has any tips on how to use a subscription to alert on events from the Applications and Services Logs. 

  • jaybird
    Former Employee

    LogicMonitor does not, as of July 2020, support the monitoring of any logs located under the “Application and Services Logs” folder in the Windows Event Viewer snap-in console, as these logs aren’t natively exposed to WMI. If you would like to monitor your Application and Services Logs in LogicMonitor, you can use Microsoft Subscriptions to ‘copy’ logs from your Application and Services folder to another log folder (e.g. “Application” logs), as demonstrated in this video.

    Details here: https://www.logicmonitor.com/support/logicmodules/eventsources/types-of-events/windows-event-log-monitoring#subscriptions

  • This could be run as a data source using Powershell to grab and parse new events from a documented starting index/time.  I don't have time to write it just now as I'm still implementing our environment and getting it tuned up... but here's some quick pseudo code for it:

    DataSource every 3 minutes:
    - read state file (txt on collector - named by resource ID or name)
    - - last line is time stamp + last event index number retrieved
    - get-eventlog from recovered index forward (filter this on the host side)
    - filter by Event ID on the collector (in the script)
    - return the appropriate data to LM
    - write last sampled event index to the state file
    
    lather, rinse, repeat...

    The DataSource gives you the ability to schedule a script; its AppliesTo on a collector for the environment you're targeting allows you to access that PowerShell remote environment, and it has a \\Collector\C$\Temp you can write to for the state files.
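    A working PowerShell version of the polling loop sketched above, added here as an example and not code from this thread or from LogicMonitor. It checkpoints on the log's EventRecordID rather than a timestamp, filters on the host side with an XPath query, and reads the collecting server's Application log where the subscription writes the forwarded events; the state-file path, the provider name filter and the AppLocker event IDs 8003/8004 are assumptions to adjust for your environment.

```powershell
# Added example: poll forwarded AppLocker events from the collector's Application log,
# resuming from the last RecordId saved in a state file (assumed path and IDs below).
param(
    [string]$ComputerName = $env:COMPUTERNAME,                 # server receiving the subscription
    [string]$StatePath    = "C:\Temp\applocker-$ComputerName.state",
    [string]$ProviderName = 'Microsoft-Windows-AppLocker',
    [int[]] $EventIds     = @(8003, 8004)                      # assumed: audit-would-block / blocked
)

# State file holds one line: "<ISO timestamp>,<last RecordId>"; missing file means start at 0
$lastRecordId = 0
if (Test-Path $StatePath) {
    $parts = (Get-Content $StatePath -Tail 1) -split ','
    if ($parts.Count -eq 2) { $lastRecordId = [long]$parts[1] }
}

# Host-side filter: provider, event IDs and record-id checkpoint all go into the XPath query
$idClause = ($EventIds | ForEach-Object { "EventID=$_" }) -join ' or '
$xpath = "*[System[Provider[@Name='$ProviderName'] and ($idClause) and EventRecordID > $lastRecordId]]"

try {
    $events = Get-WinEvent -ComputerName $ComputerName -LogName 'Application' -FilterXPath $xpath -ErrorAction Stop
} catch {
    # Get-WinEvent throws when nothing matches; treat that as zero new events, rethrow anything else
    if ($_.Exception.Message -match 'No events were found') { $events = @() } else { throw }
}

# RecordId is monotonic per log, so oldest-first order is simply ascending RecordId
$new = @($events | Sort-Object RecordId)

# One line per event for the collector to parse (key=value layout is an assumption)
foreach ($e in $new) {
    $firstLine = ($e.Message -split "`r?`n")[0]   # e.g. "<path> was prevented from running."
    "RecordId={0} Time={1:o} Id={2} Level={3} Message={4}" -f `
        $e.RecordId, $e.TimeCreated, $e.Id, $e.LevelDisplayName, $firstLine
}

# Advance the checkpoint only after the events have been emitted
if ($new.Count -gt 0) {
    $dir = Split-Path $StatePath
    if (-not (Test-Path $dir)) { New-Item -ItemType Directory -Path $dir | Out-Null }
    "{0:o},{1}" -f (Get-Date), $new[-1].RecordId | Set-Content $StatePath
}
```

    If the forwarded events show an empty Message on the collector, the subscription is delivering unrendered events without the AppLocker provider manifest being present locally; the RecordId, Id and Level fields still arrive and can drive the alert.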

  • I have the same issue. I need to monitor Windows Task Scheduler events.  Can anyone from LogicMonitor please respond and suggest the best way to achieve this?