Forum Discussion

5 years ago

Windows Event Management doubt(s)

Hello,

Nowadays, we are migrating from CA IM to Logic Monitor platform, when it comes to the event logs monitoring we've some doubts on how to replicate those. 
Currently at IM we pick what we want to monitor (by creating profiles that look into the Severity, Source, ID, Message, etc...). I do understand this is possible within LM but, from what I checked it would require us to create a different event source every time the source changes (& we are talking about >100 variations).

With that in mind, using that method we would create a huge load on the collectors, correct (due to WMI limitations, etc...)?

Not sure if this was raised in the past but, is there any other approach/method we could try in order to accomplish this?

Appreciate the feedback.

Thank you!


  • 42 minutes ago, Stuart Weenig said:

    Glob expressions?


    Okay... still kinda lost lol :( 

    Can you provide an example?

  • Anonymous

    Sorry, was headed into a meeting and didn't have time to explain.  Pre-reading: https://www.logicmonitor.com/support/logicmodules/eventsources/types-of-events/windows-event-log-monitoring Pay particular attention to the FILTEREDEVENTS option.

    You can combine multiple sets of criteria into a single EventSource. You do this in your filters. As you found, you can set very specific filters so that each EventSource is responsible for alerting on a particular event. Instead, be less specific and one EventSource can capture multiple events. You can use RegEx to create a filter as complex as needed.  When the alert is opened the "Alert Message" template is used to create the alert message displayed in the alert. Since it uses tokens, you can use a single template for most (or all) of the events.

  • 21 minutes ago, Stuart Weenig said:

    Sorry, was headed into a meeting and didn't have time to explain.  Pre-reading: https://www.logicmonitor.com/support/logicmodules/eventsources/types-of-events/windows-event-log-monitoring Pay particular attention to the FILTEREDEVENTS option.

    You can combine multiple sets of criteria into a single EventSource. You do this in your filters. As you found, you can set very specific filters so that each EventSource is responsible for alerting on a particular event. Instead, be less specific and one EventSource can capture multiple events. You can use RegEx to create a filter as complex as needed.  When the alert is opened the "Alert Message" template is used to create the alert message displayed in the alert. Since it uses tokens, you can use a single template for most (or all) of the events.


    No problem!!!

    Ok, I think I got that: within the 'Application' log we have multiple filters where we want to fetch events from multiple different sources, and for each of those sources only grab specific IDs.
    Example (just using two events we get from the Application events):


    Both of those events fall into the 'Application' logs but contain different sources & different IDs per source.
    From looking into the Event Source definition I'm able to pass the Source(s) & ID(s) but, in a separate way:

    This will not restrict those IDs to the actual Source(s).

    But, if I use the Complex thing I can achieve it (examples below):

    First event (1st image) -> (EVENTID == 1540 || EVENTID == 1541) && (SOURCENAME ==~ /(?i)Citrix\sMetaframe\sConferencing\sManager.*/)
    Second event (2nd image) -> (EVENTID == 9032) && (SOURCENAME ==~ /(?i)Citrix\sICA\sService.*/) 

    Combining both (using OR logic) -> ((EVENTID == 1540 || EVENTID == 1541) && (SOURCENAME ==~ /(?i)Citrix\sMetaframe\sConferencing\sManager.*/)) || ((EVENTID == 9032) && (SOURCENAME ==~ /(?i)Citrix\sICA\sService.*/))

    Would this work & only capture those 2?

    If yes, that would be great :)
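The point of the combined expression above is that each ID set is tied to its own source, which a plain list of IDs plus a plain list of sources cannot express. The following is an added example, not code from the original thread or from LogicMonitor: it models the two rules from the post as (ID set, source regex) pairs, evaluates them over a handful of constructed Windows events the way the complex expression would (Groovy's `==~` is a full-string match, mirrored here with `re.fullmatch`), and contrasts that with the "separate lists" approach that lets IDs and sources cross over. It also renders the rules back into the same complex-expression string as in the post, which is a handy way to check a long expression before pasting it into an EventSource. The `WinEvent` class, the rule layout and the sample events are assumptions made for the example.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class WinEvent:
    """Minimal model of a Windows event record (hypothetical, for this example)."""
    log: str
    source: str
    event_id: int
    message: str


# Each rule pairs a set of event IDs with the source-name regex that must match
# those IDs. Patterns are written exactly as they appear inside /(?i).../ in
# the complex expression from the post.
COMBINED_RULES = [
    ({1540, 1541}, r"Citrix\sMetaframe\sConferencing\sManager.*"),
    ({9032}, r"Citrix\sICA\sService.*"),
]


def source_matches(pattern, source):
    """Groovy `==~` requires the whole string to match; re.fullmatch does the same."""
    return re.fullmatch(pattern, source, re.IGNORECASE) is not None


def combined_match(ev, rules=COMBINED_RULES):
    """OR over rules, each rule being (ID in set) AND (source matches regex)."""
    return any(ev.event_id in ids and source_matches(pat, ev.source) for ids, pat in rules)


def separate_lists_match(ev, rules=COMBINED_RULES):
    """The 'separate Source(s) & ID(s)' approach: any listed ID with any listed source."""
    all_ids = set().union(*(ids for ids, _ in rules))
    return ev.event_id in all_ids and any(source_matches(pat, ev.source) for _, pat in rules)


def to_complex_expression(rules):
    """Render the rules as a LogicMonitor-style complex expression string."""
    parts = []
    for ids, pat in rules:
        id_part = "(" + " || ".join(f"EVENTID == {i}" for i in sorted(ids)) + ")"
        src_part = f"(SOURCENAME ==~ /(?i){pat}/)"
        parts.append(f"({id_part} && {src_part})")
    return " || ".join(parts)


def filter_events(events, predicate):
    """Return only the events the given predicate selects."""
    return [ev for ev in events if predicate(ev)]


# Constructed sample events: three should be captured, three should not.
SAMPLE_EVENTS = [
    WinEvent("Application", "Citrix Metaframe Conferencing Manager", 1540, "constructed: conference started"),
    WinEvent("Application", "citrix metaframe conferencing manager service", 1541, "constructed: case/suffix variant"),
    WinEvent("Application", "Citrix ICA Service", 9032, "constructed: ICA service event"),
    WinEvent("Application", "Citrix ICA Service", 1540, "constructed: right ID, wrong source"),
    WinEvent("Application", "SomeOtherSource", 9032, "constructed: right ID, unrelated source"),
    WinEvent("Application", "Citrix Metaframe Conferencing Manager", 1000, "constructed: right source, unlisted ID"),
]


if __name__ == "__main__":
    print(to_complex_expression(COMBINED_RULES))
    for ev in SAMPLE_EVENTS:
        print(f"{ev.event_id:>5} {ev.source:<45} combined={combined_match(ev)!s:<5} separate={separate_lists_match(ev)}")
```

The fourth sample event (ID 1540 from "Citrix ICA Service") is where the two approaches diverge: the separate-lists filter accepts it, the combined expression rejects it, which is exactly the restriction the post is after.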

  • Anonymous

    Yes, to get to that level of complex logic, you'd need to use that combined logic in a complex expression. It's written in Groovy syntax, but I think your syntax should match:

  • 3 minutes ago, Stuart Weenig said:

    Yes, to get to that level of complex logic, you'd need to use that combined logic in a complex expression. It's written in Groovy syntax, but I think your syntax should match:


    Nice to hear that!

    We'll start mapping our stuff & see if it works.
    Using a sample event (that I can trigger on purpose) in order to test this out.

    Will further update

  • It works smoothly! Just concerned with the load on the collectors (once we add a quite big expression). Let's see how it goes.

    Thanks a lot for your help Stuart!