Event Log Check
General information
This check can be used to monitor Windows Event Log records either on the local computer or on a remote one. How does it work? On the General page of this check you specify the name of the computer whose Windows Event Log records should be monitored. Then you specify filtering criteria for Event Log messages on the Settings page of the check dialog box. A large set of options lets you specify any filter you want.
As soon as you have specified the computer and the filter criteria for Event Log messages, you can start the check. When the check is started, it marks all currently available Event Log messages as read and begins monitoring for new messages. Each time a new message is added, the check applies the filters specified on the Settings page. If the new message satisfies all your filtering criteria, the check treats it as an "error" message and changes its status from successful to failed. The next time the check connects to the Event Log database, this message will already be marked as read and excluded from analysis.
Here is an example. Suppose we have an Event Log database with thousands of entries on the local host. We configure our Event Log check in the following way: select the Application source log file and clear all check boxes except the Error Event Type. This means that the filtering criteria will be true only when an error message is received. Save the check and start it.
Now go to the console and type net start aaaaaa to try to start a non-existent service. The error message will be written to the Application log file of the Event Log. When the check next examines the Event Log and finds this message, it verifies that the message meets the filtering criteria and then changes its status to failed. Wait a while until the check looks through the Event Log once more. This time the previous message has already been processed, and the check will set its state to successful unless another error message is found.
As you can see from the example above, the Event Log check is always successful immediately after it is started for the first time.
Status Conditions
- Success - No messages matching the filtering criteria have been added to the Event Log database since the last check.
- Failed - One or more messages matching the filtering criteria have been added to the Event Log database since the last check.
Check Settings
Besides the standard properties, you should specify the following parameters for this check:
- Source logfile - Select the source log file of the Windows Event Log. This log file will be monitored for messages. You can type a custom log file name if you have any non-standard log files configured.
- Event ID - If you want to monitor the Event Log for events with a specific Event ID, select this check box and enter a numerical event ID.
- Category - Category identifier. Unfortunately, Windows shows only symbolic category names, not category identifiers; you must be the software vendor to know the category ID of a message.
- Event source - Specify the source of the message events to monitor. Usually the event source is the name of the application that writes the message to the Event Log.
- Description - Every message has a description, and you can find messages with a certain description. Use this field to specify words separated by spaces, or a regular expression. The following options are available for descriptions:
  - Any word - any of the specified words must be present in the message description. Words are separated by a space.
  - All words - all of the specified words must be present in the description. Words are separated by a space.
  - Regular expression - the description filter is defined as a regular expression.
- Event Types - Select the check boxes for the type(s) of Event Log messages to monitor.
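The following is an added example, not code from the monitoring product described on this page. It models the check's two behaviours in plain Python so they can be tried offline: the read marker that makes the first pass always succeed and hides already-seen messages from later passes, and the Settings-page criteria (source log, Event ID, category, event source, description in any-word / all-words / regex mode, event types). The event records are constructed in-memory stand-ins for Windows Event Log entries; their field names, the record-number read marker and the "success"/"failed" strings are assumptions of the model, not the product's own data format.

```python
"""Added model of the Event Log check's filtering and read-marker logic (not the product's code)."""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple


@dataclass
class EventRecord:
    record_id: int          # record number; newer entries get higher numbers (assumption)
    log_name: str           # source log file, e.g. "Application"
    event_type: str         # "Error", "Warning", "Information", ...
    event_id: int
    source: str             # application that wrote the message
    category: int           # numeric category identifier
    description: str


@dataclass
class EventFilter:
    """The Settings-page criteria; a field left at None (or an empty set) is not applied."""
    log_name: str = "Application"
    event_types: Set[str] = field(default_factory=set)
    event_id: Optional[int] = None
    category: Optional[int] = None
    source: Optional[str] = None
    description: Optional[str] = None
    description_mode: str = "any"   # "any", "all" or "regex"

    def description_matches(self, text: str) -> bool:
        if self.description is None:
            return True
        if self.description_mode == "regex":
            return re.search(self.description, text) is not None
        # "any" / "all": space-separated words, matched case-insensitively
        hits = [w.lower() in text.lower() for w in self.description.split()]
        if self.description_mode == "all":
            return all(hits)
        if self.description_mode == "any":
            return any(hits)
        raise ValueError(f"unknown description mode {self.description_mode!r}")

    def matches(self, rec: EventRecord) -> bool:
        """True only when every enabled criterion is satisfied."""
        if rec.log_name != self.log_name:
            return False
        if self.event_types and rec.event_type not in self.event_types:
            return False
        if self.event_id is not None and rec.event_id != self.event_id:
            return False
        if self.category is not None and rec.category != self.category:
            return False
        if self.source is not None and rec.source.lower() != self.source.lower():
            return False
        return self.description_matches(rec.description)


def run_check(records: List[EventRecord], filt: EventFilter,
              last_seen: Optional[int]) -> Tuple[str, int, List[EventRecord]]:
    """One polling pass. Returns (status, new read marker, matching new records).

    last_seen=None means the check has just been started: every existing record
    is marked as read and the pass always reports success.
    """
    newest = max((r.record_id for r in records), default=0)
    if last_seen is None:
        return "success", newest, []
    fresh = [r for r in records if r.record_id > last_seen]
    matched = [r for r in fresh if filt.matches(r)]
    return ("failed" if matched else "success"), max(newest, last_seen), matched


def demo() -> List[str]:
    """Replays the page's scenario with constructed records; returns the status of each pass."""
    log = [  # constructed sample entries
        EventRecord(1, "Application", "Information", 1000, "ExampleApp", 0, "constructed: startup complete"),
        EventRecord(2, "Application", "Error", 1001, "ExampleApp", 0, "constructed: old error already in the log"),
        EventRecord(3, "System", "Error", 7000, "Service Control Manager", 0, "constructed: System log entry"),
    ]
    filt = EventFilter(log_name="Application", event_types={"Error"})
    statuses = []

    # Pass 1: check just started; all existing records (the old error included) are marked read.
    status, marker, _ = run_check(log, filt, None)
    statuses.append(status)

    # 'net start aaaaaa' fails and a new Error record lands in the Application log (constructed text).
    log.append(EventRecord(4, "Application", "Error", 7000, "Service Control Manager", 0,
                           "constructed: the aaaaaa service could not be started"))
    status, marker, _ = run_check(log, filt, marker)
    statuses.append(status)

    # Pass 3: nothing new since the marker, so the check returns to success.
    status, marker, _ = run_check(log, filt, marker)
    statuses.append(status)
    return statuses


if __name__ == "__main__":
    print(demo())
```

`demo()` yields success, failed, success: the error that was already in the log when the check started never triggers it, the new error raises one failed pass, and the state recovers on the next pass with nothing new. Note that a message is only ever evaluated once, so a failed status is a signal to look at the log promptly rather than a persistent condition; the same read-marker behaviour explains why a new message that matches the filter but arrives between two polls is still counted exactly once.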