Checks the Windows Event Log on remote machines for specified events.
The Windows Event Log Event Monitor is the best way to detect events and get alerts. It can monitor any event logs you choose, including the extended event logs introduced with Windows Server 2008. It includes a wide variety of filtering options and can also export detected events to a SQL Server database for archival, auditing, and data warehouse integration.
This event monitor provides the following options:
Select the event log that the event monitor will check. For event logs other than the standard three, go to the Event Viewer and right-click on the event log you want to monitor. Choose "Properties" from the menu. In the window that appears, copy the value from the "Full Name" text box and paste it here.
Use this option to alert if the event monitor cannot connect to the network device.
Most event logs are configured to automatically overwrite older log entries. For event logs with this option disabled, use this option to get alerts when they are full.
Use this option to generate alerts based on the number of events in the event log.
Use this option to scan the contents of the event log for records that match the filters you specify.
Select the event log types that will be checked. You can select multiple event types.
Each event record contains an event ID. The event ID usually uniquely identifies an event from a particular source, although this can vary depending on the application or service that generated the event. Different sources may use the same event ID, but events from a particular source should have their own unique IDs.
Filter by event user name. Not many events have user names associated with them, but for those that do, it can be very useful to filter on it and track down what caused the event to be generated.
Enter one or more sources that the event monitor will use as a filter.
With this option, you can specify text strings that the event monitor will look for in event records. The strings are applied according to the filtering option that you choose.
With this option selected the event monitor will include the matching event log records in all notifications.
This option tells the event monitor to pick up where it last stopped and look only at new event log records. If you turn this option off, the event monitor will scan the entire event log on every run.
With this option enabled, the event monitor will report the success status for all matching events. It is mostly useful for conditions where you want to detect informational events.
When this option is selected, the event monitor will search for Security Identifiers (SIDs) in the events and attempt to convert them into account names, which are easier to read and understand.
Use this option to export the matching events to a SQL Server database. The event monitor will automatically create the necessary table and populate it with the event log data. Specify the server name, database name, and credentials to allow the event monitor to connect. The table will be called 'windowseventlog'.
The account used for authentication must be a member of the Event Log Readers group or have admin rights. To monitor the Windows Security event log, admin rights are required.
This event monitor does not generate any data points.
To view the tutorial for this event monitor, click here.
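The following PowerShell sketch is an added example, not the product's own code. It reproduces several of the checks described above (log-full state, event ID filter, new-records-only scanning, SID translation) so that a filter can be tried by hand before it is configured. The host name, bookmark path and event IDs are sample values chosen for illustration.

```powershell
# Added example; not part of the product. Sample values are assumptions.
$Computer     = 'SERVER01'      # hypothetical remote machine
$LogName      = 'Security'      # reading this log requires admin rights
$EventIds     = 4625, 4740      # failed logon, account lockout
$BookmarkFile = Join-Path $env:TEMP "$Computer-$LogName.bookmark"

# Log state: a full log only matters when overwriting is disabled.
$log = Get-WinEvent -ListLog $LogName -ComputerName $Computer -ErrorAction Stop
if ($log.LogMode -ne 'Circular' -and $log.IsLogFull) {
    Write-Warning "$LogName on $Computer is full and does not overwrite old records"
}
'{0}: {1} records, mode {2}' -f $LogName, $log.RecordCount, $log.LogMode

# New records only: resume after the last record ID seen on the previous run.
$lastId = 0
if (Test-Path $BookmarkFile) { $lastId = [long](Get-Content $BookmarkFile) }

# Event ID filter combined with the bookmark, expressed as an XPath query.
$idClause = ($EventIds | ForEach-Object { "EventID=$_" }) -join ' or '
$xpath    = "*[System[($idClause) and EventRecordID > $lastId]]"
$events   = @(Get-WinEvent -LogName $LogName -ComputerName $Computer `
                -FilterXPath $xpath -ErrorAction SilentlyContinue)

# Replace SIDs in the message text with account names where they resolve.
# Translation runs on the local machine, so local SIDs of the remote host
# stay unresolved and are left as they are.
function Resolve-Sid([string]$Text) {
    [regex]::Replace($Text, 'S-1-\d+(-\d+)+', {
        param($m)
        try {
            $sid = [System.Security.Principal.SecurityIdentifier]$m.Value
            $sid.Translate([System.Security.Principal.NTAccount]).Value
        } catch { $m.Value }
    })
}

$events | Sort-Object RecordId | ForEach-Object {
    [pscustomobject]@{
        RecordId = $_.RecordId
        Time     = $_.TimeCreated
        Id       = $_.Id
        Source   = $_.ProviderName
        Message  = Resolve-Sid $_.Message
    }
}

# Save the highest record ID so the next run starts after it.
if ($events.Count -gt 0) {
    ($events | Sort-Object RecordId)[-1].RecordId | Set-Content $BookmarkFile
}
```

Run it under the account the monitor will use: an access-denied error from `Get-WinEvent` here means the account lacks the Event Log Readers or admin rights described above.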