mfrancis@mcdonaldhopkins.com

Windows Event Logs - Applications and Services

Question

LogicMonitor does a great job capturing Application, System and Security events from the Windows Event Log via WMI.  We are trying to expand our Event Log monitoring to include events from the Applications and Services Logs.  These cannot be collected by LogicMonitor via WMI but the documentation says we should be able to collect these using Event Log subscriptions and write them to the Application log.  We have an event log subscription set up on one Windows server collecting events from others.  They are source initiated subscriptions, specifically AppLocker error events which we have being collected and written to the Application log of the collecting server.  The events are making it to Application Log but we are not receiving alerts in LogicMonitor.  I have tried a custom Event Source and even used the built-in one which should be collecting all Application Event Log errors occurring on the server.  We get alerts for application errors that occur on the server - just not the AppLocker errors despite them being listed in the log. 

I noticed the Log Name in these collected events shows "Microsoft-Windows-AppLocker/EXE and DLL" even though they are in the Application log.  Could this be the reason LogicMonitor is not alerting on them?  They are not found when using the Event Source Testing tool either.


Wondering if anyone has any tips on how to use a subscription to alert on events from the Applications and Services Logs. 


  • 0

I have the same issue. I need to monitor Windows Task Scheduler events.  Can anyone from LogicMonitor please respond and suggest the best way to achieve this.

  • 0

This could be run as a data source using PowerShell to grab and parse new events from a documented starting index/time.  I don't have time to write it just now as I'm still implementing our environment and getting it tuned up... but here's some quick pseudocode for it:

DataSource every 3 minutes:
- read state file (txt on collector - named by resource ID or name)
  - last line is time stamp + last event index number retrieved
- get-eventlog from recovered index forward (filter this on the host side)
- filter by Event ID on the collector (in the script)
- return the appropriate data to LM
- write last sampled event index to the state file

lather, rinse, repeat...

The DataSource gives you the ability to schedule a script; the appliesTo for a collector in the environment you're targeting allows you to access that PowerShell remote environment, and it has a \\Collector\C$\Temp you can write to for the state files.

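One way to implement the data source sketched in the answer above, as an added example that is not from the thread or from LogicMonitor: a PowerShell script that keeps a per-host state file, queries the AppLocker log directly on the remote host with Get-WinEvent (which, unlike Get-EventLog, can read the Applications and Services Logs) filtered by log name, event ID and start time, emits key=value lines, and advances the state only after reporting. The state directory, the event ID list and the output format are assumptions.

```powershell
# Added example (not from the thread): stateful collection of Applications and Services Log events.
# Assumptions (hypothetical): state directory under the collector's C:\Temp, output format below.
param(
    [string]$ComputerName = $env:COMPUTERNAME,
    [string]$LogName      = 'Microsoft-Windows-AppLocker/EXE and DLL',
    [int[]] $EventIds     = @(8003, 8004),   # AppLocker "would have been blocked" / "was blocked"
    [string]$StateDir     = 'C:\Temp\EventState'
)

# One state file per monitored resource, keyed by host name.
$stateFile = Join-Path $StateDir ("{0}.txt" -f $ComputerName)
if (-not (Test-Path $StateDir)) { New-Item -ItemType Directory -Path $StateDir | Out-Null }

# State file holds "<ISO timestamp>|<last RecordId>". First run looks back one polling interval.
$lastTime     = (Get-Date).AddMinutes(-3)
$lastRecordId = 0
if (Test-Path $stateFile) {
    $parts = (Get-Content $stateFile | Select-Object -Last 1) -split '\|'
    if ($parts.Count -eq 2) {
        $lastTime     = [datetime]::Parse($parts[0])
        $lastRecordId = [long]$parts[1]
    }
}

# Filter on the host side: log name, event IDs and start time all go into the FilterHashtable.
$filter = @{ LogName = $LogName; Id = $EventIds; StartTime = $lastTime }
$events = @(Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue |
            Where-Object { $_.RecordId -gt $lastRecordId } |   # drop events already reported
            Sort-Object RecordId)

# Emit key=value output: a count per event ID (for thresholds) plus one record per event.
foreach ($id in $EventIds) {
    $count = @($events | Where-Object { $_.Id -eq $id }).Count
    "event_{0}_count={1}" -f $id, $count
}
foreach ($e in $events) {
    # Collapse the message to one line so each event stays a single output record.
    $msg = ($e.Message -replace '\s+', ' ').Trim()
    "{0}|{1}|{2}|{3}" -f $e.RecordId, $e.TimeCreated.ToString('o'), $e.Id, $msg
}

# Advance the state only after the output has been produced, so a failed run is re-collected.
if ($events.Count -gt 0) {
    $newest = $events[-1]
    "{0}|{1}" -f $newest.TimeCreated.ToString('o'), $newest.RecordId | Set-Content $stateFile
}
```

Keying the state on RecordId as well as the timestamp avoids re-alerting on events that share the same second as the last one reported.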