
Windows Event Management doubt(s)


Question

Hello,

We are currently migrating from CA IM to the LogicMonitor platform, and when it comes to event log monitoring we have some doubts about how to replicate what we have.
Currently, in IM, we pick what we want to monitor (by creating profiles that look at the Severity, Source, ID, Message, etc.). I understand this is possible within LM, but from what I checked it would require us to create a different EventSource every time the source changes (and we are talking about >100 variations).

With that in mind, using that method we would create a huge load on the collectors, correct (due to WMI limitations, etc...)?

Not sure if this was raised in the past but, is there any other approach/method we could try in order to accomplish this?

Appreciate the feedback.

Thank you!


7 answers to this question

  • Administrators

Sorry, was headed into a meeting and didn't have time to explain. Pre-reading: https://www.logicmonitor.com/support/logicmodules/eventsources/types-of-events/windows-event-log-monitoring Pay particular attention to the FILTEREDEVENTS option.

You can combine multiple sets of criteria into a single EventSource. You do this in your filters. As you found, you can set very specific filters so that each EventSource is responsible for alerting on a particular event. Instead, be less specific and one EventSource can capture multiple events. You can use RegEx to create a filter as complex as needed. When the alert is opened, the "Alert Message" template is used to create the alert message displayed in the alert. Since it uses tokens, you can use a single template for most (or all) of the events.

21 minutes ago, Stuart Weenig said:

Sorry, was headed into a meeting and didn't have time to explain. Pre-reading: https://www.logicmonitor.com/support/logicmodules/eventsources/types-of-events/windows-event-log-monitoring Pay particular attention to the FILTEREDEVENTS option.

You can combine multiple sets of criteria into a single EventSource. You do this in your filters. As you found, you can set very specific filters so that each EventSource is responsible for alerting on a particular event. Instead, be less specific and one EventSource can capture multiple events. You can use RegEx to create a filter as complex as needed. When the alert is opened, the "Alert Message" template is used to create the alert message displayed in the alert. Since it uses tokens, you can use a single template for most (or all) of the events.


No problem!!!

OK, I think I got that. Within the 'Application' log we have multiple filters where we want to fetch events from multiple different sources, and for each of those sources only grab specific IDs.
Example (using just two events we get from the Application log):

[screenshot 1: first Application event] [screenshot 2: second Application event]

Both of those events fall into the 'Application' log but have different sources and different IDs per source.
From looking into the EventSource definition I'm able to pass the Source(s) and ID(s), but only separately:

[screenshot: EventSource filter with separate Source and ID fields]

This will not restrict those IDs to the actual Source(s).

But, if I use the Complex option, I can achieve it (examples below):

First event (1st image) -> (EVENTID == 1540 || EVENTID == 1541) && (SOURCENAME ==~ /(?i)Citrix\sMetaframe\sConferencing\sManager.*/)
Second event (2nd image) -> (EVENTID == 9032) && (SOURCENAME ==~ /(?i)Citrix\sICA\sService.*/) 

Combining both (using OR logic) -> ((EVENTID == 1540 || EVENTID == 1541) && (SOURCENAME ==~ /(?i)Citrix\sMetaframe\sConferencing\sManager.*/)) || ((EVENTID == 9032) && (SOURCENAME ==~ /(?i)Citrix\sICA\sService.*/))

Would this work and only capture those 2?

If yes, that would be great :) 

  • Administrators

Yes, to get to that level of complex logic, you'd need to use that combined logic in a complex expression. It's written in Groovy syntax, but I think your syntax should match:

[screenshot: the combined complex expression entered in the EventSource filter]

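The following is an added example, not code from the thread or from LogicMonitor: a small offline harness that applies the same OR-of-(IDs AND source-regex) logic from the combined expression above to a handful of constructed sample events, so the filter can be sanity-checked before it is pasted into an EventSource. It emulates Groovy's ==~ operator with re.fullmatch (both require the regex to match the whole string; Groovy's =~ is the substring form), which is why the trailing .* in the thread's patterns matters. The event dicts, the "strict" rule set without .* and all function names are assumptions made for the example.

```python
import re

# Constructed sample events (not from the original post). The keys mirror the
# EVENTID and SOURCENAME tokens used in the thread's complex expression.
SAMPLE_EVENTS = [
    {"EVENTID": 1540, "SOURCENAME": "Citrix Metaframe Conferencing Manager"},
    {"EVENTID": 1541, "SOURCENAME": "Citrix MetaFrame Conferencing Manager Service"},
    {"EVENTID": 9032, "SOURCENAME": "Citrix ICA Service"},
    {"EVENTID": 1540, "SOURCENAME": "Some Other Application"},     # right ID, wrong source
    {"EVENTID": 9033, "SOURCENAME": "Citrix ICA Service"},         # right source, wrong ID
    {"EVENTID": 9032, "SOURCENAME": "Citrix ICA Service Legacy"},  # only the trailing .* admits this
]

# One (allowed IDs, source regex) pair per sub-expression of the combined filter.
# (?i) makes the match case-insensitive, exactly as in the thread's patterns.
RULES = [
    ({1540, 1541}, r"(?i)Citrix\sMetaframe\sConferencing\sManager.*"),
    ({9032},       r"(?i)Citrix\sICA\sService.*"),
]

# Assumed variant without the trailing .*: because ==~ is a whole-string match,
# dropping .* pins the filter to the exact source name.
STRICT_RULES = [
    ({1540, 1541}, r"(?i)Citrix\sMetaframe\sConferencing\sManager"),
    ({9032},       r"(?i)Citrix\sICA\sService"),
]


def groovy_full_match(pattern, value):
    """Emulate Groovy's ==~ operator: the pattern must match the entire string."""
    return re.fullmatch(pattern, value) is not None


def matches_filter(event, rules=RULES):
    """True if the event satisfies any rule, i.e. the OR-combined expression
    ((ids) && (source regex)) || ((ids) && (source regex)) ..."""
    return any(
        event["EVENTID"] in ids and groovy_full_match(src_re, event["SOURCENAME"])
        for ids, src_re in rules
    )


def select_events(events, rules=RULES):
    """Return only the events the filter would let through."""
    return [e for e in events if matches_filter(e, rules)]


if __name__ == "__main__":
    for e in SAMPLE_EVENTS:
        print(f"{str(matches_filter(e)):5} strict={str(matches_filter(e, STRICT_RULES)):5} {e}")
```

Running it shows the first three constructed events pass, the right-ID/wrong-source and right-source/wrong-ID events are rejected, and the sixth event passes only because of the trailing .*; with STRICT_RULES the second and sixth events are dropped as well. That is the check worth doing when a source name is shared by several products or carries a suffix, since an over-permissive .* is how unrelated events end up alerting under the same template.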
3 minutes ago, Stuart Weenig said:

Yes, to get to that level of complex logic, you'd need to use that combined logic in a complex expression. It's written in Groovy syntax, but I think your syntax should match:

[screenshot: the combined complex expression entered in the EventSource filter]

Nice to hear that!

We'll start mapping our stuff and see if it works.
We'll use a sample event (that I can trigger on purpose) in order to test this out.

Will update further.
