IPSENTRY Version 4
 


NT Event Log Monitor - Event Log Configuration


When you select "Configure Add-In" from the IPSentry machine options editor, you will be presented with the main Event Log Monitor Configuration Window.

This window contains fields allowing you to specify which computer and log file you wish to monitor.  Within this window is a list of event log filters which should be used to evaluate the selected event log or logs.

The Process
During a monitoring cycle, the event log add-in will perform the following tasks:

  1. Connect to the computer specified

  2. Open the event log.

  3. Evaluate events from the last event in the log to the first.

  4. If an event is found that matches the filter, alerts will be triggered.

  5. If the date of an event is earlier than the last check, evaluation will stop.

  6. The add-in will return the alert result to IPSentry. 

This document discusses the fields and entries on the main configuration window.

NT System (UNC)
Enter the name of the Workstation or Server containing the event log you wish to monitor in this field.  The name should be in UNC format (e.g. \\MYSERVER).

Browse (button)
Click this button if you wish to browse your network for a specific computer from a list of computers in your network neighborhood.

Event Log
Select the event log you wish to monitor.  Valid selections include Application, Security, System, or ALL.  When you select ALL, the Event Log Add-in will evaluate all log files until the event filter is matched or all recent events have been analyzed.

Ignore Connection Failures
Select this option to ignore problems accessing the remote computer.  If you receive many RPC error alerts, this could be due to a slow connection, invalid security, a disabled PDC, or other accessibility errors.  When this option is checked, alerts will only be triggered when the remote computer is accessible and the event logs can be analyzed.

Locate All Events
Select this option to have the event logs checked from the last point checked to the end of the log (rather than the reverse monitoring that is the default method).

Using this method will cause the add-in to start scanning for matching events and trigger an alert if an event is found.  The remainder of the event log will not be skipped.  Thus, the next matching event in the log will trigger an event on the next cycle.

This option is new for version 4.5.0 of the Event Log Monitoring Add-in.  Caution should be taken when selecting this option as a back-log may occur if matching events are constantly being added to the log file.  Also, you may find yourself inundated with alerts on every cycle because the add-in cache cannot keep up.

This option also causes the monitoring task to take considerably more time, because it must evaluate every event in the log that was added since the last cycle or the last matching event, which increases the processing time.

We recommend that you do not select this option.  However, if you do select this option, it should be used only with RARE events and on log files that are not growing rapidly, and it should not be used over slow WAN connections, because all event data must be evaluated.

Logon As
Enter the user logon name required to access the remote computer.  This need only be used if the account under which IPSentry is running does not have access to the event logs on the remote system (e.g. a different domain).

Password
Enter the password associated with the "Logon As" user name.  This value will be obfuscated for inclusion in the "ARGS" value returned to IPSentry.

Event Filters
The Event Filters list contains the details regarding the various filters that will be applied when analyzing the event log.

There are two types of event filters.

Include
Event filters marked as "Include" specify that the event WILL be considered for triggering an alert if all of the specifications within the filter match the event information.  Once the event has been considered, it will then be evaluated against any "Exclude" filters.

Exclude
Event filters marked as "Exclude" specify the filtering that will be used to discard events that match any of the "Include" filters.  Once an event has been considered for triggering an alert through the "Include" option, it may be discarded if it matches any of the Exclude filters.
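
The monitoring cycle and the Include/Exclude evaluation described above can be modeled as follows. This is an added example, not IPSentry code: the filter field names (source, event_id), the sample log, and the saved "position" used for Locate All Events are assumptions made for illustration. It also assumes the default reverse scan ends at its first match.

```python
from datetime import datetime

def matches(flt, event):
    # A filter matches only when every field it specifies equals the event's value.
    return all(event.get(key) == value for key, value in flt.items())

def is_alertable(event, includes, excludes):
    # An Include filter nominates the event; any matching Exclude filter discards it.
    if not any(matches(f, event) for f in includes):
        return False
    return not any(matches(f, event) for f in excludes)

def reverse_cycle(log, last_check, includes, excludes):
    # Default mode: newest to oldest, stopping at events older than the last check.
    for event in reversed(log):  # log is ordered oldest -> newest
        if event["time"] < last_check:
            break
        if is_alertable(event, includes, excludes):
            return event  # remaining (older) events are skipped
    return None

def locate_all_cycle(log, position, includes, excludes):
    # "Locate All Events" mode: forward from the saved position; the first match
    # ends the cycle and the rest of the log is left for the next cycle.
    for index in range(position, len(log)):
        if is_alertable(log[index], includes, excludes):
            return log[index], index + 1
    return None, len(log)

def at(hour, minute):
    return datetime(2003, 1, 1, hour, minute)

# Constructed sample log and filters (field names are assumptions).
LOG = [
    {"time": at(9, 0), "source": "Disk", "event_id": 7},
    {"time": at(10, 5), "source": "Disk", "event_id": 7},
    {"time": at(10, 10), "source": "Disk", "event_id": 51},
    {"time": at(10, 15), "source": "Disk", "event_id": 7},
    {"time": at(10, 20), "source": "Print", "event_id": 10},
]
INCLUDES = [{"source": "Disk"}]
EXCLUDES = [{"source": "Disk", "event_id": 51}]

if __name__ == "__main__":
    print("reverse:", reverse_cycle(LOG, at(10, 0), INCLUDES, EXCLUDES))
    position = 1  # first event written after the 10:00 check
    while position < len(LOG):
        hit, position = locate_all_cycle(LOG, position, INCLUDES, EXCLUDES)
        print("locate-all:", hit)
```

With a last check at 10:00, the reverse scan reports only the 10:15 event, while the forward mode needs two cycles to report the 10:05 and 10:15 events, which is the back-log behavior the Locate All Events caution describes.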

Add (button)
Click the ADD button to insert a new filter into the list.

Edit (button)
After highlighting an existing filter in the list, click the EDIT button to modify the filter.

Remove (button)
After highlighting an existing filter in the list, click the REMOVE button to delete that filter.

Test
The TEST button allows you to perform a test of your settings to ensure that the results are as expected.  The TEST button causes the add-in to perform an evaluation of the event log using the current configuration.

When running in a live monitoring cycle, the add-in only evaluates events that have been written since the last check.  The TEST button on the other hand will allow you to evaluate the entire log file, or only entries that have been added during the current date. 

Entire Log
Check this option to have the test evaluate the entire event log.

Today Only
Check this option to have the test only evaluate entries placed in the log today. (faster)

Once you have configured and tested the settings, click OK to store your settings.

When you return to IPSentry, the "ARGS" field will contain XML encoded arguments, containing all of your settings, that will be provided to the add-in during each monitoring cycle.

It is not advisable that you edit this field directly since some values have been encoded for either security or data parsing reasons.




Contact: support@ipsentry.com  http://www.ipsentry.com
©1997-2003 by RGE, Inc. - All Rights Reserved
IPSentry® is a registered trademark of RGE, Inc.