
Hey all,
I've got an APM monitor configured to watch for a very specific event log message. I've got it pinned down with:
Hi dewach
Can you post here a screenshot of the Windows Event Log monitor settings? Or post the precise format of the keywords string.
The keywords field can be filled with a single sentence or a list of words or phrases, in the following format:
"keyword1", "keyword2", "phrase number one"
Messages in events which are found by Log Source, Event Type and Event Id are scanned for those keywords. Note that only one of the keywords must be found in the message to mark the event as a positive match.
Could you please also post a screenshot from the Windows Event Log so we can see exactly how the log message looks?
Thank you
Hi. The settings look good. I tried to simulate this issue but I am receiving correct results. There is another possibility. When the APM server and the polled device are in different time zones, or there is a different time on both machines, the Event Log monitor could give false positives. This is because the time period in which the monitor looks for the events is calculated on the server in local time. That means the time window in which the monitor is looking could be shifted forward or back in time. Please check both machines, the server and the polled node, to see if there is a time difference. You probably know that, but just for completeness: the size of the time window that is searched for the event is determined by the setting "Number of past polling intervals". In your case it is set to 1.5, which means the monitor is searching among events logged in the last 7.5 minutes.
I hope this helps you. If it doesn't, please open a support ticket for this issue.
Unfortunately that's not an issue here - both Orion and the monitored servers are in the same datacenter, same timezone, and have their clocks synchronized.
Looks like I'll have to go the support ticket route.
When you do, can you please post the support ticket number here? I would like to look at this more closely.
Thanks
Ticket #278429 opened.
Thanks!
Hello,
to close the loop on this one: we have found that there is an issue in the Windows Event Log monitor. If the multiline textbox with keywords contains a new line character at the end, this new line character is used as a new keyword for matching. So all events containing a new line character cause the monitor to go to the Down state.
Removing empty lines from keywords textbox resolved the issue.
Thanks,
Lukas
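The failure mode described in the post above, as an added example that is not part of the original thread and is not SolarWinds code: a keyword parser that trims only spaces and commas keeps a trailing newline as a keyword, and any-keyword substring matching then flags every multi-line event. The function names, the parsing model and the sample events are assumptions constructed for illustration.

```python
import re

def parse_keywords_naive(raw):
    """Models the bug (assumed parsing model): only spaces and commas are
    treated as separators, so a newline after the last quoted phrase
    survives as a keyword of its own."""
    return [p for p in raw.split('"') if p.strip(" ,")]

def parse_keywords_strict(raw):
    """Keep only quoted phrases that still contain text after trimming."""
    return [k.strip() for k in re.findall(r'"([^"]*)"', raw) if k.strip()]

def whitespace_only_keywords(keywords):
    """Audit helper: keywords that would match almost any multi-line message."""
    return [k for k in keywords if not k.strip()]

def matching_events(events, keywords):
    """Any-keyword substring match: one hit marks the event as a match."""
    return [e["id"] for e in events
            if any(k in e["message"] for k in keywords)]

# Constructed sample data (not taken from the thread).
RAW_KEYWORDS = '"backup failed", "volume shadow copy error"\n'
EVENTS = [
    {"id": 1, "message": "Job 17: backup failed on drive D:\r\nSee log."},
    {"id": 2, "message": "Service started successfully.\r\nNo action required."},
    {"id": 3, "message": "Heartbeat OK"},
]

if __name__ == "__main__":
    naive = parse_keywords_naive(RAW_KEYWORDS)
    strict = parse_keywords_strict(RAW_KEYWORDS)
    print("naive keywords :", naive)
    print("suspicious     :", whitespace_only_keywords(naive))
    print("naive matches  :", matching_events(EVENTS, naive))
    print("strict keywords:", strict)
    print("strict matches :", matching_events(EVENTS, strict))
```

Running an audit like `whitespace_only_keywords` over configured keyword strings is a quick way to find monitors affected by stray empty lines.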
Hi dewach--
Just as Donderka suggested, please post back here with the ticket #. Also, please include any solutions you get from support for this issue.
Much Appreciated!
DH
Did you figure this out...I want to do the same thing?
Hi randallzapata--
Did you try Lukas.Belza's instructions?
DH