Event Log Template 'Include events' keywords function not working

hilbertd21

We are trying to set up active monitoring for catching windows event id's on Windows Domain Controllers using a Windows Event Log template with polling method RPC.

The Windows Event Log monitor to set component to 'Down' state and alert on when specific Windows Log Source and Event IDs are generated on a Windows 2008R2 Domain Controller. Orion NPM instance that this template runs from is Orion Platform 2013.2.0, SAM 6.0.0, NCM 7.2.1, NPM 10.6, NTA 3.11.0, IVIM 1.8.1, VNQM 4.1

As seen below, when a keyword is added under 'Include events' as one of the conditions for just one of the components we're testing, it fails to set the component to down. When the keyword field is BLANK, where we then only have the Windows Log Source, and specific Event ID defined, it works. However, we want to specifically trigger on certain keywords under Group Name for example. The 2nd screen shot is an example of the windows log DETAIL which is where we want to pull from, for example, the output generated by the log variable Group Name:, on the output generated called 'FRA_SQLAdmins'. We've tried both including and excluding " ", with no results.

The event log details we want to pull keyword from: i.e. FRA_SQLAdmins under Group Name:

The windows event variable statement from the event ID.

Thanks for any help or feedback.

aLTeReGo

Have you tried using WMI instead of RPC? Another option if you know this event exists in the event log on one of your servers already is to use the Real-Time Event Log Viewer, select the event, and click "Start Monitoring". When walking through the wizard, the message text will be pre-populated for you already. Simply remove any unnecessary text that could make the message unique to that single occurrence (time stamps, GUID, etc).