Can APM alert on Event ID#s from the Application Event Log?
Gbutler, APM 3.0 turned the event log script into a self-contained component monitor named "Windows Event Log Monitor". If you're comfortable working with the script, that's fine. I just wanted to let you know about the Windows Event Log Monitor in case you weren't aware we had added one.
http://www.solarwinds.com/netperfmon/SolarWinds/OrionAPMPHComponentTypesWindowsEventLog.htm
Windows Event Log Monitor
This component monitor uses WMI communication to scan Windows Event Logs for recent events matching your defined criteria. Events are considered recent based on the age of the event as compared to the application polling frequency. If a matching event is found, the component monitor changes status.
The component monitor eventually returns to its original status as time passes so you may not notice a matching event unless you create an alert to email you when the component goes down.
I don't know if this is what you mean, but there is a monitor script for the Windows event log that takes as arguments event area, time frame, ID, and string lookup.
We have it running every 5 minutes looking for events that will set off alerts.
Thanks - I found it and will try it out.
The selection named CUSTOM is kinda hidden and I probably would never have found it on my own.
FYI... the script broke for me due to daylight savings... I had the monitor checking every five minutes for event IDs... it stopped working this year right at time change. I think I got the code fixed now (as much as I could figure out how MS handles time change).
Hello,
I checked out the link, but I'm still having a problem with this showing as Status Down when a certain error pops up. I added a server through SNMP and I stripped down the Windows Event Log Monitor to the following settings:
Polling: 60 seconds (I'm manually testing, so don't think it matters)
Log Source: Any
Event Type: Error
Number of Past Polling: 140
Everything else is blank. The error I'm looking for has happened within the last 3 events in the System Log (Event ID: 1007). I've tried using System, input the Event ID, Log Source, etc, but every time, the test shows up as 'Status Available'. I believe Number of Past Polling is either minutes or # of events, so 140 should be more than enough.
Is there something I'm doing wrong?
Number of Past Polling refers to the number of previous polling cycles. It is then multiplied by the length of your polling cycle (60 seconds, in this case) to determine how far back in the event log to search for a matching event. As you've currently defined it, APM will search all the event logs for the last 2 hours 20 minutes (or 140 minutes) for any error event.
When you say that you're manually testing, what exactly are you doing?
I just mean I'm hitting the 'Test' button to run the monitor.
Manually testing the alert will only test the trigger actions, not the trigger conditions.
So you've assigned this application monitor to a node that you know has an error event within the last 140 minutes and it's still not showing as red (down) in APM?
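The lookback window explained above (Number of Past Polling multiplied by the polling interval) and the time-change problem mentioned earlier in the thread, as an added Python example; it is not the APM component monitor's code or the poster's script. It assumes the events have already been read from WMI's Win32_NTLogEvent class into dictionaries; the function names are hypothetical and the sample events are constructed.

```python
from datetime import datetime, timedelta, timezone

def parse_wmi_datetime(value):
    """Convert a WMI (DMTF) datetime, 'yyyymmddHHMMSS.mmmmmm+UUU', to UTC."""
    local = datetime.strptime(value[:21], "%Y%m%d%H%M%S.%f")
    offset = timedelta(minutes=int(value[21:25]))  # signed minutes from UTC
    return (local - offset).replace(tzinfo=timezone.utc)

def lookback_start(now_utc, polling_seconds, past_polls):
    """Number of Past Polling x polling interval = how far back to search."""
    return now_utc - timedelta(seconds=polling_seconds * past_polls)

def matching_events(events, now_utc, polling_seconds, past_polls,
                    log_file=None, event_type=None, event_id=None):
    """Return events inside the window; a criterion left as None matches any."""
    start = lookback_start(now_utc, polling_seconds, past_polls)
    hits = []
    for ev in events:
        # Compare in UTC so a change of local offset cannot shift the window.
        when = parse_wmi_datetime(ev["TimeGenerated"])
        if not start <= when <= now_utc:
            continue
        if log_file is not None and ev["Logfile"] != log_file:
            continue
        if event_type is not None and ev["Type"] != event_type:
            continue
        if event_id is not None and ev["EventCode"] != event_id:
            continue
        hits.append(ev)
    return hits

# Constructed sample: a host whose UTC offset moves from -300 to -240 minutes.
NOW = datetime(2024, 3, 10, 7, 3, tzinfo=timezone.utc)  # 03:03 local time
SAMPLE_EVENTS = [
    {"Logfile": "System", "Type": "Error", "EventCode": 1007,
     "TimeGenerated": "20240310015830.000000-300"},   # 06:58:30 UTC
    {"Logfile": "System", "Type": "Error", "EventCode": 1007,
     "TimeGenerated": "20240310000000.000000-300"},   # 05:00:00 UTC
    {"Logfile": "Application", "Type": "Warning", "EventCode": 1000,
     "TimeGenerated": "20240310030200.000000-240"},   # 07:02:00 UTC
    {"Logfile": "System", "Type": "Error", "EventCode": 1007,
     "TimeGenerated": "20240309230000.000000-300"},   # 04:00:00 UTC
]

if __name__ == "__main__":
    wide = matching_events(SAMPLE_EVENTS, NOW, 60, 140, event_type="Error")
    narrow = matching_events(SAMPLE_EVENTS, NOW, 300, 1, "System", event_id=1007)
    print(len(wide), "error events in 140 minutes;", len(narrow), "in 5 minutes")
```

A comparison on local wall-clock times would treat the 01:58:30 event as more than an hour older than 03:03, although only four and a half minutes passed, so a five-minute check would skip it.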