
Event Log Monitoring

OK... Here's the scenario. We want to monitor the security logs for all success and failure events on a Test Virtual Machine that is not joined to the domain.

So far, I have:

- Added the device with the discovered monitors

- Set up mirrored service accounts on the IPMonitor Server (Server 2003 and ipMonitor Version: 10.0 build 1371) and the Test-VM server (server 2008), and enabled remote administration on the Test-VM server.

- Added three new monitors:

    * "Security Event|Failure" Using the credentials of the mirrored service accounts on both servers. Filters: Event Area - Security, Event Type - Security Audit Failure. All other fields default

    * "Security Event|Success" Using the credentials of the mirrored service accounts on both servers. Filters: Event Area - Security, Event Type - Security Audit Success. All other fields default

    * "System Event|Error" Using the credentials of the mirrored service accounts on both servers. Filters: Event Area - System, Event Type - Error. All other fields default

- Added all monitors to Alerts (which have been pre-configured and work correctly for all other servers)

- Created new Content generator to display event log details:

    * EVENT: %capture[1]%
      EVENT ID: %capture[category]%
      SERVER: %capture[computername]%

- Configured the three monitors to use this new content generator with default RegEx patterns on all.

All three monitors appear to be working. I can press the "preview" button and see all the details of the logs being monitored, but no alerts are issued.

Looking at the event log on the Test-VM I can see that the mirrored service account is logging in successfully. However, the main service account that we use for checking devices within the domain is ALSO attempting to log in to the Test-VM server (unsure if this is related, but I would think that as the monitor has been set to use the mirrored service account for authentication, the other service account should NOT be used).

To make a long story short we need to be able to get the alerts going, and to stop the other service account from logging in to the Test-VM.

  • Hi Licensing,

    One thing to keep in mind is that the following 3 Monitors are not designed to fail.  They simply look for content and send you an Information Notification about it:

    • File Watching Monitor
    • Event Log Monitor
    • SNMP Trap Monitor

    In order to ensure that the Action notifies you if and when these Monitors match up on something, make sure the following check box is enabled within the Action in question:

    -Send Information Notifications

    If this does not help, try setting the Monitor to use "Default Content Generator" and see if you get a notification email stating "Found x of y"

    Let me know,

    Sincerely,

    Chris Foley - SolarWinds - Support Specialist
    Support:866.530.8040 |Direct:512.682.9385 |Fax:512.857.0125
    network management simplified  |  solarwinds.com

  • Hi Chris,

    I could not locate a checkbox marked "Send Information Notifications". Where would I find this?

    I tried the default content generator and indeed this does work. This would seem to imply that there is a problem with the Content Generator that I created. However, I use this same CG on a number of other servers without issue...

    Where to from here?

    Cheers,

    Grant

  • Grant,

    For future reference, to check the "Send Information Notifications" check box:

    1. Click the Configuration tab.
    2. Click "Alert List"
    3. Click the Alert in question.
    4. Click the Email Action in question.
    5. Scroll down to the bottom.  The last section should have the check box I have mentioned.

    The fact that the email gets sent when "Default Content Generator" is used tells me that your Content Generator is putting something in the email that your mail filters don't like. That said, try creating a new Content Generator and only use the following tokens:

    -%capture[category]%
    -%capture[computername]%
    -%capture[logfile]%
    -%capture[sourcename]%
    -%capture[timewritten]%

    Then set the Event Log Monitor to use this new Content Generator and test it.  See if the email reaches its destination.

    A different way to test this would be to reassign your current Content Generator to the Event Log Monitor and add a Text Log Action to the same Alert as your Email Action.  Then test and see if the content ends up in the text file.

    Let me know the results of either or both.

    Thanks,

    Chris Foley - SolarWinds - Support Specialist

  • Hi Chris,

    I have created a content generator using the tokens you suggested. Emails successfully reached their destination for all 3 monitors (Event logs, and both security logs).

    I then reassigned the original CG, and added the text log action to the alert, as instructed. Viewing this log file it can be seen that the content generator is outputting to the text log correctly.

    Additionally, after making the changes described above the Event Log email notifications began to work with the current content generator. Email notifications for security alerts, however, still do not work with the current CG.

  • I think we can narrow it down to the %capture[1]% token that is stopping these alerts from being emailed. For some reason this only applies to security log events.

    I had removed this token from the alert and emails came through as expected. Perhaps IPMonitor has some issues capturing event text from security logs?

  • Please note this problem has NOT been resolved. I believe this to be a bug in IP Monitor. I have lodged a support ticket and will post results for anyone experiencing a similar issue.

  • Hi Licensing--

    Thanks for the update on this and please do post the outcome for the benefit of the community.

    M

  • Received an email this morning from the SolarWinds tech support team:

    "Grant,

    This is an issue we have seen before. Let me do some more testing, and I will get back to you.

    Regards,
    SolarWinds Support Team

    http://thwack.com "Share ideas, find solutions" in our User Support Forums

    SolarWinds Certified Professional – Network Management Certification"

  • *******SOLUTION FOUND********

    The problem was that the %capture[1]% token yields a LOT more text when applied to the Security Log than when it is applied to the Event Log.

    We had originally configured the subject of our email alerts to include the monitor name and the text of the event. This was fine for most of the email alerts, but the amount of text generated by a security log event being put into the subject line of the email caused our Outlook clients to drop the emails.

    After removing the event details from the email notification's subject line, alerts came in fine.
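The failure mode described in this thread, shown as an added example (not ipMonitor's code or the poster's configuration): a Security Audit message pasted into the subject line produces a multi-line, over-long header, while keeping only short fields in the subject and moving the event text to the body stays within the RFC 5322 length guidance. The event fields and values below are constructed sample data keyed like the content-generator tokens discussed above.

```python
"""Alert formatting that keeps the e-mail subject short and puts event text in the body."""
from email.message import EmailMessage

# RFC 5322 recommends header lines of at most 78 characters (998 is the hard limit).
SUBJECT_LIMIT = 78

# Constructed sample event; field names mirror the %capture[...]% tokens from the thread.
SECURITY_FAILURE_EVENT = {
    "computername": "TEST-VM",
    "logfile": "Security",
    "sourcename": "Microsoft-Windows-Security-Auditing",
    "category": "Logon",
    "timewritten": "2011-03-01 09:15:42",
    # Security Audit messages are long and multi-line, unlike most System log events.
    "message": (
        "An account failed to log on.\r\n\r\n"
        "Subject:\r\n\tSecurity ID:\t\tNULL SID\r\n\tAccount Name:\t\t-\r\n\r\n"
        "Logon Type:\t\t\t3\r\n\r\n"
        "Account For Which Logon Failed:\r\n\tAccount Name:\t\tsvc_ipmonitor\r\n"
        "\tAccount Domain:\t\tCORP\r\n\r\n"
        "Failure Information:\r\n\tStatus:\t\t\t0xc000006d\r\n"
    ),
}

def subject_is_safe(subject, limit=SUBJECT_LIMIT):
    """A subject must be a single header line within the recommended length."""
    return "\r" not in subject and "\n" not in subject and len(subject) <= limit

def naive_subject(monitor_name, event):
    """What the thread's original alert did: monitor name plus the full event text."""
    return f"{monitor_name}: {event['message']}"

def safe_subject(monitor_name, event, limit=SUBJECT_LIMIT):
    """Only short, single-line fields go in the subject; trim if it is still too long."""
    subject = f"{monitor_name} on {event['computername']} ({event['category']})"
    if len(subject) > limit:
        subject = subject[: limit - 3] + "..."
    return subject

def build_alert(monitor_name, event, sender, recipient):
    """Compose the notification: short subject, full event details in the body."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = recipient
    msg["Subject"] = safe_subject(monitor_name, event)
    body = "\n".join([
        f"Server:  {event['computername']}",
        f"Log:     {event['logfile']}",
        f"Source:  {event['sourcename']}",
        f"Written: {event['timewritten']}",
        "",
        event["message"].replace("\r\n", "\n"),
    ])
    msg.set_content(body)
    return msg
```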