SEM and Windows Application Event Logs

We have the Windows Application Log connector enabled on our machines. I am trying to figure out why I am not seeing those logs in SEM. One log in general that hits the Application Event Log is for the DUO Windows Client (Successful Duo Local login for '{username}'). We are trying to grab a report for this specifically to try to audit these DUO events.

However, does SEM handle Application Event Logs, and is it even possible to have LEM store these events?

Thanks!

  • Hi there, 

    SEM can natively pull through Windows Application logs with no problems. If you make a filter like this, you can see all of the logs that are being pulled through from any device:

    If you go to Nodes > Select an Agent node > Manage Connectors, you should see something like the following:

    If that is green, it means it's running and it should be pulling application log events through. If for whatever reason all this is matching but still no events are coming through, it could be that the Agent on the Windows Server is having problems, and I'd recommend removing it and re-installing to see if that fixes it:

    https://support.solarwinds.com/SuccessCenter/s/article/Uninstall-and-reinstall-LEM-agents-on-Windows-machines?language=en_US

    Kind regards,

    Marlie Fancourt | SolarWinds Pre-Sales Manager

    Prosperon Networks | SolarWinds Partner since 2006

    If this helps answer your question please mark my answer as confirmed to help other users, thank you!

  • Check under this file

    Windows Application Log Example

    C:\Windows\SysWOW64\ContegoSPOP\tools\ntapplication.xml

    This shows all the events that are recognized by the version of your connector.

    This will require a little understanding of XML, but you could use the find command and use the event ID.

    Currently I do not see this Event ID being logged, so you would have to request a connector update to add this in the next connector update.

  • The Windows Application connector does not parse everything; you need to determine if that event is registered in the XML file of the connector.

    All connector XML files are located in C:\Windows\SysWOW64\ContegoSPOP\tools

    Windows Application is listed as

    ntapplication.xml

    Searching for the event ID will tell you if it gets parsed.

    I checked my own and did not see the event ID you posted listed, so this would have to be requested as a connector update to add this to the parse file.

    If you want to try regex yourself you can, but realize this can and will be overwritten in the next connector update.

    If the log appears in the Event Viewer under the Windows Application log, then it should be easy enough for an update to the connector. They are pretty good at adding connector parsing; I have done several in the past with no issues.
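
The check described in the two replies above, as an added example that is not part of the original thread or SolarWinds' own tooling: it finds the event ID(s) behind the Duo login message in the local Application log, then searches the connector definition for each ID. The scan depth (`$MaxEvents`) is an assumption, and the search is a plain text match that assumes nothing about the XML layout.

```powershell
# Added example: run on a Windows machine with the SEM agent installed.
$ConnectorXml = 'C:\Windows\SysWOW64\ContegoSPOP\tools\ntapplication.xml'  # path from the thread
$MessageMatch = '*Successful Duo Local login*'                            # message text from the thread
$MaxEvents    = 5000                                                       # assumption: how far back to scan

if (-not (Test-Path -LiteralPath $ConnectorXml)) {
    throw "Connector definition not found: $ConnectorXml"
}

# Step 1: collect recent Application log events whose message matches the Duo login text.
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Application' } `
              -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
          Where-Object { $_.Message -like $MessageMatch }

if (-not $events) {
    Write-Warning "No matching events in the last $MaxEvents Application log entries."
    return
}

# Step 2: for each distinct provider/event ID pair, look for the ID in the connector XML.
foreach ($group in ($events | Group-Object ProviderName, Id)) {
    $first = $group.Group[0]
    $id    = $first.Id

    # Match the ID as a whole number so that, e.g., 10 does not match 1000.
    $hits = @(Select-String -LiteralPath $ConnectorXml -Pattern "(?<!\d)$id(?!\d)")

    [pscustomobject]@{
        Provider   = $first.ProviderName
        EventId    = $id
        SeenInLog  = $group.Count
        XmlMatches = $hits.Count
        XmlLines   = ($hits.LineNumber | Select-Object -First 5) -join ', '
    }
}
```

Zero `XmlMatches` means this connector version contains no text mentioning that ID; a non-zero count still needs a look at the listed lines, since the same number can appear in the file for unrelated reasons.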