This discussion has been locked. The information referenced herein may be inaccurate due to age, software updates, or external references.

You can no longer post new replies to this discussion. If you have a similar question you can start a new discussion in this forum.

Windows Event log Monitor

max348 over 7 years ago

I want to monitor all the windows event logs and make it available if someone comes to me and ask for the event log on these particular day.

We have a situation here where a system admin deleted the windows event log from their servers and came to me asking if i can see those logs for that particular day on solarwinds. I was unable to show any logs from solarwinds. Can anyone help me how i can achieve this if any future requests come. I have SAM, NPM and other modules installed.

I also see a windows event log template in SAM. Can i use this to monitor and store every event and make it available any time??

Top Replies

mprobus over 7 years ago +2

SAM does not give you that capability. The event log monitor is SAM can scan the event logs looking for specific events, but it does not gather and store all of the logs. For this, I believe you need…

0 mprobus over 7 years ago

SAM does not give you that capability. The event log monitor is SAM can scan the event logs looking for specific events, but it does not gather and store all of the logs. For this, I believe you need something like LEM (Log Management Software | SolarWinds ) or Kiwi (How to Archive Windows Event Logs in a Syslog Server ). I have not personally used either because we have another tool that we use, but from what I understand it can give you the functionality that you are looking for.
Cancel
Vote Up +2 Vote Down

Cancel
0 max348 over 7 years ago in reply to mprobus

In SAM there is real time event monitor. Does it extract events that are currently in the server or does it show events that were deleted aswell??
Also how can i setup alerts for certain events like suspicious activity.
We had incident today where certain files were deleted from the SQL server and no one has idea who did it. How can i monitor these kind of activity and trigger alert for it??
Cancel
Vote Up 0 Vote Down

Cancel
0 mprobus over 7 years ago in reply to max348

SAM is 'real time' to the extent that you define the polling frequency. With the event log scans, you also have the ability to determine how far back the logs to look. For example, you can set the polling frequency at 5 mins and the look back at 1.5 polls, to allow it to look back 7.5 minutes every poll.
To alert when items are deleted, you will need to turn up Windows auditing to audit for Object Access. You can then key on the appropriate ID (I think 560).
Cancel
Vote Up 0 Vote Down

Cancel
0 mbird over 7 years ago

You can use the log forwarder to forward specific event IDs and generate alerts off of that. I only really use it for SQL jobs, but you could target just about anything you'd like.
FREE Event Log Forwarder for Windows | SolarWinds
Set up Log Forwarder for the first time - SolarWinds Worldwide, LLC. Help and Support
Cancel
Vote Up 0 Vote Down

Cancel