Event Log Alerts - How can you display what was in the log

Currently, when something is found in the event log it emails us with the "new information" e-mail template. I tried adding %capture[1]% to get the data from the monitor's content generator but that didn't work.


Instead of getting an email with the body of "Found: 1-2 of 2" I'd like to be able to display the actual text in the log.


 Any ideas?


Re: Event Log Alerts - How can you display what was in the log

Hi Eskador,


You may want to try the following setup for the Event log Monitor:


Example of Event log Monitor:



Test Parameters section:


Filters section:
Event Area:  Security
Event Type:  Security Audit Success
Event ID:  560 
Event Source:  enabled    * not used.
Logged by User:  enabled   * not used.
Exclusions by Event Text:  enabled    * not used.
 


Content Matching Event Text with Regular Expressions


Scenario #1: RegEx Pattern:  (.*)



Once the Event log Monitor is able to connect successfully to the remote server, the following configuration needs to be in place in order to get valuable information from the Alert: you would have to use a custom content generator with the Information Alert. Here are the steps to follow:


1. Create a custom Content Generator:
a. From the Configuration tab, click the "Alert list" link
b. Click the "Content Generators" button
c. Add a content Generator.
d. Provide a name:  Event content
e. In the value section enter:  %capture[1]%
f. Save the new content generator.
g. Go back to the Monitor and go to the "Test parameters" section.
h. In the list box for "Content Generator" select the newly created content generator "Event content"
i. Click "apply" and "ok".


2. Ensure the new Event log Monitor is a member of an Alert and that an Email action has been configured with "Information Alert" enabled:
a. Go to Alerts list
b. Open the Alert that is sending the email.
c. Ensure the Event log Monitor is a member of the Alert.
d. Open the Email action
e. Ensure the "Send Information Notifications" checkbox located in the "Notification Content - Information Messages" section is checked.


From now on, every time a Security Audit Success entry is logged with ID 560 in the Security log file, the Event log Monitor will detect it and an Email Alert with a body containing the description of the event should be sent.


I hope this helps.


Stephane


SolarWinds Support team.

Re: Event Log Alerts - How can you display what was in the log

The only tokens that I see for Windows event log are:

  • %capture[category]
  • %capture[computername]
  • %capture[logfile]
  • %capture[sourcename]
  • %capture[timewritten]
  • %capture[user]

Is there any way to retrieve Type and EventID?

Re: Event Log Alerts - How can you display what was in the log

One more question related to the above: is it possible to change a monitor's content generator via mass edit?


Thanks!

Re: Event Log Alerts - How can you display what was in the log

Is it possible to display the content that was returned for an "ADO - QA (SQL Query)" in an e-mail? If so, how? I don't see a content generator.

Re: Event Log Alerts - How can you display what was in the log

The only tokens that I see for Windows event log are:

  • %capture[category]
  • %capture[computername]
  • %capture[logfile]
  • %capture[sourcename]
  • %capture[timewritten]
  • %capture[user]

Is there any way to retrieve Type and EventID?



Any chance to get a response from SolarWinds on this? It's been a while since April 21....
Thanks!

Re: Event Log Alerts - How can you display what was in the log

BTSpaul


As Stephane mentioned previously, you can also use %capture[1]% but if you've used it you know that it only displays the event's long description.


Seems strange that you can filter on Event Type and ID in the Event Log Monitor but you can't retrieve them in a Content Generator.


SolarWinds: Another one for the wishlist?


Rgds, Simon
