
Event Log Alerts - How can you display what was in the log

Currently where something is found in the event log it emails us with the "new information" e-mail template. I tried adding %capture[1]% to get the data from the monitor's content generator but that didn't work.


Instead of getting an email with the body of "Found: 1-2 of 2" I'd like to be able to display the actual text in the log.


 Any ideas?


  • Hi Eskador,


    You may want to try the following setup for the Event log Monitor:


    Example of Event log Monitor:



    Test Parameters section:


    Filters section:
    Event Area:  Security
    Event Type:  Security Audit Success
    Event ID:  560 
    Event Source:  enable    * not used.
    Logged by User:  enabled   * not used.
    Exclusions by Event Text:  enabled    * not used.
     


    Content Matching Event Text with Regular Expressions


    Scenario #1: RegEx Pattern:  (.*)



    Once the Event log Monitor is able to connect successfully to the remote server, the following configuration needs to be in place in order to get valuable information from the Alert: you would have to use a custom content generator with the Information Alert. Here would be the steps to follow:


    1. Create a custom Content Generator:
    a. From the Configuration tab, click the "Alert list" link
    b. Click the "Content Generators" button
    c. Add a content Generator.
    d. Provide a name:  Event content
    e. In the value section enter:  %capture[1]%
    f. Save the new content generator.
    g. Go back to the Monitor and go to the "Test parameters" section.
    h. In the list box for "Content Generator" select the newly created content generator "Event content"
    i. Click "apply" and "ok".


    2. Ensure the new Event log Monitor is a member of an Alert and that an Email action has been configured with "Information Alert" enabled:
    a. Go to Alerts list
    b. Open the Alert that is sending the email.
    c. Ensure the Event log Monitor is a member of the Alert.
    d. Open the Email action
    e. Ensure the "Send Information Notifications" checkbox located in the "Notification Content - Information Messages" section is checked.


    From now on, every time a Security Audit Success entry is logged with ID 560 in the Security log file, the Event log Monitor will detect it and an Email Alert with a body containing the description of the event should be sent.


    I hope this helps.


    Stephane


    SolarWinds Support team.

  • The only tokens that I see for Windows event log are:

    • %capture[category]
    • %capture[computername]
    • %capture[logfile]
    • %capture[sourcename]
    • %capture[timewritten]
    • %capture[user]

    Is there any way to retrieve Type and EventID?

  • One more question related to the above: is it possible to change a monitor's content generator via mass edit?


    Thanks!

  • Is it possible to display the content that was returned for an "ADO - QA (SQL Query)" in an e-mail? If so, how? I don't see a content generator.

  • The only tokens that I see for Windows event log are:

    • %capture[category]
    • %capture[computername]
    • %capture[logfile]
    • %capture[sourcename]
    • %capture[timewritten]
    • %capture[user]

    Is there any way to retrieve Type and EventID?



    Any chance to get a response from SolarWinds on this? It's been a while since April 21....
    Thanks!

  • BTSpaul


    As Stephane mentioned previously, you can also use %capture[1]% but if you've used it you know that it only displays the event's long description.


    Seems strange that you can filter on Event Type and ID in the Event Log Monitor but you can't retrieve them in a Content Generator.


    SolarWinds: Another one for the wishlist?


    Rgds, Simon