6 Replies Latest reply on Jun 26, 2008 4:47 PM by simonpt

    Event Log Alerts - How can you display what was in the log

      Currently where something is found in the event log it emails us with the "new information" e-mail template. I tried adding %capture[1]% to get the data from the monitor's content generator but that didn't work.

      Instead of getting an email with the body of "Found: 1-2 of 2" I'd like to be able to display the actual text in the log.

       Any ideas?

        • Re: Event Log Alerts - How can you display what was in the log

          Hi Eskador,

          You may want to try the following setup for the Event log Monitor:

          Example of Event log Monitor:

          Test Parameters section:

          Filters section:
          Event Area:  Security
          Event Type:  Security Audit Success
          Event ID:  560 
          Event Source:  enable    * not used.
          Logged by User:  enabled   * not used.
          Exclusions by Event Text:  enabled    * not used.

          Content Matching Event Text with Regular Expressions

          Scenario #1: RegEx Pattern:  (.*)

          Once the Event log Monitor is able to connect successfully to the remote server, the following configuration needs to be in place in order to get valuable information from the Alert. You would have to use a custom content generator with the Information Alert.  Here would be the steps to follow:

          1. Create a custom Content Generator:
          a. From the Configuration tab, click the "Alert list" link
          b. Click the "Content Generators" button
          c. Add a content Generator.
          d. Provide a name:  Event content
          e. In the value section enter:  %capture[1]%
          f. Save the new content generator.
          g. Go back to the Monitor and go to the "Test parameters" section.
          h. In the list box for "Content Generator" select the newly created content generator "Event content"
          i. Click "apply" and "ok".

          2. Ensure the new Event log Monitor is a member of an Alert and that an Email action has been configured with "Information Alert" enabled:
          a. Go to Alerts list
          b. Open the Alert that is sending the email.
          c. Ensure the Event log Monitor is a member of the Alert.
          d. Open the Email action
          e. Ensure the "Send Information Notifications" checkbox located in the "Notification Content - Information Messages" section is checked.

          From now on, every time a Security Audit Success entry is logged with ID 560 in the Security log file, the Event log Monitor will detect it and an Email Alert with a body containing the description of the event should be sent.

          I hope this helps.


          SolarWinds Support team.
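
The capture-to-alert mechanism described in the reply above, modelled as an added example (not code from the thread or from SolarWinds). It uses Python's `re` semantics as a stand-in, so the product's own regex engine and token handling may differ; the event text is a constructed sample, and `render` and the `FIELDS` pattern are hypothetical names.

```python
import re

# Constructed sample of a Security-log event 560 description (not from the thread).
SAMPLE_560 = (
    "Object Open:\n"
    "\tObject Server:\tSecurity\n"
    "\tObject Type:\tFile\n"
    "\tObject Name:\tC:\\Finance\\payroll.xls\n"
    "\tPrimary User Name:\tjdoe\n"
    "\tPrimary Domain:\tEXAMPLE\n"
    "\tAccesses:\tReadData (or ListDirectory)\n"
)

TOKEN = re.compile(r"%capture\[(\d+)\]%")

def render(template, pattern, event_text, flags=0):
    """Fill %capture[N]% tokens with group N of the first match.

    Returns None when the pattern does not match (nothing to report)."""
    m = re.search(pattern, event_text, flags)
    if m is None:
        return None

    def fill(tok):
        n = int(tok.group(1))
        if 1 <= n <= m.re.groups and m.group(n) is not None:
            return m.group(n)
        return tok.group(0)  # unknown group: leave the token visible

    return TOKEN.sub(fill, template)

# Hypothetical narrower pattern: one group per field wanted in the e-mail body.
FIELDS = r"Object Name:\s*(.+?)\s*$.*?Primary User Name:\s*(.+?)\s*$"
MULTI = re.DOTALL | re.MULTILINE

def demo():
    return {
        # "." stops at a newline here, so only the first line is captured.
        "greedy": render("%capture[1]%", r"(.*)", SAMPLE_560),
        "greedy_dotall": render("%capture[1]%", r"(.*)", SAMPLE_560, re.DOTALL),
        "fields": render("%capture[2]% opened %capture[1]%", FIELDS, SAMPLE_560, MULTI),
        "missing_group": render("%capture[2]%", r"(.*)", SAMPLE_560),
    }

if __name__ == "__main__":
    for name, body in demo().items():
        print(f"{name}: {body!r}")
```

If a test alert arrives with only the first line of the event description, the pattern's handling of line breaks is the first thing to check.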