9 Replies Latest reply on Jan 14, 2010 4:46 PM by licensing@nlc.com.au

    Event Log Monitoring

      OK... Here's the scenario. We want to monitor the security logs for all success and failure events on a Test Virtual Machine that is not joined to the domain.

      So far, I have:

      - Added the device with the discovered monitors

      - Set up mirrored service accounts on the IPMonitor Server (Server 2003 and ipMonitor Version: 10.0 build 1371) and the Test-VM server (server 2008), and enabled remote administration on the Test-VM server.

      - Added three new monitors:

          * "Security Event|Failure" Using the credentials of the mirrored service accounts on both servers. Filters: Event Area - Security, Event Type - Security Audit Failure. All other fields default

          * "Security Event|Success" Using the credentials of the mirrored service accounts on both servers. Filters: Event Area - Security, Event Type - Security Audit Success. All other fields default

          * "System Event|Error" Using the credentials of the mirrored service accounts on both servers. Filters: Event Area - System, Event Type - Error. All other fields default

      - Added all monitors to Alerts (which have been pre-configured and work correctly for all other servers)

      - Created new Content generator to display event log details:

        * EVENT: %capture[1]%
           EVENT ID: %capture[category]%
           SERVER: %capture[computername]%

      - Configured the three monitors to use this new content generator with default RegEx patterns on all.

      All three monitors appear to be working. I can press the "preview" button and see all the details of the logs being monitored, but no alerts are issued.

      Looking at the event log on the Test-VM I can see that the mirrored service account is logging in successfully. However, the main service account that we use for checking devices within the domain is ALSO attempting to log in to the Test-VM server (unsure if this is related, but I would think that as the monitor has been set to use the mirrored service account for authentication, the other service account should NOT be used).

      To make a long story short we need to be able to get the alerts going, and to stop the other service account from logging in to the Test-VM.

        • Re: Event Log Monitoring
          Fodome

          Hi Licensing,

          One thing to keep in mind is that the following 3 Monitors are not designed to fail.  They simply look for content and send you an Information Notification about it:

          • File Watching Monitor
          • Event Log Monitor
          • SNMP Trap Monitor

          In order to ensure that the Action notifies you if and when these Monitors match up on something, make sure the following check box is enabled within the Action in question:

          -Send Information Notifications

          If this does not help, try setting the Monitor to use "Default Content Generator" and see if you get a notification email stating "Found x of y"

          Let me know,

          Sincerely,

          Chris Foley - SolarWinds - Support Specialist
          Support:866.530.8040 |Direct:512.682.9385 |Fax:512.857.0125
          network management simplified  |  solarwinds.com

            • Re: Event Log Monitoring

              Hi Chris,

              I could not locate a checkbox marked "Send Information Notifications". Where would I find this?

              I tried the default content generator and indeed this does work. This would seem to imply that there is a problem with the Content Generator that I created. However, I use this same CG on a number of other servers without issue...

              Where to from here?

              Cheers,

              Grant

                • Re: Event Log Monitoring
                  Fodome

                  Grant,

                  For future reference, to check the "Send Information Notifications" check box:

                  1. Click the Configuration tab.
                  2. Click "Alert List"
                  3. Click the Alert in question.
                  4. Click the Email Action in question.
                  5. Scroll down to the bottom.  The last section should have the check box I have mentioned.

                  The fact that the email gets sent when "Default Content Generator" is used tells me that your Content Generator is putting something in the email that your mail filters don't like. That said, try creating a new Content Generator and only use the following tokens:

                  -%capture[category]%
                  -%capture[computername]%
                  -%capture[logfile]%
                  -%capture[sourcename]%
                  -%capture[timewritten]%

                  Then set the Event Log Monitor to use this new Content Generator and test it.  See if the email reaches its destination.

                  A different way to test this would be to reassign your current Content Generator to the Event Log Monitor and add a Text Log Action to the same Alert as your Email Action.  Then test and see if the content ends up in the text file.

                  Let me know the results of either or both.

                  Thanks,

                  Chris Foley - SolarWinds - Support Specialist
                  Support:866.530.8040 |Direct:512.682.9385 |Fax:512.857.0125
                  network management simplified  |  solarwinds.com
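As an added example (not from this thread and not SolarWinds code), the following PowerShell script reads the same Windows event log data through WMI's Win32_NTLogEvent class, which exposes properties named like the content-generator tokens Chris lists (Category, ComputerName, Logfile, SourceName, TimeWritten). It reproduces the three filters from the first post against the non-domain Test-VM using an explicit local credential, so you can compare what the monitor's preview shows with what the alert receives, and it then lists recent logon events on the Test-VM so you can see which accounts are actually authenticating from the ipMonitor server. The hostname TEST-VM, the account name svc_ipmonitor and the one-hour lookback are placeholders; the EventType codes and Win32_NTLogEvent property names are as documented by Microsoft, while the assumption that ipMonitor's tokens map one-to-one to those WMI properties is mine, based on the matching names.

```powershell
# Added example, not code from the thread or from SolarWinds.
# Placeholders: target host, mirrored local service account, lookback window.
$Target     = 'TEST-VM'                                   # placeholder: non-domain test server
$Credential = Get-Credential "$Target\svc_ipmonitor"      # placeholder: mirrored local account

# WQL compares datetime properties against DMTF-format strings.
$since = [System.Management.ManagementDateTimeConverter]::ToDmtfDateTime((Get-Date).AddHours(-1))

# Win32_NTLogEvent.EventType values (Microsoft-documented):
#   1 = Error, 2 = Warning, 3 = Information,
#   4 = Security Audit Success, 5 = Security Audit Failure
$checks = @(
    @{ Name = 'Security Event|Failure'; Filter = "Logfile='Security' AND EventType=5 AND TimeWritten>='$since'" },
    @{ Name = 'Security Event|Success'; Filter = "Logfile='Security' AND EventType=4 AND TimeWritten>='$since'" },
    @{ Name = 'System Event|Error';     Filter = "Logfile='System' AND EventType=1 AND TimeWritten>='$since'" }
)

foreach ($check in $checks) {
    # Same class and remote/credential path a WMI-based event log monitor would use.
    $events = @(Get-WmiObject -Class Win32_NTLogEvent -ComputerName $Target `
                              -Credential $Credential -Filter $check.Filter)
    "{0}: found {1} event(s) since {2}" -f $check.Name, $events.Count, $since

    # The properties that correspond to the %capture[...]% tokens in the thread
    # (assumed mapping); EventCode is what the thread calls the Event ID.
    $events | Select-Object -First 5 Category, ComputerName, Logfile, SourceName, TimeWritten, EventCode |
        Format-Table -AutoSize
}

# Which accounts are authenticating to the Test-VM? On Server 2008 the Security
# log records logons as Event ID 4624 (success) and 4625 (failure); the account
# and source workstation are in the message text.
Get-WmiObject -Class Win32_NTLogEvent -ComputerName $Target -Credential $Credential `
    -Filter "Logfile='Security' AND (EventCode=4624 OR EventCode=4625) AND TimeWritten>='$since'" |
    Select-Object -First 20 TimeWritten, EventCode, @{ n = 'Message'; e = { $_.Message -replace '\s+', ' ' } } |
    Format-Table -Wrap
```

If the first loop returns events but the alert e-mail never arrives, the monitor is seeing the data and the problem sits in the action or content generator, which is the same conclusion Chris draws from the "Default Content Generator" test. If the logon listing shows the domain service account alongside the mirrored one, check which credential each monitor and the device's discovery settings are configured with, since only the account actually used for the WMI connection should appear.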

                    • Re: Event Log Monitoring

                      Hi Chris,

                      I have created a content generator using the tokens you suggested. Emails successfully reached their destination for all 3 monitors (event logs, and both security logs).

                      I then reassigned the original CG, and added the text log action to the alert, as instructed. Viewing this log file, it can be seen that the content generator is outputting to the text log correctly.

                      Additionally, after making the changes described above the Event Log email notifications began to work with the current content generator. Email notifications for security alerts, however, still do not work with the current CG.