
How to Alert Based on Text in Windows Event Log

What would be the best way to use SolarWinds to alert when a certain keyword shows up in the Windows Event Log?

Send Event Logs to Syslog somehow and alert on the Syslog message?  Is there a way to monitor the Event Log directly via WMI?  Other suggestions?  Thanks.

  • There is a Windows event log monitor template you can use.  I found it some time back in the APM monitor share archives.  It's a VBScript monitor.

    It counts the number of events matching the specs you give it... which can be an ID number, a string of text, and the number of minutes to look back.

  • Great - I will test this template.  Thank you.

  • Sending the Event Logs to the Orion syslog facility and setting up an alert to look for the keywords using regular expressions is working out well for us.  SolarWinds makes an Event Log forwarder and there are others out there as well.

    Also, as a bonus, having all of your Event Logs in a central repository can be nice for searching.
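The two approaches above (the template that counts events by ID, text and look-back minutes, and the syslog-plus-regex alert) both come down to the same evaluation: parse each forwarded event, keep the ones inside the look-back window, and match the message against a pattern. The following is an added example in Python written for this thread; it is not SolarWinds code, not the template from the monitor share, and the forwarded line layout (`EventLog: Log=... ID=... Msg=...`) is an assumption made for the example, as are the host name, event IDs and messages in the constructed sample.

```python
import re
from datetime import datetime, timedelta

# Constructed sample of forwarded Windows event-log lines. The layout is an
# assumption for this example, not the output format of any particular forwarder.
NOW = datetime(2010, 1, 20, 10, 30, 0)
SAMPLE_LINES = [
    "<13>Jan 20 09:58:11 WEBSRV01 EventLog: Log=Security ID=4625 Msg=An account failed to log on. Account Name: svc_backup",
    "<13>Jan 20 10:20:42 WEBSRV01 EventLog: Log=Security ID=4625 Msg=An account failed to log on. Account Name: svc_backup",
    "<13>Jan 20 10:21:07 WEBSRV01 EventLog: Log=Security ID=4625 Msg=An account failed to log on. Account Name: svc_backup",
    "<13>Jan 20 10:22:30 WEBSRV01 EventLog: Log=Security ID=4624 Msg=An account was successfully logged on. Account Name: jsmith",
    "<13>Jan 20 10:25:55 WEBSRV01 EventLog: Log=Application ID=1000 Msg=Faulting application name: w3wp.exe",
    "this line is not a forwarded event and is skipped by the parser",
]

# One regex for the assumed line layout: <PRI>timestamp host EventLog: Log=.. ID=.. Msg=..
LINE_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"EventLog: Log=(?P<log>\S+) ID=(?P<id>\d+) Msg=(?P<msg>.*)$"
)


def parse_line(line, year):
    """Return a dict for one forwarded event, or None if the line does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # Syslog timestamps carry no year, so the caller supplies it.
    ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
    return {
        "time": ts,
        "host": m.group("host"),
        "log": m.group("log"),
        "id": int(m.group("id")),
        "msg": m.group("msg"),
    }


def count_matching_events(lines, text_pattern, event_id=None,
                          lookback_minutes=15, now=None, year=None):
    """Return the events whose message matches text_pattern (case-insensitive regex),
    optionally restricted to one event ID, that fall within the last lookback_minutes.
    These are the same three inputs the thread's template takes: ID, text, minutes."""
    now = now or datetime.now()
    year = year or now.year
    cutoff = now - timedelta(minutes=lookback_minutes)
    pattern = re.compile(text_pattern, re.IGNORECASE)
    hits = []
    for line in lines:
        ev = parse_line(line, year)
        if ev is None:
            continue                       # not an event line; ignore it
        if ev["time"] < cutoff or ev["time"] > now:
            continue                       # outside the look-back window
        if event_id is not None and ev["id"] != event_id:
            continue                       # wrong event ID
        if not pattern.search(ev["msg"]):
            continue                       # keyword/regex not present
        hits.append(ev)
    return hits


def evaluate_alert(lines, text_pattern, threshold, **kwargs):
    """Fire when the number of matching events reaches threshold; report which hosts hit."""
    hits = count_matching_events(lines, text_pattern, **kwargs)
    return {
        "count": len(hits),
        "alert": len(hits) >= threshold,
        "hosts": sorted({h["host"] for h in hits}),
    }


if __name__ == "__main__":
    # Three failed logons for one account in the last 60 minutes, only two in the last 15.
    print(evaluate_alert(SAMPLE_LINES, r"failed to log on", threshold=3,
                         event_id=4625, lookback_minutes=15, now=NOW))
    print(evaluate_alert(SAMPLE_LINES, r"failed to log on", threshold=3,
                         event_id=4625, lookback_minutes=60, now=NOW))
```

The threshold and look-back window are what keep a keyword alert from paging on every single occurrence; tune them per event ID rather than globally, since a single application crash (ID 1000 above) usually warrants a different threshold than a burst of failed logons.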

  • I like byron's method and a bonus... it doesn't require APM :}

  • What's the event log forwarder to syslog called?  

  • The one produced by SolarWinds is called Log Forwarder for Windows.  If you log into your SolarWinds customer portal and select Additional Components on the left menu you should be able to find it.

    There is also a different open-source product called NTsyslog and you can find it at the link below.

    http://ntsyslog.sourceforge.net/

  • Also, I thought I would point out a nifty element that SolarWinds has available for your interface.  It summarizes all of the logs that your system has received and can be very useful for quickly identifying nodes that are generating large quantities of logs.

  • I also put another constantly maintained one in the content exchange:

    Eventlog to Syslog v4.1
    Release 4.1
    Last revised January 20, 2010


    This program is written in C and provides a method of sending Windows Eventlog events to a syslog server. It works with the new Windows Events service found in Vista and Server 2008 and can be compiled for both 32- and 64-bit environments. Both compiled binaries are here for download.  Designed to keep up with very busy servers, it is fast, light, and efficient. The program is designed to run as a Windows service.

    Changes in v4.0:
    § Added ability to ignore specific events
    § Added a status file for monitoring service operation
    § Added event’s timestamp to outgoing messages
    § Added compatibility with the Vista/Server 2008 Windows Events service
    § Added ability to send to two Syslog servers simultaneously
    § Fixed a possible memory exception with bad message definitions
    § Fixed a bug where utility would not search all message files
  • byron is right about the syslog summary resources available... mine is a little different and looks like this... I use it on a summary page I created with other summary type resources:

    You can click on any of the parts of the resource.