8 Replies Latest reply on Jul 6, 2015 10:43 AM by macka001

    Custom Windows Event Log monitoring

    Jonathan Angliss

      Hi All,

       

      I'm sure I've missed something fundamentally obvious, but I can't seem to track it down either via documentation, Thwack searches, or just poking around in the UI.

       

      Our developers use custom event logs on our Windows servers, resulting in an application log for each service, or type of service.  These event logs are all handled by the Windows Event Log service, and are stashed in the same place the Windows Event Log stores its own logs.  The problem I'm having is trying to find out how to get LEM to return the logs for those custom log files.

       

      I had assumed it was a connector I'd have to create, but under the Category of "Operating System" there are several Windows related logs which are created by default (System, Security, and Application).  If I try to create a new one, it will not let me change the log name, so I cannot get it to look at one of these custom logs.

       

      What am I missing? Or am I looking at this entirely wrong?

       

      Thanks

        • Re: Custom Windows Event Log monitoring
          Sohail Bhamani

          Hi,

           

          Unfortunately, creation of custom connectors/tools is not currently supported by LEM.  Being that this is a custom log, I am not sure SW support would be able to create a connector for us as they normally do.  If this was more of a standard type of event log entry, you could create a ticket for SW support to add support for this.  They would then add support if they can and then release a connector/tool update.  Seeing as this is a custom log, I am unsure of what they would do.  It wouldn't hurt to open a ticket though.

           

          Sohail Bhamani

          Loop1 Systems

          http://www.loop1systems.com

            • Re: Custom Windows Event Log monitoring
              Jonathan Angliss

              Unfortunately, creation of custom connectors/tools is not currently supported by LEM.  Being that this is a custom log, I am not sure SW support would be able to create a connector for us as they normally do.

               

              The only thing custom about it is the name and the filename. It's still handled by the Windows Event Log service.  You write to it using standard Windows APIs, you can read it using standard Windows APIs... Even PowerShell can get the contents of it using Get-EventLog and giving it the name of the event log.  So for all intents and purposes, it is a Windows Event Log.  It'd bother me seriously if you could not access a custom Event Log; we're not the only people to use our own event logs (even Microsoft has an extensive collection of them in Windows Vista and higher).

                • Re: Custom Windows Event Log monitoring
                  Sohail Bhamani

                  You are definitely not the only one who needs this functionality.  The basis of LEM is being able to normalize logs into the LEM format for insertion into the Vertica database it uses internally.  As it stands currently, they only support a static list of log files.  This list is pretty huge, but they do not currently provide any way to normalize any custom logs.

                   

                  http://www.solarwinds.com/log-event-manager/log-data-sources.aspx

                   

                  I would definitely open a ticket on this and worst case, a feature request to support logs that are not on the list I linked.

                   

                  Sohail Bhamani
                  Loop1 Systems

                  http://www.loop1systems.com

                    • Re: Custom Windows Event Log monitoring
                      nicole pauls

                      It's really the parsing of the data that we're doing - you're right that the access to the logs is relatively trivial. What we do is look at the log messages and assign them to appropriate categories and fields. That's why a "connector" is required. We just don't yet have a way for customers to build their own integrations. I think there's even an Ideas post on that.

                      • Re: Custom Windows Event Log monitoring
                        Jonathan Angliss

                        As it stands currently, they only support a static list of log files.

                         

                        Okay, so this is my rub on this... If we change the code to send to the Windows Event Log Application log, instead of the custom Event Log, LEM would be able to see the entries fine, right?  It is not a custom log format, it is not a custom layout, it is an event log.  The only thing custom is the data portion, which would be custom if we dumped it into the standard Application log.  Or are you also suggesting that LEM couldn't monitor/normalize for custom entries in the Application log too?

                         

                        I appreciate your input, I'll open a support ticket, and see if they have a feature request open on a similar request, and put my name on the list too.

                          • Re: Custom Windows Event Log monitoring
                            Sohail Bhamani

                            Yes, this should work.  If your Event Viewer entries are "standard" then it should have no trouble picking up and normalizing those "custom" events in the Application event log.  You are lucky that you can switch the log files to populate in one of the standard event log locations.

                             

                            Sohail Bhamani

                            Loop1 Systems

                            http://www.loop1systems.com

                            • Re: Custom Windows Event Log monitoring
                              nicole pauls

                              Jonathan Angliss wrote:

                               

                              As it stands currently, they only support a static list of log files.

                               

                              Okay, so this is my rub on this... If we change the code to send to the Windows Event Log Application log, instead of the custom Event Log, LEM would be able to see the entries fine, right?  It is not a custom log format, it is not a custom layout, it is an event log.  The only thing custom is the data portion, which would be custom if we dumped it into the standard Application log.  Or are you also suggesting that LEM couldn't monitor/normalize for custom entries in the Application log too?

                               

                              I appreciate your input, I'll open a support ticket, and see if they have a feature request open on a similar request, and put my name on the list too.

                               

                              Yes, they will come in, but they will be somewhat generic - which might be enough - and this is only true of 'Error' and 'Warning' events (unless you're reusing Event IDs for other types of events).
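The following is an added example, not code posted by anyone in this thread. It illustrates two points made above: Jonathan Angliss's observation that a custom event log is written and read with the same Windows APIs as System or Application (Get-EventLog just needs the log name), and the workaround discussed in the last few replies of pointing the application at the Application log instead, where a generic consumer sees only the Error and Warning entries. The log name "MyServiceLog" and the source names "MyService" and "MyServiceApp" are placeholders chosen for this example, and the messages written are constructed sample data. It assumes an elevated Windows PowerShell 5.1 session: New-EventLog, Write-EventLog and Get-EventLog are Windows PowerShell cmdlets that are not present in PowerShell 7, whereas Get-WinEvent works in both.

```powershell
# Added example (not from the thread). Run in an elevated Windows PowerShell 5.1
# session: creating a log or registering a source requires administrator rights.
# Names below are placeholders chosen for this example.

$customLog    = 'MyServiceLog'   # the developers' own log, e.g. one per service
$customSource = 'MyService'      # an event source can be registered to only ONE log
$appSource    = 'MyServiceApp'   # a second source name, registered under Application

# 1. Create the custom log and register a source for it (idempotent).
if (-not [System.Diagnostics.EventLog]::SourceExists($customSource)) {
    New-EventLog -LogName $customLog -Source $customSource
}

# 2. Write to it with the ordinary event log API ...
Write-EventLog -LogName $customLog -Source $customSource -EventId 1001 `
    -EntryType Error       -Message 'Order service: database connection refused'
Write-EventLog -LogName $customLog -Source $customSource -EventId 1002 `
    -EntryType Warning     -Message 'Order service: retry queue above threshold'
Write-EventLog -LogName $customLog -Source $customSource -EventId 1000 `
    -EntryType Information -Message 'Order service: started'

# 3. ... and read it back exactly as you would System or Application, by name.
Get-EventLog -LogName $customLog -Newest 3 |
    Format-Table TimeGenerated, EntryType, EventID, Source, Message -AutoSize

# The same query through the newer API (this one also works in PowerShell 7).
# For a classic source, ProviderName is the source name.
Get-WinEvent -FilterHashtable @{ LogName = $customLog; ProviderName = $customSource } -MaxEvents 3 |
    Format-Table TimeCreated, LevelDisplayName, Id, Message -AutoSize

# 4. The workaround from the thread: send the same events to the Application log.
#    Only the target log changes; the writer code is otherwise identical. A new
#    source name is needed because $customSource is already bound to $customLog.
if (-not [System.Diagnostics.EventLog]::SourceExists($appSource)) {
    New-EventLog -LogName 'Application' -Source $appSource
}
Write-EventLog -LogName 'Application' -Source $appSource -EventId 1001 `
    -EntryType Error       -Message 'Order service: database connection refused'
Write-EventLog -LogName 'Application' -Source $appSource -EventId 1002 `
    -EntryType Warning     -Message 'Order service: retry queue above threshold'
Write-EventLog -LogName 'Application' -Source $appSource -EventId 1000 `
    -EntryType Information -Message 'Order service: started'

# 5. Check what a generic Application-log consumer that only keys on severity
#    would pick up: Error (Level 2) and Warning (Level 3). The Information event
#    (Level 4) written above is deliberately excluded by this filter.
Get-WinEvent -FilterHashtable @{ LogName = 'Application'; ProviderName = $appSource; Level = 2, 3 } |
    Select-Object TimeCreated, LevelDisplayName, Id, Message

# Optional cleanup: remove the custom log (and its source) and the Application source.
# Remove-EventLog -LogName $customLog
# Remove-EventLog -Source $appSource
```

Two practical checks when trying this on a real server: confirm with Get-WinEvent -ListLog that the custom log actually exists on the host (it is only created once a source has been registered against it), and remember that the Level filter in step 5 says nothing about how a product categorizes the events; it only shows which entries are even in scope when a consumer looks at severity alone.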

                      • Re: Custom Windows Event Log monitoring
                        macka001

                        Hi,

                         

                        I have the same issue, did anyone ever get this resolved?