There are a couple of approaches. One way is to determine the type of event - in this case a "service stop" - and build a rule for that. You could also make your rule specific to an Event ID or server (or group of servers, etc.) beyond that, but this way, if there were new Event IDs or service-specific logs that ALSO indicated a service stop, you'd see them. That rule would look like:
(just drag over the ServiceStop event type from your list of events)
To make it specific to a server, you could do:
ServiceStop.InsertionIP = <server name>
(drag over InsertionIP on the ServiceStop event type from your list of events)
Then add a "send e-mail" action to the list of actions.
This is also a better idea because generic rules can bog down your system by having to examine EVERY event type that comes through. It's still possible, but not the best long term solution.
If you don't know what type of event something is, you could build a filter for the event ID in Monitor, which is a super easy thing to do and has nowhere near as much impact. Something like:
Any Event.ProviderSID = *event ID*
Then triggering a sample event would make it show up in your filter. Seeing an example makes it way easier to build a rule.
If you've had it happen before, you could also use search to find that event ID in your history, and see what an example looks like, too.
Lastly, if you have a specific thing you want to look for and you have an example event, we can help point you in the right direction here, too, with more info.
Thanks for the info.
This is what I want to do. I need to monitor failed scheduled tasks in the Microsoft-Windows-TaskScheduler/Operational log on 2 servers.
For every error event found (101, 311 and 202), an email alert will be sent.
I just accomplished this using SW log event forwarder and SW syslog but I want to try it using LEM.
I can't figure out where to start in rule creation.
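Following the earlier advice to find example events in history before building the rule, here is an added PowerShell script (not from either poster, and not a LEM rule) that pulls the 101, 311 and 202 events from the Microsoft-Windows-TaskScheduler/Operational log on two servers so they can be inspected, with an optional e-mail step. Server names and SMTP settings are placeholders; treating the first insertion string as the task name is an assumption.

```powershell
# Added example: collect sample failed-task events from two servers so the
# event IDs 101, 311 and 202 can be examined before building the LEM rule.
# Server names and SMTP settings are placeholders.

$servers  = @('SERVER01', 'SERVER02')   # placeholder server names
$eventIds = @(101, 311, 202)             # the error IDs from the question
$since    = (Get-Date).AddHours(-24)

$filter = @{
    LogName   = 'Microsoft-Windows-TaskScheduler/Operational'
    Id        = $eventIds
    StartTime = $since
}

$results = foreach ($server in $servers) {
    try {
        Get-WinEvent -ComputerName $server -FilterHashtable $filter -ErrorAction Stop |
            ForEach-Object {
                # Assumption: the first insertion string is the task name; fall back
                # to the full message if the provider template differs.
                $task = if ($_.Properties.Count -gt 0) { $_.Properties[0].Value } else { $_.Message }
                [pscustomobject]@{
                    Server  = $server
                    Time    = $_.TimeCreated
                    EventId = $_.Id
                    Task    = $task
                    Message = $_.Message
                }
            }
    }
    catch {
        # Get-WinEvent throws when nothing matches; that is not a failure here.
        if ($_.Exception.Message -notmatch 'No events were found') { throw }
    }
}

if ($results) {
    # Print a summary table; the Message column holds the full text for rule building.
    $results | Sort-Object Time | Format-Table Server, Time, EventId, Task -AutoSize
    # Optional e-mail, mirroring the "send e-mail" action suggested above (placeholder SMTP).
    $body = $results | Sort-Object Time | Format-List Server, Time, EventId, Task, Message | Out-String
    Send-MailMessage -To 'ops@example.invalid' -From 'taskmon@example.invalid' `
        -Subject "Failed scheduled tasks ($($results.Count)) on $($servers -join ', ')" `
        -Body $body -SmtpServer 'smtp.example.invalid'
}
else {
    'No matching events in the last 24 hours.'
}
```

Run it from a host with remote event log access to both servers; the printed Message text shows the fields (task name, result code) you would then match on in the LEM rule.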