SiteScope User's Guide
NT Event Log Monitor
The NT Event Log Monitor watches one of the Windows NT Event Logs (System, Application, or Security) for added entries. This monitor is only available on the Windows NT version of SiteScope.
The Run Alerts setting control how alerts are triggered by this monitor. If for each event matched is chosen, then the monitor triggers alerts for every matching entry found. In this way, the monitor acts much like an event forwarder. If once, after all events have been checked is chosen, then the monitor counts up the number of matches and triggers alerts based the Error If and Warning If thresholds defined for the monitor.
The NT Event Log Monitor examines only log entries made after the time that the monitor is created. Each time the monitor runs thereafter, it examines only those entries added since the last time it ran. You can choose to filter out messages that aren't important by using the fields listed under Advanced Options to specify values that must appear in the event entry for the entry to match.
When setting up SiteScope alerts for NT Event Log Monitors that are set to alert "for each event matched", it is most useful to select the NTEventLog template for the e-mail, pager, SNMP, or script alert. This alert template sends the alert with the event entry fields broken out. The type of SiteScope alert triggered depends on the type of the log event entry:
| Event Log Entry Type | SiteScope Alert Type |
|---|
| Error | Error |
| Warning | Warning |
| Information | OK |
Each time the NT Event Log Monitor runs, it returns a reading and a status message and writes them in the ~SiteScope/logs/SiteScope.log file.
Status
The status for the NT Event Log Monitor includes the number of entries examined, and the number of entries matched. If an interval is specified, the number of events in that interval is also displayed. Matched entries and interval entries can trigger alerts.
Completing the NT Event Log Monitor Form
To display the NT Event Log Monitor form, either click the Edit link for an existing NT Event Log Monitor in a monitor table, or click the Add a new Monitor to this group link on a group's detail page and choose the Add NT Event Log Monitor link.
Complete the items on the NT Event Log Monitor form as follows. When the required items are complete, click the Add Monitor button.
- Server
- Choose the server that you want to monitor. The default is to monitor an event log on this server. Click the choose server link to
monitor an event log on another NT server.
- Log Name
- Choose either the Application, System, or Security Event Log.
- Event Type
- Choose the event type(s) - Error, Warning, and/or Information - that you are looking for.
- Run Alert
- Choose the method for running alerts. If for each event matched is chosen, then the monitor triggers alerts for every matching entry found. If once, for all events is chosen, then the monitor counts up the number of matches and triggers alerts based the Error If and Warning If thresholds defined for the monitor.
- Update every
- Enter how frequently the Event Log should be checked. The drop-down list to the right of the text box lets you specify time increments of seconds, minutes, hours, or days. You must specify a time increment of at least 15 seconds.
- Title (Optional)
- Enter a name for this monitor. This name appears in the Name text box on the monitor table when you open the group's detail page. If you don't enter a name, a default name will be created.
Advanced Options
The advanced options give you the ability to customize error and warning thresholds. If you choose not to set them, SiteScope will use preset defaults if available. If a default is not available, SiteScope will not be able to utilize the condition.
- Disable
- Check this box to temporarily disable this monitor and any associated alerts. To enable the monitor again, clear the box.
- Source and ID Match (Optional)
- Enter the match string identifying the source of the event and the event ID in the form: Event Source:Event ID. For example, enter Print:20 to match event source named Print and event ID of 20. To match against all events from a specific source, enter just the event source name (for example: W3SVC). To match an exact event ID from an event source, specify both (for example: Service Control Mar:7000). You can also use a regular expression for more complex matches.
- Source and ID NOT Match (Optional)
- Enter the match string identifying the source of the event NOT TO MATCH in the form: Event Source:Event ID. For example, enter Print:20 will ignore all events of Print source and event ID 20. To ignore all events from for a particular source specify just the source name: W3SVC). To ignore an exact event ID from an event source, specify both (for example: Service Control Mar:7000). You can also use a regular expression for more complex not matches. For example, to ignore all Perflib sources from 200 to 299 the following would be used: /Perflib:2\d\d/. To ignore all events from the Perflib source the following would be used: Perflib:*.
- Description Match (Optional)
- Enter the text string to match against the description text for the event entry. The description text is the same as the description that is displayed when viewing the detail of an event log entry in the NT Event Viewer. Regular expressions may also be used in this box.
- Description Not Match (Optional)
- Negative match against the description text for the event entry - that is, the NT Event Log Monitor will trigger an alert only if the text entered in this box does not appear in the event entry's description text. The description text can be viewed in the detail view of the event log entry via the NT Event Viewer. Regular expressions may also be used in this box.
- Event Category (Optional)
- Match the category number of the event entry.
- Event Machine (Optional)
- Match against the machine that added the entry to the log file.
- Interval (Optional)
- Enter an time period, in minutes, for which matching event log entries will be totaled. This is useful when the case you are interested in is a quantity of events happening in a given time period. For example, if you wanted to detect a succession of service failures, 3 in the last 5 minutes, you would specify 5 minutes for the interval, and then change the Error If threshold to matches in interval >= 3.
- Update every (on error) (optional)
- Enter the amount of time that SiteScope should wait between checks
when the status of the monitor is anything but ok. If you don't enter a
value here, the Update value from above is used. This setting allows you to have
SiteScope check more or less frequently than usual when the monitored item
is not reporting an ok status.
- Schedule (Optional)
- By default, SiteScope's monitors are enabled every day of the week.
You may, however, schedule your monitors to run only on certain days or
on a fixed schedule. Choose the Edit schedule
link to create or edit a monitor schedule. For information about
creating schedules, read
these instructions.
- Monitor Description (Optional)
- Enter additional information about this monitor. The Monitor Description can include HTML tags such as the <BR> <HR>, and <B> tags to control display format and style.
The description will appear on the Monitor Detail page.
- Report Description (Optional)
- Enter a description for this monitor that will make it easier to
understand what this monitor does. The description will appear
on Management Reports and on the info pop-up for a monitor.
- Depends On (Optional)
- To make the running of this monitor dependent on the status of another monitor or monitor group, use the drop-down list to select the monitor or group on which this monitor is dependent. Select None to remove any dependency.
- Depends Condition (Optional)
- If you choose to make the running of this monitor dependent on the status of another monitor, choose the status condition that the other monitor or monitor group should have in order for the current monitor to run normally. The current monitor will be run normally as long as the monitor or group on which it depends reports the condition selected in this option.
- List Order (Optional)
- By default, new monitors are listed last on the Monitor
Detail page. You may use this drop-down list to choose
a different placement for this monitor.
- Error if
- By default, the monitor is in error if there are any matched events. If you are using an interval, you can also use matches in interval. If the Run Alerts is set to for each event matched, then each entry can trigger an alert, and the Error If setting is ignored.
- Warning if
- By default, the monitor never in warning. You can use match count
to put the monitor warning for a given number of matches. If
you are using an interval, you can also use matches in interval. If the
Run Alerts is set to for each event matched, then each entry can trigger an alert, and the Warning If setting is ignored.
- Good if
- Enter the value that should indicate a good reading for this monitor.
By default, SiteScope assumes that the monitor is in a good status if
the error and warning conditions are not met.
Copyright © 2003 Mercury Interactive Corporation.
All rights reserved.
