This article was updated to support v11.7.8 of Goliath Performance Monitor.
EventLog Watch rules use the Goliath Intelligent Agent to monitor the Windows Event Logs on your servers and workstations in real time and alert on specified conditions.
Configure the Monitoring
- To create a new monitoring condition, navigate to the Configure - Monitoring Rules page and click the New button.
- A selection pane will appear; select the radio button for EventLog Watch and click OK.
- The monitoring rule pane will now appear. At the top of the pane, name the Monitoring Rule in the Rule Name field and define its description and severity.
- If you would like to report on events or view them under the Views - Log Management page without actually alerting on them, set the severity to Normal so that the rule does not affect the heat-map displays.
- The first tab, EventLogWatch, is where you define the condition to be monitored.
- In the Log field, enter the name of the Event Log you would like to monitor. This field is required. Clicking the "…" button after the Log field lets you define a custom Event Log to monitor: a pop-up will appear; enter the full name of the event log and the full path to its .evtx file (see the event log's properties for this information).
- In the Event ID field, you can optionally specify an Event ID to monitor.
- In the Source field, you can optionally specify a log source to monitor.
- In the Type field, you can optionally specify a log type to monitor. If there are other optional parameters defined, then an empty or blank Event Log Type is ignored. If there are NOT any other optional parameters defined, then the "empty" Type is interpreted to mean "all" types, and every event for the given Event Log will cause an alert.
- In the User/Group field, you can optionally specify a username to monitor. You can specify more than one user or group by separating them with a comma. This field is not case sensitive. You can also enter an Active Directory Group Name so that any user who is a member of the group is considered a match; multiple Group Names are separated with a comma, and User and Group names can be mixed. Click the "…" button to the right of the field to access the Active Directory options.
- In the Description field, you can optionally specify one or more description substrings to monitor. Substrings separated by a comma are treated as a Boolean OR; substrings separated by a plus sign (+) are treated as a Boolean AND. You CANNOT mix commas and plus signs in the same field.
- The AND Params checkbox controls how the parameter fields are combined. When it is NOT checked, an alert is generated if any of the defined parameter fields match (Boolean OR). When it is checked, all of the defined parameter fields must match (Boolean AND).
- The Exclude checkbox, when checked, EXCLUDES any event matching the criteria defined by the parameter fields above, so that no alert condition occurs for it.
- The All Except checkbox, when checked, causes all events EXCEPT those matching the criteria defined by the parameter fields above to raise an alert condition.
- The Not RecvdIn __ Minutes checkbox, when checked, generates an alert when no event matching the specified criteria is received within the specified number of minutes. Any event that matches the criteria resets the timer.
- The Precedence field specifies how this rule is handled if the received Event Log event satisfies the criteria of multiple Monitoring Rules. A higher-precedence (1 is higher than 2, etc.) trumps Monitoring Rules with a lower precedence.
- In the Selections Tree, select the machines that you want to monitor with this rule.
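The matching semantics of the parameter fields above (required Log, optional Event ID / Source / Type / User / Description, comma-OR versus plus-AND substrings, the AND Params and All Except checkboxes, and the special handling of an empty Type) are easy to misread when building a rule. The following is an added example, not code from Goliath or this article, that models those semantics in Python so you can check what a given rule would alert on against constructed sample events. The `Event` record shape, the `EventLogWatchRule` field names, case-insensitive comparison, and the omission of Active Directory group expansion and the Exclude checkbox (whose interaction with other rules the article does not specify) are all assumptions of the example.

```python
from dataclasses import dataclass
from typing import List, Optional

# Constructed event shape for the example; field names are assumptions,
# not the agent's real record format.
@dataclass
class Event:
    log: str
    event_id: int
    source: str
    type: str          # "Error", "Warning", "Information", ...
    user: str
    description: str

@dataclass
class EventLogWatchRule:
    """Models the EventLogWatch tab: Log is required, the rest are optional."""
    log: str
    event_id: Optional[int] = None
    source: Optional[str] = None
    type: Optional[str] = None
    users: Optional[str] = None        # comma-separated users (AD groups not modelled)
    description: Optional[str] = None  # comma = OR, plus sign = AND, never both
    and_params: bool = False           # unchecked: any field matches; checked: all must
    all_except: bool = False           # checked: alert on every event that does NOT match

    def _description_matches(self, text: str) -> bool:
        spec = self.description or ""
        if "," in spec and "+" in spec:
            raise ValueError("Description substrings cannot mix ',' (OR) and '+' (AND)")
        hay = text.lower()  # case-insensitive comparison is an assumption
        if "+" in spec:
            return all(s.strip().lower() in hay for s in spec.split("+") if s.strip())
        return any(s.strip().lower() in hay for s in spec.split(",") if s.strip())

    def _param_results(self, ev: Event) -> List[bool]:
        results: List[bool] = []
        if self.event_id is not None:
            results.append(ev.event_id == self.event_id)
        if self.source:
            results.append(ev.source.lower() == self.source.lower())
        if self.users:
            wanted = {u.strip().lower() for u in self.users.split(",") if u.strip()}
            results.append(ev.user.lower() in wanted)
        if self.description:
            results.append(self._description_matches(ev.description))
        # Type semantics from the article: an empty Type is ignored when other
        # optional parameters are defined; with no other parameters it means
        # "all types", so every event in the log matches.
        if self.type:
            results.append(ev.type.lower() == self.type.lower())
        elif not results:
            results.append(True)
        return results

    def criteria_match(self, ev: Event) -> bool:
        results = self._param_results(ev)
        return all(results) if self.and_params else any(results)

    def alerts(self, ev: Event) -> bool:
        if ev.log.lower() != self.log.lower():
            return False  # events from other logs are never in scope
        matched = self.criteria_match(ev)
        return (not matched) if self.all_except else matched

# Constructed sample events (not real log data).
SAMPLE_EVENTS = [
    Event("Security", 4625, "Microsoft-Windows-Security-Auditing", "Information",
          "CORP\\alice", "An account failed to log on. Failure Reason: Unknown user name or bad password."),
    Event("Security", 4624, "Microsoft-Windows-Security-Auditing", "Information",
          "CORP\\alice", "An account was successfully logged on."),
    Event("Application", 1000, "Application Error", "Error",
          "SYSTEM", "Faulting application name: svc.exe"),
]

def alerting_ids(rule: EventLogWatchRule, events: List[Event]) -> List[int]:
    """Return the Event IDs of the sample events this rule would alert on."""
    return [ev.event_id for ev in events if rule.alerts(ev)]

if __name__ == "__main__":
    and_rule = EventLogWatchRule(log="Security", description="failed to log on+bad password")
    print(alerting_ids(and_rule, SAMPLE_EVENTS))   # [4625]
```

Two behaviours worth checking with it before deploying a rule: a rule with only the Log field set alerts on every event in that log, and an Event ID combined with a User/Group entry is an OR unless AND Params is checked, so the same rule can be far noisier than intended.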
Configure the Schedule
In this tab you define how often you would like the alerts to trigger.
Required Options (one of the below must be selected):
- Alert Every Time checkbox: when this option is selected, you will receive an alert every time the specified condition is met.
- Minimal Notification Interval: when selected, it defines the minimal interval that must elapse between events for this alert before another alert is generated. For example, if the interval is 15 minutes and the condition is being met, you will receive 1 alert every 15 minutes instead of being alerted at each occurrence. However, each alert occurrence is considered unique based on its details. For example, an Event Log alert is considered the same when it has the same Event Type and ID from the same server/workstation.
Additional Options:
- When Any Single Event Occurs ____ Times In _____ Seconds: this field acts as an additional filter so that an alert condition exists only after a specific event occurs the defined number of times within the specified time frame.
  - Each event that matches the criteria is treated discretely when counting. For example, if a rule monitors for multiple events, an event with ID 500 is counted separately from ID 501, even though both match the rule.
  - If the 'Combine All' checkbox is checked, matching events are not treated discretely and are combined together when counting.
  - The 'Include Description' checkbox, when checked, causes the Event Description to be included in the set of parameters that are checked to decide whether two events are the same; if unchecked, the Event Description is not included in the check.
  - When the Log Only When Criteria Met checkbox is checked, the Event is written to the database; otherwise the Event is filtered and not written to the data
- Active Only if Server 'Owns' ... This Cluster Group: this option is for monitoring machines that are part of a cluster. If the checkbox is checked, the rule is active and will alert only if the server is a member of a cluster, 'owns' the specified Cluster Group, and the specified Cluster Group is 'Online'.
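The Schedule tab options interact: the "N times in T seconds" filter decides when a matching event is allowed through at all, Combine All and Include Description change what is counted as "the same event", and the Minimal Notification Interval then suppresses repeat alerts for the same Event Type and ID from the same machine. The following is an added example, not Goliath's code or part of this article, that simulates those options in Python over a constructed burst of events so the effect of each checkbox can be seen. The `MatchedEvent` shape, a sliding counting window, per-host counting when Combine All is checked, and the `AlertSchedule` names are assumptions of the example.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Deque, Dict, List, Optional, Tuple

# Constructed shape for an event that already matched a rule's EventLogWatch
# criteria; field names are assumptions for this example.
@dataclass(frozen=True)
class MatchedEvent:
    ts: float          # seconds since epoch
    host: str
    event_type: str
    event_id: int
    description: str

class AlertSchedule:
    """Models the Schedule tab: the N-times-in-T-seconds filter, Combine All,
    Include Description and the Minimal Notification Interval."""

    def __init__(self, times: Optional[int] = None, seconds: float = 0,
                 combine_all: bool = False, include_description: bool = False,
                 min_interval_s: Optional[float] = None):
        self.times = times
        self.seconds = seconds
        self.combine_all = combine_all
        self.include_description = include_description
        self.min_interval_s = min_interval_s      # None models "Alert Every Time"
        self._windows: Dict[Tuple, Deque[float]] = defaultdict(deque)
        self._last_alert: Dict[Tuple, float] = {}

    def _count_key(self, ev: MatchedEvent) -> Tuple:
        # Discrete counting: ID 500 and ID 501 are counted separately unless
        # Combine All is checked. Counting per host is an assumption.
        key: Tuple = (ev.host,) if self.combine_all else (ev.host, ev.event_type, ev.event_id)
        if self.include_description:
            key += (ev.description,)
        return key

    def _alert_key(self, ev: MatchedEvent) -> Tuple:
        # Article: an alert is "the same" when it has the same Event Type and
        # ID from the same server/workstation.
        return (ev.host, ev.event_type, ev.event_id)

    def process(self, ev: MatchedEvent) -> bool:
        """Return True if this event should produce an alert now."""
        if self.times:
            window = self._windows[self._count_key(ev)]
            window.append(ev.ts)
            while window and ev.ts - window[0] > self.seconds:   # sliding window (assumption)
                window.popleft()
            if len(window) < self.times:
                return False
        if self.min_interval_s is not None:
            key = self._alert_key(ev)
            last = self._last_alert.get(key)
            if last is not None and ev.ts - last < self.min_interval_s:
                return False          # inside the interval: suppressed
            self._last_alert[key] = ev.ts
        return True

def alert_times(schedule: AlertSchedule, events: List[MatchedEvent]) -> List[float]:
    """Feed events in order and return the timestamps that produced an alert."""
    return [ev.ts for ev in events if schedule.process(ev)]

# Constructed burst on one host: four failed logons (4625) and one success (4624).
BURST = [
    MatchedEvent(0,  "SRV01", "Information", 4625, "An account failed to log on."),
    MatchedEvent(10, "SRV01", "Information", 4625, "An account failed to log on."),
    MatchedEvent(20, "SRV01", "Information", 4625, "An account failed to log on."),
    MatchedEvent(25, "SRV01", "Information", 4624, "An account was successfully logged on."),
    MatchedEvent(30, "SRV01", "Information", 4625, "An account failed to log on."),
    MatchedEvent(40, "SRV01", "Information", 4625, "An account failed to log on."),
]

if __name__ == "__main__":
    s = AlertSchedule(times=3, seconds=60, min_interval_s=300)
    print(alert_times(s, BURST))   # [20]
```

With discrete counting the single 4624 never reaches the threshold, so the burst yields one alert at the third 4625; with Combine All checked the 4624 is the fourth event in the shared count and produces its own alert, because the notification interval is tracked per Event Type and ID and that pair has not alerted yet.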
Additional Configuration
For additional configuration options, please see the following articles: