Documentation for Server & Application Monitor

Windows Event Log Monitors

As described in Work with component monitors, SAM includes several "component monitor types" that use various methods to focus on elements such as services, logs, or processes. Windows Event Log Monitors are component monitors that scan Windows Event Logs for recent events that match your defined criteria. An event counts as "recent" when its age falls inside a search window derived from the application polling frequency (see Number of past polling intervals to search for events, below). If a matching event is found, the component monitor changes status.

One example of a Windows Event Log Monitor is the Events: Failed Replication component monitor in the Active Directory 2016 Services and Counters template that tracks how many times replication failed on a target node. For another example, see this Success Center article: Create Windows Event Logs to monitor Failover events.

Note the following details that apply to most component monitors categorized as Windows Event Log Monitors:

  • Because only events inside the search window count, a Windows Event Log Monitor returns to its previous status once the matching events age out of that window. You may therefore never see the transition unless you create an alert that notifies you (for example, by email) when the component goes down.
  • When polling via DCOM/RPC, this component monitor uses the following ports: TCP/135 (RPC endpoint mapper); RPC/named pipes (NP) TCP 139; RPC/NP TCP 445; RPC/NP UDP 137; and RPC/NP UDP 138. TCP/135 only locates the service; DCOM then continues on a dynamically assigned port on the target node, so a firewall between the Orion server and the node must also allow that dynamic range (or the node must be configured with a fixed DCOM port range). When polling via WinRM, the WinRM listener port is used instead (by default TCP/5985 for HTTP and TCP/5986 for HTTPS).

If you create a custom Windows Event Log Monitor in the Component Monitor Wizard, you'll be prompted to provide several values, as described next.

Field descriptions

Statistic

The number of recent events that match your defined criteria.

Description

A default description of the monitor, which you can add to or replace. The variable to access this field is ${UserDescription}.

Enable Component

Determines if the component is enabled. Disabling the component leaves it in the application in a deactivated state that doesn't influence either SolarWinds SAM application availability or status.

Credential for Monitoring

Select a Windows credential that has access to the Windows event logs on the target node. This is typically a Windows administrator-level credential, but administrator rights are not strictly required: membership in the built-in Event Log Readers group grants read access to the logs, and a non-administrator account polling over DCOM/WMI additionally needs remote DCOM launch/activation rights and read permission on the WMI namespace. Because this credential is stored in SAM and can read every log on the node (including the Security log), grant it the minimum access the monitor needs. Click a credential in the list, or use the <Inherit credential from node> option. If the credential you need is not in the credentials list, add it in the Credentials Library. See Understand the Credentials Library for details.

Fetching Method

Configure the method used to gather data:

WinRM Authentication Mechanism

If the SAM WinRM toggle is enabled for application polling on the Orion server and target nodes, select an authentication method for the connection. The default setting is Negotiate.

  • Default: Lets the WinRM client choose the authentication mechanism rather than fixing one. This option does not select the transport; whether WS-Management requests travel over HTTP or HTTPS is configured separately on the WinRM listener.
  • Digest: User name and password are required. The client sends a request with authentication data to an authenticating server, usually a domain controller. If the client is authenticated, then the server receives a Digest session key to authenticate subsequent requests from the client.
  • Negotiate: The client sends a request to the server to determine the protocol to use for Simple and Protected Negotiation (SPNEGO) authentication, which can be either:
    • Kerberos for domain accounts, or
    • NTLM for local computer accounts
  • Basic: User name and password are required, as sent via HTTP or HTTPS in a domain or workgroup. Basic authentication only encodes the credential (it does not encrypt it), so use it only over HTTPS. With its default settings (AllowUnencrypted = false on both client and service), WinRM refuses Basic authentication over plain HTTP.
  • Kerberos: User name and password are required for mutual authentication between the client and server, using encrypted keys. The client account must be a domain account in the same domain as the server. When a client uses default credentials, Kerberos is the authentication method if the connection string is not one of the following: localhost, 127.0.0.1, or [::1].
  • NtlmDomain: User name and password are required for NTLM authentication. The client proves its identity by sending a user name, password, and domain name. NTLM is weaker than Kerberos (no mutual authentication, and susceptible to relay attacks), so prefer Kerberos or Negotiate for domain accounts and reserve NTLM for local accounts or targets addressed by IP.
  • CredSSP: User name and password are optional. The Credential Security Support Provider (CredSSP) lets an application delegate the user credentials from the client to the target server for remote authentication. The client is authenticated over the encrypted channel by using the SPNEGO protocol with either Kerberos or NTLM. Because CredSSP hands the full credential to the target node, a compromised node can reuse it elsewhere; enable this option only when the monitor genuinely needs to authenticate onward from the target (the "double hop" case).

    Portions excerpted from the WinRM Glossary (© 2020, Microsoft Corp., available at docs.microsoft.com, obtained on March 13, 2020).

Log to Monitor

Select Any Log to match events found in any log or select a specific log to restrict your search. If the log you want is not listed, select Custom.

Custom Log to Monitor

Enter the log names as they appear in the Windows event log viewer. Separate multiple log names with commas. Example: Internet Explorer, SolarWinds.net.

Match Definition

Select Any error in log generates a match if matching every error-level event in the selected log is sufficient for your needs, or select Custom to restrict the match criteria further using the fields that follow.

Log Source

Enter a log source to further restrict the match criteria or leave the field blank to match all possible log sources.

Event ID

Select the desired option to further restrict the match criteria for event IDs or leave the field blank to find all possible event IDs:

  • Find all IDs – match all event IDs
  • Match only specific IDs – match all event IDs listed (separate multiple IDs with commas)

    When you use multiple event IDs separated by commas, the logic used to combine these event IDs is “OR,” so all events that contain one of the event IDs listed are matched.

  • Exclude specific IDs – exclude all event IDs listed (separate multiple IDs with commas)

Event Type

Select Any Event to match any event type in the log, or select a specific event type to further restrict the match criteria.

User who generated Events

Enter a user name to further restrict the match criteria. Leave this field blank to match any users. Enter "N/A" to select only events with no specific user.

Include events

Select With Keywords Below to specify keywords or phrases as the match criteria. Select Matching Regular Expression Below to specify regular expressions that match text that appears in the events.

This string field is case sensitive. To learn about regular expressions syntax, see .NET Regular Expressions (© 2019 Microsoft Corp., available at http://docs.microsoft.com, obtained on March 29, 2019).

Exclude events

Select With Keywords Below to specify keywords or phrases as the match criteria. Select Matching Regular Expression Below to specify regular expressions that match text that appears in the events.

This string field is case sensitive. To learn more about regular expressions syntax, see .NET Regular Expressions.

Number of past polling intervals to search for events

Enter the number of polling intervals worth of time you want to search the event logs. For example, to always search the past 20 minutes of event logs, you could set the application polling interval to five minutes and then set the Number of Past Polling Intervals to four (4 x 5mins = 20mins). Fractional values are valid.

Collect Detailed Data of Matched Events

Message and other details of matched events will be available for viewing and alerting when enabled.

If a match is found in a polling period, component is

Select whether a found match should set the component status to Up or Down. Alternatively, let the matched events decide the status with the Based on Event Types or Based on Event Count options:

  • Based on Event Types - With this option, the result status of the component monitor will never be down for a successful poll:
    • Critical - When there is at least one event with a severity of Error or FailureAudit.
    • Warning - When there is at least one event with a severity of Warning.
    • Up - When all matched events are either Informational or SuccessAudit.
  • Based on Event Count - With this option, the status of the component monitor will never be down for a successful poll and the thresholds for the returned value will be applied against the number of matched events.
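To make the match rules (Log to Monitor through Exclude events and the polling-interval window) and the three status options above concrete, here is an added example that is not SAM code and not from SolarWinds: a small Python model that applies those rules to a handful of constructed sample events and returns the statistic and status the page describes. The Event and MonitorConfig classes, their field names, and the assumption that count thresholds use a Greater than operator are mine; the sample events and their messages are constructed, although the event IDs are the well-known Windows ones.

```python
import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional, Set, Tuple

# Simplified model of the monitor's fields (assumed names, not SAM's own).


@dataclass
class Event:
    log: str
    source: str
    event_id: int
    event_type: str           # Error, Warning, Information, SuccessAudit, FailureAudit
    user: Optional[str]       # None models an event with no specific user
    message: str
    time: datetime


@dataclass
class MonitorConfig:
    logs: Optional[Set[str]] = None         # None = Any Log
    source: str = ""                        # "" = match all sources
    id_mode: str = "all"                    # all | include | exclude
    ids: Set[int] = field(default_factory=set)
    event_type: Optional[str] = None        # None = Any Event
    user: str = ""                          # "" = any user, "N/A" = no specific user
    include: str = ""                       # keyword/phrase or regex; "" = no filter
    include_is_regex: bool = False
    exclude: str = ""
    exclude_is_regex: bool = False
    polling_interval: timedelta = timedelta(minutes=5)
    past_intervals: float = 1.0             # fractional values are allowed
    status_mode: str = "Down"               # Up | Down | EventTypes | EventCount
    warning: Optional[int] = None           # count thresholds, assumed "Greater than"
    critical: Optional[int] = None


def text_matches(pattern: str, text: str, is_regex: bool) -> bool:
    """Case-sensitive keyword or regular-expression test, as the page notes."""
    return bool(re.search(pattern, text)) if is_regex else pattern in text


def in_window(event: Event, cfg: MonitorConfig, now: datetime) -> bool:
    """Window = polling interval x number of past polling intervals."""
    return event.time >= now - cfg.polling_interval * cfg.past_intervals


def matches(event: Event, cfg: MonitorConfig, now: datetime) -> bool:
    if not in_window(event, cfg, now):
        return False
    if cfg.logs is not None and event.log not in cfg.logs:
        return False
    if cfg.source and event.source != cfg.source:
        return False
    if cfg.id_mode == "include" and event.event_id not in cfg.ids:  # OR over listed IDs
        return False
    if cfg.id_mode == "exclude" and event.event_id in cfg.ids:
        return False
    if cfg.event_type and event.event_type != cfg.event_type:
        return False
    if cfg.user == "N/A":
        if event.user is not None:
            return False
    elif cfg.user and event.user != cfg.user:
        return False
    if cfg.include and not text_matches(cfg.include, event.message, cfg.include_is_regex):
        return False
    if cfg.exclude and text_matches(cfg.exclude, event.message, cfg.exclude_is_regex):
        return False
    return True


def evaluate(events: List[Event], cfg: MonitorConfig, now: datetime) -> Tuple[int, str]:
    """Return (statistic, status) following the page's status options."""
    matched = [e for e in events if matches(e, cfg, now)]
    count = len(matched)
    if cfg.status_mode in ("Up", "Down"):
        other = "Down" if cfg.status_mode == "Up" else "Up"
        return count, (cfg.status_mode if count else other)
    if cfg.status_mode == "EventTypes":          # never Down for a successful poll
        types = {e.event_type for e in matched}
        if types & {"Error", "FailureAudit"}:
            return count, "Critical"
        if "Warning" in types:
            return count, "Warning"
        return count, "Up"
    if cfg.status_mode == "EventCount":          # thresholds applied to the count
        if cfg.critical is not None and count > cfg.critical:
            return count, "Critical"
        if cfg.warning is not None and count > cfg.warning:
            return count, "Warning"
        return count, "Up"
    raise ValueError(f"unknown status mode {cfg.status_mode}")


# Constructed sample events (not real log data); NOW is the poll time.
NOW = datetime(2020, 3, 13, 12, 0, 0)
SAMPLE_EVENTS = [
    Event("Directory Service", "NTDS Replication", 1925, "Error", "SYSTEM",
          "The attempt to establish a replication link failed", NOW - timedelta(minutes=3)),
    Event("Directory Service", "NTDS Replication", 1925, "Error", "SYSTEM",
          "The attempt to establish a replication link failed", NOW - timedelta(minutes=45)),
    Event("Directory Service", "NTDS Replication", 2087, "Warning", "SYSTEM",
          "DNS lookup failure caused replication to fail", NOW - timedelta(minutes=8)),
    Event("System", "Service Control Manager", 7036, "Information", None,
          "The Print Spooler service entered the running state", NOW - timedelta(minutes=1)),
    Event("Security", "Microsoft-Windows-Security-Auditing", 4625, "FailureAudit", "bob",
          "An account failed to log on", NOW - timedelta(minutes=2)),
]

# A failed-replication style monitor: Directory Service log, IDs 1925 or 2087,
# 4 x 5 min = 20 min window, status driven by event types.
REPLICATION_CFG = MonitorConfig(logs={"Directory Service"}, id_mode="include",
                                ids={1925, 2087}, past_intervals=4,
                                status_mode="EventTypes")

if __name__ == "__main__":
    print(evaluate(SAMPLE_EVENTS, REPLICATION_CFG, NOW))
```

The 45-minute-old error is dropped by the window, which is exactly why the component recovers on its own later; the keyword test with "Replication" (capital R) matches nothing because the message text is lowercase, illustrating the case-sensitivity note.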

Convert Value

Checking the Convert Value check box opens the Formula box. From here, you can manipulate the returned value with a variety of mathematical possibilities. You can choose common functions from the drop down lists to manipulate the returned value, or you can select the Custom Conversion option. For more information, see Convert values in data transformations for SAM component monitors.

Statistic Threshold

Specify the conditions that mark a warning or critical level as breached. Choose a logical operator from the drop-down list, then enter a value in the field next to it. For example: Less than 15 for warning, Less than 5 for critical. When the status is Based on Event Count, the statistic is the number of matched events, so the thresholds are normally Greater than values. See Application Monitor Thresholds for details.

User Notes

Add notes for easy reference. You can access this field by using the variable, ${UserNotes}.