Windows Event Log Monitors
As described in Work with component monitors, SAM includes several "component monitor types" that use various methods to focus on elements such as services, logs, or processes.
Windows Event Log Monitors are component monitors that scan Windows Event Logs for recent events that match your defined criteria. Events are considered "recent" based on the age of the event, as compared to the application polling frequency. If a matching event is found, the component monitor changes status.
One example of a Windows Event Log Monitor is the Events: Failed Replication component monitor in the Active Directory 2016 Services and Counters template that tracks how many times replication failed on a target node. For another example, see this Success Center article: Create Windows Event Logs to monitor Failover events.
Note the following details that apply to most Windows Event Log Monitors:
- A Windows Event Log Monitor eventually returns to its original status as time passes, so you may not notice a matching event unless you create an alert to notify you when a component is Down.
- Starting in SAM 2020.2, WinRM is used to poll WMI-based component monitors.
- When polling via DCOM/RPC, this component monitor uses the following ports:
  - TCP 135
  - RPC/named pipes (NP) TCP 139
  - RPC/NP TCP 445
  - RPC/NP UDP 137
  - RPC/NP UDP 138
If you create a custom Windows Event Log Monitor in the Component Monitor Wizard, you'll be prompted to provide several values, as described next.
For tips about using wildcards, see this THWACK post.
The number of recent events that match your defined criteria.
A default description of the monitor, which you can add to or replace. The variable to access this field is
Determines if the component is enabled. Disabling the component leaves it in the application in a deactivated state that doesn't influence either SolarWinds SAM application availability or status.
Credential for Monitoring
Select a Windows credential with access to Windows Event logs on the target node, which is typically an administrator-level credential. Click a credential in the list, or use the <Inherit credential from node> option. If the credential you need is not in the credentials list, add it in the SAM Credentials Library.
Configure the method used to gather data:
- WMI (WinRM/DCOM): Use WinRM, with DCOM as a fallback method. See Use WinRM for application monitor polling in SAM.
- RPC (Remote Procedure Call): Use RPC communication.
WinRM Authentication Mechanism
If the SAM WinRM toggle is enabled for application polling on the SolarWinds Platform server and target nodes, select an authentication method for the connection. The default setting is Negotiate.
- Default: Specifies the transport to use for WS-Management protocol requests and responses: HTTP or HTTPS. The default is HTTP.
- Digest: User name and password are required. The client sends a request with authentication data to an authenticating server, usually a domain controller. If the client is authenticated, then the server receives a Digest session key to authenticate subsequent requests from the client.
- Negotiate: The client sends a request to the server to determine the protocol to use for Simple and Protected Negotiation (SPNEGO) authentication, which can be either:
- Kerberos for domain accounts, or
- NTLM for local computer accounts
- Basic: User name and password are required, as sent via HTTP or HTTPS in a domain or workgroup.
- Kerberos: User name and password are required for mutual authentication between the client and server, using encrypted keys. The client account must be a domain account in the same domain as the server. When a client uses default credentials, Kerberos is the authentication method if the connection string is not one of the following: localhost, 127.0.0.1, or [::1].
- NtlmDomain: User name and password are required for NTLM authentication. The client proves its identity by sending a user name, password, and domain name.
- CredSsp: User name and password are optional. The Credential Security Support Provider (CredSSP) lets an application delegate the user credentials from the client to the target server for remote authentication. The client is authenticated over the encrypted channel by using the SPNEGO protocol with either Kerberos or NTLM.
Log to Monitor
Select Any Log to match events found in any log or select a specific log to restrict your search. If the log you want is not listed, select Custom.
Custom Log to Monitor
Enter the log names as they appear in the Windows Event Viewer. Separate multiple log names with commas. Example:
Internet Explorer, SolarWinds.net
Select "Any error in log generates a match" if that is sufficient for your needs, or select Custom to further restrict the match criteria.
Enter a log source to further restrict the match criteria. Leave the field blank to match all possible log sources.
Select the desired option to further restrict the match criteria for event IDs, or leave the field blank to find all possible event IDs:
- Find all IDs – match all event IDs
- Match only specific IDs – match all event IDs listed (separate multiple IDs with commas)
  When you use multiple event IDs separated by commas, the logic used to combine these event IDs is “OR,” so all events that contain one of the event IDs listed are matched.
- Exclude specific IDs – exclude all event IDs listed (separate multiple IDs with commas)
Select Any Event to match any event type in the log, or select a specific event type to further restrict the match criteria.
User who generated Events
Enter a user name to further restrict the match criteria. Leave this field blank to match any users. Enter "N/A" to select only events with no specific user.
Select the "With Keywords Below" option to specify keywords or phrases as the match criteria. Select "Matching Regular Expression Below" to specify regular expressions that match text that appears in the events.
This string field is case sensitive.
Number of past polling intervals to search for events
Enter the number of polling intervals' worth of time you want to search in the event logs. For example, to always search the past 20 minutes of event logs, set the application polling interval to five minutes and then set the Number of Past Polling Intervals to four (4 × 5 min = 20 min). Fractional values are supported.
Collect Detailed Data of Matched Events
When enabled, the message and other details of matched events are available for viewing and alerting.
If a match is found in a polling period, component is
Select whether a found match should set the component status to Up or Down. You can also take action using the Based on Event Types or Based on Event Count options.
- Based on Event Types: The status of the component monitor is never Down for a successful poll:
  - Critical - When there is at least one event with a severity of Error or FailureAudit.
  - Warning - When there is at least one event with a severity of Warning.
  - Up - When all matched events are either Informational or SuccessAudit.
- Based on Event Count: The status of the component monitor is never Down for a successful poll, and thresholds for the returned value are applied against the number of matched events.
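The following script is an added example, not SolarWinds code: it reproduces the monitor's match criteria (log, source, included/excluded event IDs with OR logic, case-sensitive keyword or regex text, user, and the polling-interval lookback window) with Get-WinEvent on a target node, then derives the Based on Event Types status and the event count the thresholds would be applied to. Parameter names and default values are assumptions chosen for the example; run it on the node to check what a planned component would match before creating it.

```powershell
# Added example (not SolarWinds code): check a Windows Event Log Monitor's
# criteria locally with Get-WinEvent. Parameter names/defaults are assumptions.
param(
    [string[]]$LogName        = @('System'),  # Log to Monitor / Custom Log to Monitor
    [string]  $Source         = '',           # log source; blank = any source
    [int[]]   $IncludeIds     = @(),          # "Match only specific IDs"; empty = all IDs
    [int[]]   $ExcludeIds     = @(),          # "Exclude specific IDs"
    [string]  $User           = '',           # blank = any user; 'N/A' = events with no user
    [string]  $Pattern        = '',           # keywords or regex; blank = any text
    [switch]  $Regex,                         # treat $Pattern as a regular expression
    [int]     $PollingMinutes = 5,            # application polling interval
    [double]  $PastIntervals  = 4             # number of past polling intervals (fractional OK)
)

# Window searched: polling interval x past intervals (4 x 5 min = 20 min).
$start = (Get-Date).AddMinutes(-1 * $PollingMinutes * $PastIntervals)

# Server-side filter; a list of IDs in the hashtable is combined with OR, as in the monitor.
$filter = @{ LogName = $LogName; StartTime = $start }
if ($Source)                 { $filter.ProviderName = $Source }
if ($IncludeIds.Count -gt 0) { $filter.ID = $IncludeIds }

function Get-EventUser($ev) {
    if ($null -eq $ev.UserId) { return $null }
    try   { $ev.UserId.Translate([System.Security.Principal.NTAccount]).Value }
    catch { $ev.UserId.Value }   # unresolvable SID: fall back to the raw SID string
}

# Client-side filters: ID exclusions, case-sensitive text match (-cmatch/-clike), user.
$matched = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    Where-Object {
        ($ExcludeIds -notcontains $_.Id) -and
        (-not $Pattern -or ($Regex -and $_.Message -cmatch $Pattern) -or
                           (-not $Regex -and $_.Message -clike "*$Pattern*")) -and
        (-not $User -or
         ($User -eq 'N/A' -and $null -eq $_.UserId) -or
         ($null -ne $_.UserId -and (Get-EventUser $_) -like "*$User"))
    })

# "Based on Event Types": Critical for Error/FailureAudit, Warning for Warning,
# otherwise Up. Level 1/2 = Critical/Error, 3 = Warning; audit events are
# Level 0 and carry the 'Audit Failure' / 'Audit Success' keyword instead.
$status = 'Up'
foreach ($e in $matched) {
    if (($e.Level -in @(1, 2)) -or ($e.KeywordsDisplayNames -contains 'Audit Failure')) {
        $status = 'Critical'; break
    }
    if ($e.Level -eq 3) { $status = 'Warning' }
}

# Statistic = number of matched events; "Based on Event Count" thresholds apply to it.
[pscustomobject]@{ MatchedEvents = $matched.Count; Status = $status }
```

Example call: `.\Check-EventLogMonitor.ps1 -LogName Security -IncludeIds 4625,4740 -PollingMinutes 5 -PastIntervals 4` lists failed logons and lockouts from the last 20 minutes, with the status the component would report.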
Select the "Yes, convert returned value" option to display fields where you can select a common function or enter a custom formula. The Custom Conversion option provides basic arithmetic operators (+, -, *, /), plus built-in mathematical functions for more advanced conversions. See Convert values in data transformations for SAM component monitors.
Specify a threshold that indicates a warning or critical level was breached. Use logical operators in the drop-down list, followed by a blank field where you enter a value. For example:
- Less than 15 for warning
- Less than 5 for critical
See also Application Monitor Thresholds.
Add notes for easy reference. You can access this field by using the variable,