
Monitor Window Event Logs

  • 1.  Monitor Window Event Logs

    Posted Nov 26, 2006 02:39 AM
    I know the expertise version can monitor the Windows Event Logs. I enabled the Log Tracking under platform->Inventory tab ->Configuration Properties then configured an Alert. I thought the alert was for any event. I see more events than alerts. Q: Where can I get some docs on how to set it up? The Hyperic HQ 2.7 Documentation -> Log Tracking is just a Placeholder. :(
    -Eric


  • 2.  RE: Monitor Window Event Logs

    Posted Nov 27, 2006 08:54 PM
    A couple of questions to clarify your issue:

    1. When you say you are not seeing alerts for all the events you are seeing, are you seeing these events within HQ, or just in your Event Viewer?

    2. In the configuration properties, what have you set platform.log_track.level to? And in the defined alert, what have you set the Events/Logs Level to?

    Thanks.


  • 3.  RE: Monitor Window Event Logs

    Posted Nov 27, 2006 10:35 PM
    At 12:53 PM 11/27/2006 -0800, Chip Witt wrote:
    >1. When you say you are not seeing alerts for all the events you
    >are seeing, are you seeing these events within HQ, or just in your
    >Event Viewer?

    In HQ I only see a few events. In the Event Viewer I see a
    bunch of events that I don't see in HQ. If I use the resource kit
    tool logevent.exe to insert events into the Application log I don't
    see them in HQ.


    >2. In the configuration properties, what have you set
    >platform.log_track.level to?

    It's set to Error. As I understand it this will give me events
    that are Error, Warning, Info and Debug. Right?


    > And in the defined alert, what have you set the Events/Logs Level to?

    It's set to Error.
    -Eric



    Eric Case, CISSP <ecase@Email.Arizona.EDU>
    Support Systems Analyst, Principal
    Department of Chemical & Environmental
    Engineering <http://www.CHEE.Arizona.EDU>
    1133 E James E. Rogers Way (Room 108)
    Tucson, AZ 85721-0011
    Mobile Phone 520-275-6436




  • 4.  RE: Monitor Window Event Logs

    Posted Nov 28, 2006 12:36 AM
    OK. Out-of-the-box, event log tracking only monitors system events at the platform level, assuming one would monitor specific applications at the server or service level. This behavior can be modified with a custom plug-in, and there are people that will gladly help you find an adequate solution if you can provide details about what applications you are trying to monitor on the platform.

    On the platform.log_track.level setting, your configuration is exactly opposite of expected behavior. Whatever the setting, you get that level and everything above (as listed in HQ). I am used to seeing log levels listed with Debug at the top, so immediately realized how this could confuse. Setting it for Info gets you Info, Warn, and Error. Setting for Error just gets you the Error messages. Debug will get you everything.


  • 5.  RE: Monitor Window Event Logs

    Posted Nov 28, 2006 09:26 AM
    > OK. Out-of-the-box, event log tracking only monitors
    > system events at the platform level,

    Hmm. I guess I can use the "Windows Service" Service Type to monitor some things like the File Replication Service, but how do I monitor for security events? I'd like to set an alert for failed security audits and other events that are out of the norm.


    > On the platform.log_track.level setting, your
    > configuration is exactly opposite of expected
    > behavior.

    Ok, changing the setting to debug produces more alerts and they mostly match up with what I see in the system event log. I'm getting an alert that I can't find in the Event Viewer, "system: login: INET3$ network share (192.168.1.3)"
    -Eric


  • 6.  RE: Monitor Window Event Logs

    Posted Nov 28, 2006 06:21 PM
    If you can provide the event Source, Category, Type, and Event_ID information for things you would want pulled into HQ from the Security Events Log, we can look into what is required to modify the existing plugin to suit your needs. I have it on good authority that this should not be too troublesome with the proper data in-hand.

    Our plugin already pulls in some login information, which is what the event you see that is otherwise unaccounted for demonstrates. The "system: login: INET3$ network share (192.168.1.3)" is indicating a machine mount login to a network share on the monitored platform. If I am not mistaken, I believe that this one correlates to an "Event_ID: 540" event in the Security Events Log.


  • 7.  RE: Monitor Window Event Logs

    Broadcom Employee
    Posted Nov 30, 2006 09:41 PM
    Hi Eric,

    I just checked in a plugin that can track the Security Event Log
    along with collecting a few security related metrics from the Windows
    performance counters:

    http://svn.hyperic.org/branches/HQ_2_7/plugins/examples/windows-security-plugin.xml?root=Hyperic+HQ&view=log

    Deploy following these steps:
    http://support.hyperic.com/confluence/display/DOCSHQ27/Plugin+Development+Center#PluginDevelopmentCenter-deployment

    Let us know if this provides the info you need. We could also
    consider building this into the existing system plugin.





  • 8.  RE: Monitor Window Event Logs

    Posted Dec 05, 2006 04:05 PM
    At 01:41 PM 11/30/2006 -0800, Doug MacEachern wrote:
    >I just checked in a plugin that can track the Security Event Log
    >along with collecting a few security related metrics from the Windows
    >performance counters:

    Thanks Doug,

    I added the plugin, added the service but I'm not sure where to
    go from here. I guess I need to add the alerts to the service? Will
    the security event logs show up in the platform logs?

    I assume that I can just open the xml file and edit it to make
    plugins for the other event logs. What are the pros and cons of making
    a single plugin to monitor multiple event logs like Application,
    Directory Service, DNS Server, File Replication Service and Security?
    -Eric







  • 9.  RE: Monitor Window Event Logs

    Broadcom Employee
    Posted Dec 15, 2006 03:07 AM
    On Dec 5, 2006, at 8:04 AM, Eric Case wrote:

    > At 01:41 PM 11/30/2006 -0800, Doug MacEachern wrote:
    >> I just checked in a plugin that can track the Security Event Log
    >> along with collecting a few security related metrics from the Windows
    >> performance counters:
    >
    > Thanks Doug,
    >
    > I added the plugin, added the service but I'm not sure where
    > to go from here. I guess I need to add the alerts to the service?
    > Will the security event logs show up in the platform logs?

    Hi Eric,

    That's right, after creating the service, create your alerts for that
    service just as you had done for the platform. However, the security
    events will show up at the service level.

    > I assume that I can just open the xml file and edit it to make
    > plugins for the other event logs. What are the pros and cons of
    > making a single plugin to monitor multiple event logs like
    > Application, Directory Service, DNS Server, File Replication
    > Service and Security?
    >

    We chose to attach event logs to specific resource types, for example:

    System -> Windows Platform defined in the system plugin
    Directory Service -> Active Directory server type defined in the ntds
    plugin
    Application -> Various plugins, depending on the event source: iis,
    mssql, exchange, ntds

    The idea was to correlate log events with monitoring provided by each
    resource type.
    It sounds like you'd prefer to have events from all logs tied to a
    single resource, I can see advantages to that.
    How about if we change the system plugin to include a check box [x]
    Monitor all event logs
    Where, the default would still be the System log, but if the box is
    checked, the plugin would monitor all?



  • 10.  RE: Monitor Window Event Logs

    Posted Dec 16, 2006 10:37 PM
    At 07:07 PM 12/14/2006 -0800, Doug MacEachern wrote:
    >It sounds like you'd prefer to have events from all logs tied to a
    >single resource, I can see advantages to that.
    >How about if we change the system plugin to include a check box [x]
    >Monitor all event logs
    >Where, the default would still be the System log, but if the box is
    >checked, the plugin would monitor all?

    That would be good. I think the ideal event log monitor would
    send events that have not been excluded (if it doesn't correlate the
    events). An event like booting up will produce a bunch of event
    logs; if we could correlate that "bunch" into a single event that
    would be awesome. Given that is not easy to do, I think the next best
    thing is to list the event logs to exclude. Maybe I don't care to
    get an alert every time the system logs the up time, every successful
    log in, any information only events, and "other background noise" but
    anything I didn't tell it to exclude I want to know about. If I knew
    exactly what events to monitor for today, I won't know what new ones
    will be added tomorrow. It's the unknown that has me worried.
    -Eric


    Eric Case, CISSP <ecase@Email.Arizona.EDU>
    Support Systems Analyst, Principal
    Department of Chemical & Environmental
    Engineering <http://www.CHEE.Arizona.EDU>
    1133 E James E. Rogers Way (Room 108)
    Tucson, AZ 85721-0011
    Mobile Phone 520-275-6436
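
Added example, not part of the thread and not Hyperic HQ plugin code: the level threshold explained in post 4 combined with the exclude-list alerting and burst collapsing proposed in post 10, run over constructed events. The `Event` fields, the rule format, the 60-second window and the level assigned to each sample event are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
# Least to most severe. A setting selects that level and everything more
# severe, as post 4 describes. Per-event levels below are assumed.
LEVELS = ["Debug", "Info", "Warn", "Error"]

@dataclass(frozen=True)
class Event:
    time: datetime
    log: str        # "System", "Security", ...
    source: str
    event_id: int
    level: str      # one of LEVELS

def passes_level(event, setting):
    return LEVELS.index(event.level) >= LEVELS.index(setting)

def excluded(event, rules):
    # A rule is a dict of field -> value; every listed field must match.
    return any(all(getattr(event, k) == v for k, v in r.items()) for r in rules)

def alerts(events, setting, rules, window=timedelta(seconds=60)):
    """Alert on everything not excluded; events in the same log that follow
    the previous one within `window` are collapsed into a single alert."""
    kept = sorted((e for e in events
                   if passes_level(e, setting) and not excluded(e, rules)),
                  key=lambda e: (e.log, e.time))
    out, last = [], None
    for e in kept:
        if out and out[-1]["log"] == e.log and e.time - last <= window:
            out[-1]["ids"].append(e.event_id)
        else:
            out.append({"start": e.time, "log": e.log, "ids": [e.event_id]})
        last = e.time
    return sorted(out, key=lambda a: a["start"])

T0 = datetime(2006, 12, 16, 8, 0, 0)
SAMPLE = [  # constructed events, not taken from the thread
    Event(T0, "System", "EventLog", 6009, "Info"),
    Event(T0 + timedelta(seconds=1), "System", "EventLog", 6005, "Info"),
    Event(T0 + timedelta(seconds=5), "System", "Service Control Manager", 7036, "Info"),
    Event(T0 + timedelta(seconds=20), "System", "EventLog", 6013, "Info"),  # uptime
    Event(T0 + timedelta(minutes=30), "Security", "Security", 540, "Info"),
    Event(T0 + timedelta(minutes=31), "Security", "Security", 529, "Error"),
    Event(T0 + timedelta(hours=2), "System", "ExampleDriver", 9999, "Warn"),
]
RULES = [{"log": "System", "event_id": 6013}, {"log": "Security", "event_id": 540}]

if __name__ == "__main__":
    for a in alerts(SAMPLE, "Debug", RULES):
        print(a["start"], a["log"], a["ids"])
```

With the setting at Debug, the boot burst becomes one alert and the unlisted `ExampleDriver` event still gets through; with the setting at Error, only the failed logon (529) remains.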




  • 11.  RE: Monitor Window Event Logs

    Broadcom Employee
    Posted Dec 19, 2006 04:00 AM
    ok, I opened an enhancement to implement this: http://jira.hyperic.com/browse/HHQ-405

    I'll attach an updated plugin there when it's ready.


    Message was edited by: rmorgan


  • 12.  RE: Monitor Window Event Logs

    Broadcom Employee
    Posted Mar 09, 2007 01:03 AM

    Meant to follow up earlier... this feature was included in the 3.0 release.  Eric, let us know if this does what you need!
