LogicMonitor can detect, and alert on, any event recorded in the Windows Event logs. To trigger an alert, an event source must be defined that matches the characteristics of the event or events.
To define a new event source:
1. Under Settings... Datasources, click the New button in the upper left corner, click EventSource, and select Windows Event Logging in the Type drop-down menu:

The EventSource form above will raise an alert for any Windows log event with Event ID = 7040 (service startup type change) whose message contains the string "disabled".
Applies To is used to associate an EventSource with a particular host (or group of hosts). Click here for more details. In the example above, isWindows() means the EventSource will be associated with any Windows host.
Group field (optional) is used to group several EventSources in a folder.
Filters section (optional) – defines the characteristics that event log messages must have in order to be matched by this event source and have an alert raised. Note that every defined filter must be met for an event to match.
You can filter on the alert event ID, level, Logname, message, and sourcename. Note: By default, LogicMonitor excludes all events of level Informational. Thus if you specified a filter of Logname equals System, with no other filters, you would see all events except those of informational level. In order to raise alerts on Informational level events, you must specify the event explicitly by ID.
To match multiple event IDs, you can use the regular expression matching filters, and separate the event IDs with a pipe symbol | but ensure there are no extra spaces.
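The filter rules above, modelled in Python as an added example (this is not LogicMonitor code). The operator names `Equal`, `Contain` and `RegexMatch`, whole-value regex matching, case-sensitive comparison, and treating any EventID filter as "specifying the event by ID" are assumptions made for illustration; the sample events are constructed.

```python
import re

# Constructed sample events (not real log data). Field names follow the
# filter fields listed above.
SCM = "Service Control Manager"
SAMPLE_EVENTS = [
    {"EventID": 7040, "Level": "Informational", "Logname": "System", "SourceName": SCM,
     "Message": "The start type of the Windows Update service was changed "
                "from auto start to disabled."},
    {"EventID": 7040, "Level": "Informational", "Logname": "System", "SourceName": SCM,
     "Message": "The start type of the Print Spooler service was changed "
                "from demand start to auto start."},
    {"EventID": 7036, "Level": "Informational", "Logname": "System", "SourceName": SCM,
     "Message": "The Print Spooler service entered the stopped state."},
    {"EventID": 7031, "Level": "Error", "Logname": "System", "SourceName": SCM,
     "Message": "The Print Spooler service terminated unexpectedly."},
]


def _test(op, actual, wanted):
    """Evaluate one filter. Operator names are hypothetical labels."""
    actual = str(actual)
    if op == "Equal":
        return actual == wanted
    if op == "Contain":
        return wanted in actual
    if op == "RegexMatch":
        # Assumption: the pattern must match the whole value, so a stray
        # space around the pipe becomes part of each alternative.
        return re.fullmatch(wanted, actual) is not None
    raise ValueError(f"unknown operator: {op}")


def matches(event, filters):
    """filters is a list of (field, operator, value) tuples."""
    # Default exclusion: Informational events are dropped unless the
    # EventSource names the event by ID.
    names_id = any(field == "EventID" for field, _, _ in filters)
    if event["Level"] == "Informational" and not names_id:
        return False
    # All defined filters must be met.
    return all(_test(op, event[field], value) for field, op, value in filters)


def matched_ids(filters, events=SAMPLE_EVENTS):
    """Return the Event IDs of the sample events that would raise an alert."""
    return [e["EventID"] for e in events if matches(e, filters)]
```

Running `matched_ids` with the filters from the form above returns only the 7040 event whose message contains "disabled"; a lone `Logname` filter drops every Informational event, and a pattern written as `7040 | 7031` matches nothing.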

Alert Settings define the characteristics of the alert that is raised when an event is detected that matches the filters of this event source.
Effective Interval field defines a period of time in minutes to regard the event as being in alert. For example, given an Effective Interval of 60, an event such as system restart will show as a current alert for 60 minutes after the event is detected. This gives time for the alert to be escalated. After the Effective Interval has expired, the host will no longer be in alert from this event. (Of course, the alert will be visible in the alert history, and will have been sent according to applicable escalation rules already.)
When an event is detected by a collector, and is matched by a filter, it will be displayed in the Hosts Tab and Alert tab.