Windows Event logs monitor added to Xymonton

David Baldwin david.baldwin at ausport.gov.au
Tue Aug 17 11:09:40 CEST 2010


This is my solution for the deficiencies of both BBNT's msgs and BBwin
(broken in central mode) Windows event log reporting. Neither
effectively works for Vista/2008 to my knowledge.

http://xymonton.trantor.org/doku.php/monitors:winevtmsgs.pl

Reports on Windows Event logs forwarded with SNARE (a free Windows event
log forwarder over syslog)
http://www.intersectalliance.com/projects/SnareWindows/index.html

Each Windows server needs the appropriate version of Snare installed
(Vista/2008 different from older versions of Windows) and configured to
forward to central syslog server.

Install on central syslog server. Assumed this is the same as xymon
server (need to use bb-hosts 'evt' tag to denote tested hosts).
Sample config for using rsyslog documented.

Can also report on cluster nodes and cluster resources (e.g. SQL or
Exchange) - in such cases each cluster node forwards all events for all
nodes.

Highly configurable alerting on various event log fields by exact string
match or regexp. Sample rule:

#  sample rule:
#    DCs (Domain Controllers)
#    host name specified by regexp
#    ignore System:MRxSMB 8003 messages about Browser service
#    yellow on System:KDC 26 messages (often Error, but not that significant)
#    green on System:NETLOGON (various) messages (often Error) about deleted/disabled/etc computer accounts
#
#          "DCs" => {
#              "host" => qr/^(dc\d+)/i,
#              "ignore" => {
#                  "Browser" => {
#                      "src" => "System",
#                      "cat" => "MRxSmb",
#                      "evn" => qr/^(8003)$/,
#                  },
#              },
#              "yellow" => {
#                  "KDC" => {
#                      "src" => "System",
#                      "cat" => "KDC",
#                      "evn" => "26",
#                  },
#              },
#              "green" => {
#                  "NoCompAcct" => {
#                      "src" => "System",
#                      "cat" => "NETLOGON",
#                      "evn" => qr/^(5719|572[23]|5805)$/,
#                  },
#              },
#          },


Any questions, suggestions, problems drop me a line.

David.

-- 
David Baldwin - IT Unit
Australian Sports Commission          www.ausport.gov.au
Tel 02 62147830 Fax 02 62141830       PO Box 176 Belconnen ACT 2616
david.baldwin at ausport.gov.au          Leverrier Street Bruce ACT 2617


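As an added illustration (not code from winevtmsgs.pl or from the post), this is how a rule set written in the format of the sample above can be evaluated against already-parsed events: the host regexp and the src/cat/evn fields follow the sample, while the ignore-then-yellow-then-green precedence and the sample events are assumptions made here.

```perl
use strict;
use warnings;
# Rule set in the post's format (group -> host regexp, then verdicts
# "ignore"/"yellow"/"green" -> named rules on the src/cat/evn fields).
my %rules = (
    "DCs" => {
        "host"   => qr/^(dc\d+)/i,
        "ignore" => { "Browser"    => { "src" => "System", "cat" => "MRxSmb",   "evn" => qr/^(8003)$/ } },
        "yellow" => { "KDC"        => { "src" => "System", "cat" => "KDC",      "evn" => "26" } },
        "green"  => { "NoCompAcct" => { "src" => "System", "cat" => "NETLOGON", "evn" => qr/^(5719|572[23]|5805)$/ } },
    },
);
# A field pattern is either a qr// regexp or a plain string (exact match).
sub field_matches {
    my ($pattern, $value) = @_;
    return 0 unless defined $value;
    return ref $pattern eq 'Regexp' ? $value =~ $pattern : $value eq $pattern;
}
# Every field named in a rule must match for the rule to fire.
sub rule_matches {
    my ($rule, $evt) = @_;
    field_matches($rule->{$_}, $evt->{$_}) or return 0 for keys %$rule;
    return 1;
}
# Verdict for one event: "ignore", "yellow", "green", or undef if no group/rule
# applies. The precedence (ignore, yellow, green) is this example's assumption.
sub classify_event {
    my ($rules, $evt) = @_;
    for my $group (values %$rules) {
        next unless $evt->{host} =~ $group->{host};
        for my $verdict (qw(ignore yellow green)) {
            for my $rule (values %{ $group->{$verdict} || {} }) {
                return $verdict if rule_matches($rule, $evt);
            }
        }
    }
    return undef;
}
# Constructed sample events (hypothetical, not real log data).
my @events = (
    { host => "DC01",  src => "System", cat => "MRxSmb",   evn => "8003" },  # ignored
    { host => "dc2",   src => "System", cat => "KDC",      evn => "26"   },  # yellow
    { host => "DC01",  src => "System", cat => "NETLOGON", evn => "5723" },  # green
    { host => "web01", src => "System", cat => "KDC",      evn => "26"   },  # host is not a DC
);
printf "%-5s %-8s %-4s => %s\n", $_->{host}, $_->{cat}, $_->{evn},
    classify_event(\%rules, $_) // "no rule" for @events;
```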