[Xymon] Windows Event Logs - Central Mode bbwin
Brandon Dale
bdale at kitchen-net.com.au
Wed Sep 24 04:37:32 CEST 2014
Hi,
I am new to Xymon and currently testing on a few Windows servers running 2003, 2008 and 2012. I am using the bbwin client at the moment but am also aware of the PowerShell client (which I haven't tested yet). The bbwin clients are all running in central mode and successfully sending data to the Xymon server.
I'll give a brief background on what I have done to get event logs to work at all (this took lots of googling and playing around). I think this is the correct way to do it in central mode; if not, please let me know and point me in the right direction, as there isn't much information on the Windows side of things:
1. Added this to analysis.cfg
CLASS=win32
LOG %.* %^critical.* COLOR=red
LOG %.* %^error.* COLOR=red
LOG %.* %^failure.* COLOR=yellow
LOG %.* %^warning.* COLOR=yellow
This seems to work; for example, where an event has Level=Warning in eventvwr, it goes yellow in Xymon.
2. Added rules in client-local.cfg to filter out certain events. This seems to use the description of the event and doesn't read the level at all (it took a lot of googling and testing to work this out):
[win32]
eventlog:security:10240
ignore .* permitted a connection
ignore .* permitted a bind
ignore Windows Firewall blocked an application
eventlog:system:10240
ignore Big Brother Xymon Client service
ignore .* The local computer may not have the necessary registry information
eventlog:application:10240
ignore The (service BBWin|agent \w+\.dll) has been success
ignore The agent externals generated this event message
ignore .* shutting down due to idle timeout
Now the above all seems to work: events appear in the msgs column in Xymon, and they don't include any of the ones listed in client-local.cfg. I can see the content of client-local.cfg being sent to the local machines, and it all works.
My questions are:
1. Why can't I filter on Success, Information, etc. in client-local.cfg? Does this just not work, or am I doing it wrong?
2. Messages eventually disappear from the msgs column, so an error that had triggered it to go red will eventually go green even though the error may never have been fixed. I understand why this happens: it doesn't log an event to say the error is fixed, so in that example it would always be red. But what controls how long the messages stay on the messages page? And is there any way to have, for example, anything that is non-green stay there until it is somehow acknowledged, sort of like a to-do list of errors to resolve on each server?
3. Does any of this work better/differently in the PowerShell client?
Brandon.
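As an added illustration (not part of Brandon's message and not Xymon's or bbwin's own code), the following Python models the two-stage behaviour described above: the client-local.cfg ignore patterns are tried against the event text with an unanchored search, and the analysis.cfg LOG patterns (all anchored with ^) are tried against the start of the line, where the level word sits. The "level source id description" line layout and the sample events are constructed assumptions for the demo, not bbwin's real output format, and the rule tables below are hand-copied from the post rather than parsed from the real configuration files.

```python
import re

# Ignore patterns per event log, copied from the [win32] block in the post.
# This is a hand-built table for the demo, not a client-local.cfg parser.
IGNORE_RULES = {
    "security": [
        r".* permitted a connection",
        r".* permitted a bind",
        r"Windows Firewall blocked an application",
    ],
    "system": [
        r"Big Brother Xymon Client service",
        r".* The local computer may not have the necessary registry information",
    ],
    "application": [
        r"The (service BBWin|agent \w+\.dll) has been success",
        r"The agent externals generated this event message",
        r".* shutting down due to idle timeout",
    ],
}

# LOG rules from analysis.cfg: (line pattern, colour), in the order listed.
LOG_RULES = [
    (r"^critical.*", "red"),
    (r"^error.*", "red"),
    (r"^failure.*", "yellow"),
    (r"^warning.*", "yellow"),
]

COLOUR_RANK = {"green": 0, "yellow": 1, "red": 2}

# Constructed sample events. The "level source id description" layout is an
# assumption for this demo, not bbwin's actual on-the-wire format.
SAMPLE_EVENTS = {
    "security": [
        "information Windows Firewall 2004 The Windows Firewall permitted a connection",
        "failure Microsoft-Windows-Security-Auditing 4625 An account failed to log on",
    ],
    "system": [
        "information Service Control Manager 7036 The Big Brother Xymon Client service entered the running state",
        "error Service Control Manager 7000 The Print Spooler service failed to start",
        "information Service Control Manager 7036 The Windows Update service entered the running state",
    ],
    "application": [
        "information BBWin 1 The agent externals generated this event message",
        "warning ESENT 508 The database engine is shutting down due to idle timeout",
        "critical Application Error 1000 Faulting application name: svchost.exe",
    ],
}


def apply_ignores(log, lines, rules=IGNORE_RULES):
    """Drop lines matched by any ignore regex for this log.

    re.search over the whole line mirrors the observed behaviour: the
    pattern is matched against the event text, so a rule written for the
    description catches the event whatever its level.
    """
    return [
        line for line in lines
        if not any(re.search(p, line) for p in rules.get(log, []))
    ]


def colour_for_line(line, rules=LOG_RULES):
    """First LOG rule whose (^-anchored) pattern matches decides the colour."""
    for pattern, colour in rules:
        if re.search(pattern, line):
            return colour
    return "green"


def evaluate(events=SAMPLE_EVENTS, ignores=IGNORE_RULES, log_rules=LOG_RULES):
    """Return (overall colour, {log: [(line, colour), ...]}) after filtering.

    The overall colour is the worst colour of any surviving line, which is
    how a single unfiltered error turns the msgs column red.
    """
    overall = "green"
    report = {}
    for log, lines in events.items():
        coloured = [(l, colour_for_line(l, log_rules))
                    for l in apply_ignores(log, lines, ignores)]
        report[log] = coloured
        for _, colour in coloured:
            if COLOUR_RANK[colour] > COLOUR_RANK[overall]:
                overall = colour
    return overall, report


if __name__ == "__main__":
    status, report = evaluate()
    print("overall:", status)
    for log, entries in report.items():
        for line, colour in entries:
            print(f"{log:12} {colour:6} {line}")
```

Running it shows the three ignored lines (the permitted connection, the Xymon client service start, and the two BBWin/ESENT lines) never reach the colouring stage, while the remaining "information" line survives but stays green because no LOG rule names that level; "failure" and "error"/"critical" lines go yellow and red respectively, and the worst of them sets the overall colour.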