[Xymon] Windows XymonPSClient v2.41
Timothy Williams
tlwilliams4 at vcu.edu
Tue Mar 19 14:33:02 CET 2019
OK, figured it out. Needed to enclose whole log name in quotes. I guess
Xymon saw the space as end of log name and the Defender/Operational as a
pattern match within the (truncated) logname. Logical once I slept on it
and looked at it. We can now alert on the crucial Informational alerts such
as Engine Update failed, etc.
Tim Williams
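The working form of the two analysis entries, written out as an added example rather than Tim's posted file; it assumes double quotes are what the Xymon analysis file accepts around a log name containing a space, as the message above describes:

```text
HOST=WINDOWS2016
# before: the space ended the log name, so "Defender/Operational" was read as the pattern
# LOG eventlog_Microsoft-Windows-Windows Defender/Operational Error|Warning
# after: the whole log name is quoted, so pattern and colour are parsed as intended
LOG "eventlog_Microsoft-Windows-Windows Defender/Operational" Error|Warning
LOG "eventlog_Microsoft-Windows-Windows Defender/Operational" [2000] COLOR=yellow
```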
On Mon, Mar 18, 2019 at 3:50 PM Timothy Williams <tlwilliams4 at vcu.edu>
wrote:
> Zak and all, I've been testing the events in the Windows Defender log
> using the new version 2.41. I can pick up the logs and see events on Xymon
> server MSGS , but can't get analysis to send any alerts. Luckily I don't
> have any true red or yellow events, but we do want some information events
> reported on. We have tried these in the Analysis file, also with/without
> the brackets and with %^[2000] and %^2000 and %2000 and %[2000]. Can you
> see what is wrong? Is it the space in log name, or the slash? The order of
> HOST before CLASS? Some other syntax error? The log name as shown is
> clickable on Msgs page, so Xymon is handling it.
>
> HOST=WINDOWS2016
> LOG eventlog_Microsoft-Windows-Windows Defender/Operational Error|Warning
> LOG eventlog_Microsoft-Windows-Windows Defender/Operational [2000] COLOR=yellow
>
> CLASS=powershell
> UP 30m
> LOAD 90 95
> DISK * 85 95
> MEMACT 98 101
> MEMPHYS 90 95
> MEMSWAP 85 95
> FILE C:\Utils\XymonClient_Config.xml
> LOG eventlog_application Error|Warning
> IGNORE=[1008],[2004],[1018],[1022],[11],[1524],[1030],[2003],[4099],[8005],[12289],SAVOnAccessFilter
> LOG eventlog_system Error
> IGNORE=[36871],[36874],[1002],[513],[4879],[36887],[1030],[36888],[6037],[1],DCOM,Print,TermServDevices,SAVOnAccessFilter
> LOG eventlog_system Warning COLOR=yellow
>
> Here are some examples from MSGS page:
>
> green No notable entries in *eventlog_Microsoft-Windows-Windows Defender/Operational*
> green No notable entries in *EventlogSummary*
>
>
> Full log: *eventlog_Microsoft-Windows-Windows Defender/Operational*
> Information - 03/18/2019 15:31:19 - [1150] - Microsoft-Windows-Windows
> Defender - Endpoint Protection client is up and running in a healthy state.
> Platform version: 4.18.1902.2
> Engine version: 1.1.15700.9
> Signature version: 1.289.1473.0
>
> Information - 03/18/2019 10:41:31 - [2000] - Microsoft-Windows-Windows
> Defender - Windows Defender signature version has been updated.
> Current Signature Version: 1.289.1473.0
> Previous Signature Version: 1.289.1448.0
>
> Thanks, Tim Williams
>
>
> On Thu, Mar 7, 2019 at 6:37 AM Beck, Zak <zak.beck at accenture.com> wrote:
>
>> Hi
>>
>> I have committed v2.41 today – bit of a version number jump because we’ve
>> been testing a number of small fixes internally before releasing.
>>
>> Download from SVN
>> <https://sourceforge.net/p/xymon/code/HEAD/tree/sandbox/WinPSClient/>
>> (the documentation has been updated also, including uninstall instructions).
>>
>> Key changes:
>>
>> - replaced classic event log discovery (Get-EventLog) with
>> Get-WinEvent - this opens up new event logs like Windows Defender etc
>> - removed [EventLogSummary] section - [msgs:EventLogSummary] works
>> - incorporated function XymonEventLogs into core event log processing
>> (function XymonMsgs) - this allows the summary to only contain the logs in
>> eventlogswanted
>>
>> This is the main change, which should not impact but does open up new
>> options. Newer versions of Windows have a new event log format only
>> accessible via Get-WinEvent and there was one place in the code still using
>> the classic commands. This change means you can now specify these new event
>> logs in eventlogswanted, like this:
>>
>> eventlogswanted:application,system,Microsoft-Windows-Windows Defender/Operational:2500000:information,critical,error
>>
>> One side effect of this is that the event log summary now only contains
>> the logs specified in eventlogswanted because there are hundreds of
>> non-classic event logs available on typical installations.
>>
>> - add different status colour options for XymonSendLog (contributed
>> by Andy Smith <abs at shadymint.com>)
>>
>> This is the second key change – the idea is to capture the logs when the
>> client is updated (which occurs on a slowscan). The additions to the
>> xymonlogsend directive allow you to change colour on a slow scan and a
>> client restart, which causes a history change in Xymon – this means you can
>> then view the logs from those changes in the Xymon front end using the
>> history options.
>>
>> Example: xymonlogsend:clear:yellow – send a clear status on a slow scan
>> and a yellow status on a restart – all other logs will be sent with green
>> status.
>>
>> - XymonLog - fix exception when no files match the given filespec
>> - add enablediskpart client-local directive so diskpart can be
>> controlled from server
>>
>> Cheers
>>
>> Zak
>>
>>
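As an added example (not part of the thread and not XymonPSClient code), a stand-alone PowerShell check that a non-classic log such as the Defender one is readable through Get-WinEvent, the cmdlet v2.41 now relies on, filtered to the same levels as the eventlogswanted line above; the log name and the -MaxEvents count are assumptions you would adjust:

```powershell
# Log name contains a space, so it must be passed as one quoted string,
# the same issue that tripped the analysis file entry in this thread.
$logName = 'Microsoft-Windows-Windows Defender/Operational'

# Get-WinEvent level values: 1=Critical, 2=Error, 3=Warning, 4=Information.
# 1,2,4 mirrors "information,critical,error" from the eventlogswanted example;
# Information is needed because Defender reports signature updates (ID 2000)
# and health state (ID 1150) at that level.
$filter = @{
    LogName = $logName
    Level   = @(1, 2, 4)
}

try {
    # -ErrorAction Stop turns "no events found" and "log not found" into catchable errors
    $events = Get-WinEvent -FilterHashtable $filter -MaxEvents 20 -ErrorAction Stop
}
catch {
    Write-Warning "Cannot read '$logName': $($_.Exception.Message)"
    return
}

# First line of each message is enough to recognise the event type in a summary
$events |
    Select-Object TimeCreated, Id, LevelDisplayName, ProviderName,
        @{ Name = 'Summary'; Expression = { ($_.Message -split "`n")[0] } } |
    Format-Table -AutoSize
```

If this prints events but the Xymon msgs column shows none, the problem is on the client or analysis side rather than in Windows event log access.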