[Xymon] [External] Re: Windows XymonPSClient v2.41

Beck, Zak zak.beck at accenture.com
Tue Mar 19 14:49:35 CET 2019 

Hi

Thatโ€™s great, really pleased that this new addition is working out for you ๐Ÿ™‚.

It might be useful if you could share an example of your working config, as you have of your non-working config.

Thanks

Zak

From: Timothy Williams <tlwilliams4 at vcu.edu>
Sent: Tuesday, 19 March 2019 13:33
To: Beck, Zak <zak.beck at accenture.com>
Cc: xymon at xymon.com
Subject: [External] Re: [Xymon] Windows XymonPSClient v2.41

This message is from an EXTERNAL SENDER - be CAUTIOUS, particularly with links and attachments.
________________________________

OK, figured it out. Needed to enclose whole log name in quotes. I guess Xymon saw the space as end of log name and the Defender/Operational as a pattern match within the (truncated) logname. Logical once I slept on it and looked at it. We can now alert on the crucial Informational alerts such as Engine Update failed, etc.

Tim Williams


On Mon, Mar 18, 2019 at 3:50 PM Timothy Williams <tlwilliams4 at vcu.edu<mailto:tlwilliams4 at vcu.edu>> wrote:
Zak and all, I've been testing the events in the Windows Defender log using the new version 2.41. I can pick up the logs and see events on Xymon server MSGS , but can't get analysis to send any alerts. Luckily I don't have any true red or yellow events, but we do want some information events reported on.  We have tried these in the Analysis file, also with/without the brackets and with %^[2000] and %^2000 and %2000 and %[2000]. Can you see what is wrong? Is it the space in log name, or the slash? The order of HOST before CLASS? Some other syntax error? The log name as shown is clickable on Msgs page, so Xymon is handling it.

HOST=WINDOWS2016
        LOG     eventlog_Microsoft-Windows-Windows Defender/Operational Error|Warning
        LOG     eventlog_Microsoft-Windows-Windows Defender/Operational [2000] COLOR=yellow

CLASS=powershell
        UP      30m
        LOAD    90 95
        DISK    * 85 95
        MEMACT  98 101
        MEMPHYS 90 95
        MEMSWAP 85 95
        FILE    C:\Utils\XymonClient_Config.xml
        LOG     eventlog_application Error|Warning IGNORE=[1008],[2004],[1018],[1022],[11],[1524],[1030],[2003],[4099],[8005],[12289],SAVOnAccessFilter
        LOG     eventlog_system Error IGNORE=[36871],[36874],[1002],[513],[4879],[36887],[1030],[36888],[6037],[1],DCOM,Print,TermServDevices,SAVOnAccessFilter
        LOG     eventlog_system Warning COLOR=yellow

Here are some examples from MSGS page:

green No notable entries in eventlog_Microsoft-Windows-Windows Defender/Operational
green No notable entries in EventlogSummary


Full log: eventlog_Microsoft-Windows-Windows Defender/Operational
Information - 03/18/2019 15:31:19 - [1150] - Microsoft-Windows-Windows Defender - Endpoint Protection client is up and running in a healthy state.
  Platform version: 4.18.1902.2
  Engine version: 1.1.15700.9
  Signature version: 1.289.1473.0

Information - 03/18/2019 10:41:31 - [2000] - Microsoft-Windows-Windows Defender - Windows Defender signature version has been updated.
  Current Signature Version: 1.289.1473.0
  Previous Signature Version: 1.289.1448.0

Thanks, Tim Williams


On Thu, Mar 7, 2019 at 6:37 AM Beck, Zak <zak.beck at accenture.com<mailto:zak.beck at accenture.com>> wrote:
Hi

I have committed v2.41 today โ€“ bit of a version number jump because weโ€™ve been testing a number of small fixes internally before releasing.
Download from SVN<https://urldefense.proofpoint.com/v2/url?u=https-3A__sourceforge.net_p_xymon_code_HEAD_tree_sandbox_WinPSClient_&d=DwMFaQ&c=eIGjsITfXP_y-DLLX0uEHXJvU8nOHrUK8IrwNKOtkVU&r=S-aLwpx-PHBTBMIG_c2JczRC0SfuZCmsiH9Iams25FI&m=Jn7S_TBlopQDOAw4jZza5IsXSo9-GGpGvG4DmUwFFqA&s=oImKDtZItOUKWl8KMwD4-M0tY4FPJbCuBzJHTEYVGEk&e=> (the documentation has been updated also, including uninstall instructions).

Key changes:


  *   replaced classic event log discovery (Get-EventLog) with Get-WinEvent - this opens up new event logs like Windows Defender etc
  *   removed [EventLogSummary] section - [msgs:EventLogSummary] works
  *   incorporated function XymonEventLogs into core event log processing (function XymonMsgs) - this allows the summary to only contain the logs in eventlogswanted

This is the main change, which should not impact but does open up new options. Newer versions of Windows have a new event log format only accessible via Get-WinEvent and there was one place in the code still using the classic commands. This change means you can now specify these new event logs in eventlogswanted, like this:

eventlogswanted:application,system,Microsoft-Windows-Windows Defender/Operational:2500000:information,critical,error

One side effect of this is that the event log summary now only contains the logs specified in eventlogswanted because there are hundreds of non-classic event logs available on typical installations.


  *   add different status colour options for XymonSendLog (contributed by Andy Smith <abs at shadymint.com<mailto:abs at shadymint.com>>)

This is the second key change โ€“ the idea is to capture the logs when the client is updated (which occurs on a slowscan). The additions to the xymonlogsend directive allow you to change colour on a slow scan and a client restart, which causes a history change in Xymon โ€“ this means you can then view the logs from those changes in the Xymon front end using the history options.

Example: xymonlogsend:clear:yellow โ€“ send a clear status on a slow scan and a yellow status on a restart โ€“ all other logs will be sent with green status.


  *   XymonLog - fix exception when no files match the given filespec
  *   add enablediskpart client-local directive so diskpart can be controlled from server

Cheers

Zak


________________________________

This message is for the designated recipient only and may contain privileged, proprietary, or otherwise confidential information. If you have received it in error, please notify the sender immediately and delete the original. Any other use of the e-mail by you is prohibited. Where allowed by local law, electronic communications with Accenture and its affiliates, including e-mail and instant messaging (including content), may be scanned by our systems for the purposes of information security and assessment of internal compliance with Accenture policy. Your privacy is important to us. Accenture uses your personal data only in compliance with data protection laws. For further information on how Accenture processes your personal data, please see our privacy statement at https://www.accenture.com/us-en/privacy-policy.
______________________________________________________________________________________

www.accenture.com<http://www.accenture.com>
_______________________________________________
Xymon mailing list
Xymon at xymon.com<mailto:Xymon at xymon.com>
http://lists.xymon.com/mailman/listinfo/xymon<https://urldefense.proofpoint.com/v2/url?u=http-3A__lists.xymon.com_mailman_listinfo_xymon&d=DwMFaQ&c=eIGjsITfXP_y-DLLX0uEHXJvU8nOHrUK8IrwNKOtkVU&r=S-aLwpx-PHBTBMIG_c2JczRC0SfuZCmsiH9Iams25FI&m=Jn7S_TBlopQDOAw4jZza5IsXSo9-GGpGvG4DmUwFFqA&s=0-wzUVJsc94_BAaUM4BApshhC4KdePmt3fRti9qcYKI&e=>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.xymon.com/pipermail/xymon/attachments/20190319/a07657da/attachment.html>

More information about the Xymon mailing list