Questions about Windows event log monitoring
- To: <hobbit (at) hswn.dk>
- Subject: Questions about Windows event log monitoring
- From: "Daniel Elswit" <de21 (at) cornell.edu>
- Date: Fri, 18 Jul 2008 08:43:00 -0400
- Organization: Cornell University
Greetings. I'm still working a few things out with my Hobbit config. I'm
using Hobbit 4.2 and BBWin .12. At the moment I'm trying to sort out how to
filter on logs by machine. For example, none of the "LOG" statements in the
following hobbit-clients.cfg file have any effect. Another related question
I have is regarding the HOST name field. I'm using the hostnames specified
by the "client:" tag from bb-hosts as opposed to the fully qualified name.
Is that correct? (It didn't seem to work when I tried the FQ name either, for
that matter.) I'm using centralized mode. Should I be using local mode
instead for Windows event log filtering? Also, how do I specify a specific
event log name? Do I use the evt file name itself? Do I need to include
the path to it?
HOST=BUTTERMILK
PROC inetinfo.exe 1 1
LOG %.* %.*error.* COLOR=yellow IGNORE=definition
DEFAULT
UP 1h
LOAD 75 90
DISK * 90 95
MEMPHYS 85 100
MEMSWAP 75 95
MEMACT 90 97
LOG %.* %.*error.* COLOR=yellow IGNORE=password
LOG %.* %.*error.* COLOR=yellow IGNORE=printer
The Win32 part of my client-local.cfg looks like this:
[win32]
eventlog:Security
ignore Success
eventlog:System
ignore Information
eventlog:Application
ignore Information
Thanks much
--Dan
=============================================
Daniel Elswit
Assistant Director of Information Technology,
College of Agriculture & Life Sciences
Cornell University
Ithaca, NY, USA
de21 (at) cornell.edu
(607) 255-5658
http://www.cals.cornell.edu/cals/cals-it/
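As an added example (not part of the original message and not Hobbit's own code), the Python below models how the LOG rules in the posted hobbit-clients.cfg would be applied to event log lines, so the effect of the COLOR and IGNORE settings can be checked against sample lines before touching the live config. It assumes: a leading "%" marks a regex and a plain token is a substring match, a host without its own HOST= section falls through to DEFAULT, each rule's IGNORE only suppresses matches of that same rule, and COLOR defaults to red.

```python
import re

# Constructed copy of the rules from the posted hobbit-clients.cfg.
SAMPLE_CFG = """\
HOST=BUTTERMILK
PROC inetinfo.exe 1 1
LOG %.* %.*error.* COLOR=yellow IGNORE=definition
DEFAULT
LOG %.* %.*error.* COLOR=yellow IGNORE=password
LOG %.* %.*error.* COLOR=yellow IGNORE=printer
"""

# Constructed event log lines used to exercise the rules.
SAMPLE_LINES = [
    "spooler error: printer offline",
    "logon error: bad password",
    "disk error: quota exceeded",
    "service started",
]

RANK = {"green": 0, "yellow": 1, "red": 2}


def _matcher(token):
    # Assumption: '%' prefix means regex, anything else is a substring match.
    if token.startswith("%"):
        rx = re.compile(token[1:])
        return lambda s: rx.search(s) is not None
    return lambda s: token in s


def parse_rules(text):
    """Return {section: [LOG rule, ...]} keyed by HOST= name or 'DEFAULT'."""
    rules, section = {}, None
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        if parts[0].startswith("HOST=") or parts[0] == "DEFAULT":
            section = parts[0][5:] if parts[0].startswith("HOST=") else "DEFAULT"
            rules.setdefault(section, [])
        elif parts[0] == "LOG" and section is not None:
            opts = dict(p.split("=", 1) for p in parts[3:] if "=" in p)
            rules[section].append({
                "file": _matcher(parts[1]), "match": _matcher(parts[2]),
                "color": opts.get("COLOR", "red"),  # assumption: red if unset
                "ignore": _matcher(opts["IGNORE"]) if "IGNORE" in opts else (lambda s: False),
            })
    return rules


def evaluate(rules, host, logname, lines):
    """Return (worst colour, matched lines) for one log on one host."""
    section = rules.get(host, rules.get("DEFAULT", []))  # assumption: DEFAULT fallback
    applicable = [r for r in section if r["file"](logname)]
    color, hits = "green", []
    for ln in lines:
        for r in applicable:
            if r["match"](ln) and not r["ignore"](ln):
                hits.append(ln)
                if RANK[r["color"]] > RANK[color]:
                    color = r["color"]
                break
    return color, hits
```

Note that under these assumptions the two DEFAULT rules do not combine their IGNOREs: a line that contains "password" is still reported by the rule whose IGNORE is "printer".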