
Questions about Windows event log monitoring



Greetings.  I'm still working a few things out with my Hobbit config.  I'm
using Hobbit 4.2 and BBWin .12.  At the moment I'm trying to sort out how to
filter on logs by machine.  For example, none of the "LOG" statements in the
following hobbit-clients.cfg file have any effect.  Another related question
I have is regarding the HOST name field.  I'm using the hostnames specified
by the "client:" tag from bb-hosts as opposed to the fully qualified name.
Is that correct? (It didn't seem to work when I tried the FQ name either, for
that matter.)  I'm using centralized mode.  Should I be using local mode
instead for Windows event log filtering?  Also, how do I specify a specific
event log name?  Do I use the evt file name itself?  Do I need to include
the path to it?

HOST=BUTTERMILK
	PROC	inetinfo.exe 1 1
	LOG	%.* %.*error.* COLOR=yellow IGNORE=definition
DEFAULT
	UP      1h
	LOAD    75 90
	DISK    * 90 95
	MEMPHYS 85 100
	MEMSWAP 75 95
	MEMACT  90 97
	LOG	%.* %.*error.* COLOR=yellow IGNORE=password
	LOG	%.* %.*error.* COLOR=yellow IGNORE=printer

The Win32 part of my client-local.cfg looks like this:
[win32]
eventlog:Security
ignore Success
eventlog:System
ignore Information
eventlog:Application
ignore Information

Thanks much
--Dan


=============================================
Daniel Elswit
Assistant Director of Information Technology,
College of Agriculture & Life Sciences
Cornell University
Ithaca, NY, USA
de21 (at) cornell.edu
(607) 255-5658
http://www.cals.cornell.edu/cals/cals-it/
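As an added illustration (not part of Dan's post, and not Hobbit's or BBWin's own code), the Python below models the two filtering stages the two configs above describe: client-local.cfg deciding which event logs and event types the client forwards at all, and the server-side LOG/IGNORE rules deciding which forwarded lines change the column colour. The rule semantics are assumptions read off the syntax shown (a leading '%' marks a regular expression, a line raises the colour when it matches the pattern but not the IGNORE pattern, and each LOG line is evaluated on its own); they should be checked against the hobbit-clients.cfg man page before relying on them. All event lines are constructed samples.

```python
import re
from typing import List, Optional, Tuple

# Model of the [win32] section of client-local.cfg from the post:
# log name -> event types the client drops before sending.
# (Assumption: a log not listed here is not forwarded at all.)
CLIENT_LOCAL = {
    "Security": ["Success"],
    "System": ["Information"],
    "Application": ["Information"],
}

# Model of the three LOG lines from the DEFAULT/HOST sections:
# (logname pattern, line pattern, colour, IGNORE pattern).
RULES = [
    ("%.*", "%.*error.*", "yellow", "definition"),
    ("%.*", "%.*error.*", "yellow", "password"),
    ("%.*", "%.*error.*", "yellow", "printer"),
]

# Same intent expressed as ONE rule whose IGNORE is an alternation.
COMBINED_RULES = [
    ("%.*", "%.*error.*", "yellow", "%definition|password|printer"),
]


def _regex(pattern: str) -> "re.Pattern[str]":
    """A leading '%' marks a regex; anything else is a literal substring.
    (Assumption based on the '%.*' syntax in the post.)"""
    if pattern.startswith("%"):
        return re.compile(pattern[1:])
    return re.compile(re.escape(pattern))


def client_forwards(logname: str, event_type: str, client_cfg=CLIENT_LOCAL) -> bool:
    """Stage 1 (client side): forward only listed logs, minus ignored types."""
    if logname not in client_cfg:
        return False
    return event_type not in client_cfg[logname]


def classify(logname: str, line: str, rules=RULES) -> Optional[str]:
    """Stage 2 (server side): return the colour the first triggering rule
    assigns, or None if the line leaves the column green.  A rule triggers
    when the log name and the line both match and the IGNORE pattern does not.
    Matching is case-sensitive, as plain regexes are."""
    for log_pat, line_pat, color, ignore_pat in rules:
        if not _regex(log_pat).search(logname):
            continue
        if not _regex(line_pat).search(line):
            continue
        if ignore_pat and _regex(ignore_pat).search(line):
            continue
        return color
    return None


# Constructed sample events: (event log, event type, message text).
SAMPLE_EVENTS = [
    ("Security", "Success", "An account was successfully logged on"),
    ("Security", "Failure", "Logon error: bad password for user alice"),
    ("System", "Information", "Service started"),
    ("System", "Error", "Disk error on volume C:"),
    ("Application", "Error", "Print job error: printer offline"),
    ("Application", "Warning", "Backup completed with warnings"),
]


def evaluate(events, client_cfg=CLIENT_LOCAL, rules=RULES) -> List[Tuple[str, str, str]]:
    """Run events through both stages; return (log, message, colour) alerts."""
    alerts = []
    for logname, etype, msg in events:
        if not client_forwards(logname, etype, client_cfg):
            continue
        color = classify(logname, msg, rules)
        if color:
            alerts.append((logname, msg, color))
    return alerts


if __name__ == "__main__":
    print("separate IGNOREs:", evaluate(SAMPLE_EVENTS))
    print("combined IGNORE: ", evaluate(SAMPLE_EVENTS, rules=COMBINED_RULES))
```

Under this model the three separate LOG lines do not combine: the "bad password" line is skipped by the second rule but still turns yellow through the first, which only ignores "definition". Folding the three IGNORE values into one alternation, as in COMBINED_RULES, suppresses all three while still alerting on the disk error. Whether Hobbit evaluates multiple LOG lines for the same log independently is exactly the point to confirm in the man page; if it does, the single-rule form is the one to use.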