Configuration for monitor Windows syslog

Started by lordarcane, January 25, 2010, 01:20:17 PM


lordarcane

I have read the manual but could not find any really good example on how to configure the agent/server to gather logs from windows syslog and post an alarm if some critical error arrived. For example:

A Windows server logs a critical or warning entry in the application syslog.
NetXMS gathers that log and posts a warning/alarm to the server and/or by mail.

Can anyone give me some help on the way on how to configure that?

Victor Kirhenshtein

Hi!

For example, we want to send email for every critical event in Windows "Application" event log. To achieve that, we should:

1. Create new event in NetXMS (via Control Panel -> Events). Remember ID assigned to new event. For example, let's call our new event EVENTLOG_ERROR and assume that ID 100001 was assigned to it. Set message template to

ERROR: %1

2. Create parser configuration file. To generate event with code 100001 on each error message it will look like the following:

<parser>
  <file>*Application</file>
  <rules>
    <rule>
      <severity>1</severity>
      <match>(.*)</match>
      <event params="1">100001</event>
    </rule>
  </rules>
</parser>

3. Configure LogWatch subagent:

in main section of nxagentd.conf:
SubAgent = logwatch.nsm

in LogWatch section:
*LogWatch
Parser = our_parser_file.xml

4. Restart agent

5. Add appropriate rule to event processing policy (send e-mail for each EVENTLOG_ERROR event)

That's all - now server should send e-mails for every error message written to application event log.

Best regards,
Victor

lordarcane

I will try it out! Thank you for the answer. It is always great when the Developers are active and assisting the community!  :)

danvanags

Good day, Victor.
I set up receiving events as described below. I have a question: I receive the event on the NetXMS server, but in the e-mail body I would like to see the same thing as in the event. In the "event processing policy editor" settings there is a "scripts" table; maybe there is a sample config?

Thanks

Quote from: Victor Kirhenshtein on January 28, 2010, 01:19:18 AM
Hi!

For example, we want to send email for every critical event in Windows "Application" event log. To achieve that, we should:

1. Create new event in NetXMS (via Control Panel -> Events). Remember ID assigned to new event. For example, let's call our new event EVENTLOG_ERROR and assume that ID 100001 was assigned to it. Set message template to

ERROR: %1

2. Create parser configuration file. To generate event with code 100001 on each error message it will look like the following:

<parser>
  <file>*Application</file>
  <rules>
    <rule>
      <severity>1</severity>
      <match>(.*)</match>
      <event params="1">100001</event>
    </rule>
  </rules>
</parser>

3. Configure LogWatch subagent:

in main section of nxagentd.conf:
SubAgent = logwatch.nsm

in LogWatch section:
*LogWatch
Parser = our_parser_file.xml

4. Restart agent

5. Add appropriate rule to event processing policy (send e-mail for each EVENTLOG_ERROR event)

That's all - now server should send e-mails for every error message written to application event log.

Best regards,
Victor


jonathan.ward

Hi,

I am new to all this and I have been tasked with getting event log monitoring to work exactly as described in this thread.
I am running version 1.1.2 of the server and agent. I have configured everything as above, but no log entries are being found by the server (or perhaps the agent).

I don't believe it is doing anything at all.

Is this a 64-bit issue?

Victor Kirhenshtein

Hi!

I don't think it's a 64-bit issue. Could you please post your agent's configuration files? Also, you can try to debug log parser by doing the following:

1. Change agent logging destination to file by setting LogFile = some_file in nxagentd.conf;
2. Add "trace" option to your log parser, like this:

<parser trace="7">

3. Stop agent's service and run agent in debug mode:

nxagentd -c <path_to_nxagentd.conf> -D 9

And watch how the parser processes events.

Best regards,
Victor

jonathan.ward

Hi, thanks for your response.

I have managed to get it working on Win 2003 64-bit overnight, with the same config and agent versions as my 2008 installs.

My current parser file is:
<parser>
  <file>*Application</file>
  <rules>
    <rule>
      <level>3</level>
      <match>(.*)</match>
      <event params="1">100002</event>
    </rule>
  </rules>
</parser>

My agent config is:

#
# NetXMS agent configuration file
# Created by agent installer at Fri Jun 17 17:14:54 2011
#

MasterServers = 192.168.76.199
LogFile = C:\netXMS\nxagentd.log
FileStore = C:\NetXMS\var
SubAgent = ecs.nsm
SubAgent = ping.nsm
SubAgent = logwatch.nsm
SubAgent = portcheck.nsm
SubAgent = winperf.nsm
SubAgent = wmi.nsm
SubAgent = ups.nsm

*LogWatch
Parser = C:\NetXMS\etc\parser_file.xml

I am enabling debugging now and will update with details when I have some! Thanks again
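To make the two parser files in this thread concrete (Victor's with severity=1 and event 100001, jonathan.ward's with level=3 and event 100002), here is a small simulation, added here as an example and not code from the NetXMS project or from anyone in the thread. It reads a parser file, applies the level filter and the regex to constructed sample event log records, and renders the message template with the captured parameters. The bit values for the level filter (1 = error, 2 = warning, 4 = information), the treatment of `<severity>` and `<level>` as the same filter, the event name EVENTLOG_ALERT and its template for code 100002, and the sample records are all assumptions made for this example; the thread itself only gives the 100001 / EVENTLOG_ERROR / "ERROR: %1" values.

```python
import re
import xml.etree.ElementTree as ET

# Assumed bit values for the <level>/<severity> filter (an assumption made for
# this example only; the thread does not define them).
LEVEL_ERROR, LEVEL_WARNING, LEVEL_INFO = 1, 2, 4

# Event definitions as created in the NetXMS console: code -> (name, template).
# 100001 / EVENTLOG_ERROR / "ERROR: %1" come from Victor's post; the name and
# template for 100002 are hypothetical, since jonathan's post gives only the code.
EVENT_DEFINITIONS = {
    100001: ("EVENTLOG_ERROR", "ERROR: %1"),
    100002: ("EVENTLOG_ALERT", "EVENTLOG: %1"),
}

# Parser files as posted in the thread.
VICTOR_PARSER_XML = """<parser>
  <file>*Application</file>
  <rules>
    <rule>
      <severity>1</severity>
      <match>(.*)</match>
      <event params="1">100001</event>
    </rule>
  </rules>
</parser>"""

JONATHAN_PARSER_XML = """<parser>
  <file>*Application</file>
  <rules>
    <rule>
      <level>3</level>
      <match>(.*)</match>
      <event params="1">100002</event>
    </rule>
  </rules>
</parser>"""

# Constructed sample records, not real event log data.
SAMPLE_RECORDS = [
    {"level": LEVEL_ERROR,   "source": "MSExchangeIS",      "message": "Database copy failed"},
    {"level": LEVEL_WARNING, "source": "Application Error", "message": "Disk space low"},
    {"level": LEVEL_INFO,    "source": "MSExchangeIS",      "message": "Service started"},
]


def load_parser(parser_xml):
    """Read a LogWatch-style parser file into a dict of file name and rules."""
    root = ET.fromstring(parser_xml)
    rules = []
    for rule in root.findall("./rules/rule"):
        # The thread shows both <severity> and <level>; this example treats
        # either one as the level bitmask filter.
        level = rule.find("level")
        if level is None:
            level = rule.find("severity")
        mask = int(level.text) if level is not None else 0xFF
        event = rule.find("event")
        rules.append({
            "level_mask": mask,
            "regex": re.compile(rule.findtext("match", default=".*")),
            "event_code": int(event.text),
            "param_count": int(event.get("params", "0")),
        })
    return {"file": root.findtext("file"), "rules": rules}


def format_message(template, params):
    """Substitute %1, %2, ... in a NetXMS-style message template; missing
    parameters become empty strings."""
    def repl(m):
        idx = int(m.group(1))
        return params[idx - 1] if 1 <= idx <= len(params) else ""
    return re.sub(r"%(\d+)", repl, template)


def process_records(parser_xml, records):
    """Apply the parser rules to event log records. Returns a list of
    (event_code, event_name, message) tuples, one per record that matched;
    the first matching rule wins for each record."""
    cfg = load_parser(parser_xml)
    raised = []
    for rec in records:
        for rule in cfg["rules"]:
            if not (rule["level_mask"] & rec["level"]):
                continue  # level filtered out before the regex is tried
            m = rule["regex"].search(rec["message"])
            if m is None:
                continue
            # params="N" passes the first N capture groups as %1..%N
            params = list(m.groups()[:rule["param_count"]])
            name, template = EVENT_DEFINITIONS[rule["event_code"]]
            raised.append((rule["event_code"], name, format_message(template, params)))
            break
    return raised


if __name__ == "__main__":
    for label, xml in (("severity=1", VICTOR_PARSER_XML), ("level=3", JONATHAN_PARSER_XML)):
        print(label)
        for code, name, message in process_records(xml, SAMPLE_RECORDS):
            print("  ", code, name, message)
```

Run as-is, the severity=1 file raises one EVENTLOG_ERROR for the error record only, while the level=3 file raises 100002 for both the error and the warning record; the information record passes through neither. The `params="1"` attribute is what carries the captured text into `%1` of the message template, so a rule without it would produce an event whose message is just "ERROR: " with nothing after it.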

jonathan.ward

Within minutes of tracing I have this message:

Call to EvtFormatMessage failed: The specified resource language ID cannot be found in the image file.

This is Windows 2008 Enterprise SP2 English

Thanks in advance...

jonathan.ward

I have tried this again on a different server and got this error:

Call to EvtFormatMessage failed: The resource loader failed to find MUI file.

Victor Kirhenshtein

Is the agent running under the local system account or under some user account?

jonathan.ward

They are running as Domain Administrator

Victor Kirhenshtein

I found the following issue with Windows 2008 SP2: http://support.microsoft.com/kb/2415605. However, it only applies to domain controllers with locale settings other than English United States. Can it be your case?

jonathan.ward

This is possible. I will try on some non-DC machines; however, it's primarily for Exchange logging that I want to use the feature.

jonathan.ward

I have tried installing the hotfix provided but I'm still getting the same errors :(