Alarming on Windows Events

Started by 2b2bff, July 28, 2021, 04:41:48 PM


2b2bff

Hi,

Another topic that I'm trying to wrap my head around. I'm trying to get alarms on different Windows events. For the moment I just want a warning message.

So, I have configured the Windows Event Log to be pushed to the NetXMS server. That does work.
I have configured the Windows Event Parser like this:

<parser trace="0" name="WindowsEventLog">
   <macros/>
   <rules>
      <rule name="SQL Login failed">
         <match repeatInterval="0" reset="false">(.*)</match>
         <event>WIN_EVENT_RECORD_MATCHED</event>
         <id>18456</id>
         <logName>Application</logName>
         <agentAction action=""></agentAction>
      </rule>
      <rule name="SQL Login failed">
         <match repeatInterval="0" reset="false">(.*)</match>
         <event>WIN_EVENT_RECORD_MATCHED</event>
         <id>18452</id>
         <logName>Application</logName>
         <agentAction action=""></agentAction>
      </rule>
   </rules>
</parser>
A couple of questions already:
- The parser is asking for a name, but it seems like you can only have one. So why does it ask for a name, and what does the name matter?
- For templates you can define Agent Policies, and within those a Log Parser. The UI looks similar. Is this a place where a Windows Event Parser can be defined as well?

OK, then I defined the event WIN_EVENT_RECORD_MATCHED with a severity of Warning and a message of: Windows event ID %3: "%1"
As I understood the documentation, n+2 (= %3) should be the Event ID, but it is just empty.

Furthermore, in the Event Processing Policy I created an alarm with the message "%m" and an alarm key of "WIN_EVT_%i_%3" to group it by Event ID. But as %3 is empty, all events from a single machine are merged.

What am I doing wrong?

Cheers
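
To make the grouping problem described in this post concrete, here is an added Python example; it is not part of the original post and not NetXMS code. It parses the posted Windows Event Parser XML with the standard library, runs a few constructed Windows event records through the rules, and expands the alarm key "WIN_EVT_%i_%3" twice: once with the event ID delivered in %3 (the documented layout the post refers to: capture groups first, event ID at n+2) and once with that parameter arriving empty, as reported. The node id 42, the sample records and the blank filler for the other positional parameter are constructed assumptions.

```python
import re
import xml.etree.ElementTree as ET

# Constructed copy of the parser configuration from the post (same two rules,
# same catch-all regex); not exported from a live NetXMS server.
PARSER_XML = """<parser trace="0" name="WindowsEventLog">
   <macros/>
   <rules>
      <rule name="SQL Login failed">
         <match repeatInterval="0" reset="false">(.*)</match>
         <event>WIN_EVENT_RECORD_MATCHED</event>
         <id>18456</id>
         <logName>Application</logName>
      </rule>
      <rule name="SQL Login failed">
         <match repeatInterval="0" reset="false">(.*)</match>
         <event>WIN_EVENT_RECORD_MATCHED</event>
         <id>18452</id>
         <logName>Application</logName>
      </rule>
   </rules>
</parser>"""

# Constructed sample records (log name, event ID, message); not real captures.
RECORDS = [
    ("Application", 18456, "Login failed for user 'sa'. Reason: Password did not match."),
    ("Application", 18452, "Login failed. The login is from an untrusted domain."),
    ("Application", 1000, "Faulting application name: foo.exe"),  # matches no rule
]


def load_rules(xml_text):
    """Turn the <rule> elements of the posted XML into plain dicts."""
    root = ET.fromstring(xml_text)
    rules = []
    for rule in root.find("rules").findall("rule"):
        rules.append({
            "name": rule.get("name"),
            "regex": re.compile(rule.findtext("match")),
            "event": rule.findtext("event"),
            "id": int(rule.findtext("id")),
            "logName": rule.findtext("logName"),
        })
    return rules


def match_record(rules, log_name, event_id, message, event_id_param=True):
    """Return (event name, positional parameters) for the first matching rule, or None.

    Layout assumed from the post's reading of the docs: %1..%n are the capture
    groups and %n+2 is the Windows event ID. %n+1 is left blank here because
    this example does not model it. event_id_param=False reproduces the broken
    behaviour the post reports, where %n+2 arrives empty.
    """
    for rule in rules:
        if rule["logName"] != log_name or rule["id"] != event_id:
            continue
        m = rule["regex"].search(message)
        if not m:
            continue
        params = list(m.groups())                                # %1..%n
        params.append("")                                        # %n+1 (not modelled)
        params.append(str(event_id) if event_id_param else "")   # %n+2 = event ID
        return rule["event"], params
    return None


def expand(template, node_id, params):
    """Expand %i (node id) and %1..%9 (positional parameters) in an EPP template."""
    def repl(m):
        tok = m.group(1)
        if tok == "i":
            return str(node_id)
        idx = int(tok) - 1
        return params[idx] if idx < len(params) else ""
    return re.sub(r"%(i|[1-9])", repl, template)


def alarm_keys(event_id_param=True, node_id=42):
    """Alarm keys the EPP rule from the post would produce for all sample records."""
    rules = load_rules(PARSER_XML)
    keys = set()
    for log_name, eid, msg in RECORDS:
        hit = match_record(rules, log_name, eid, msg, event_id_param)
        if hit:
            _, params = hit
            keys.add(expand("WIN_EVT_%i_%3", node_id, params))
    return keys


if __name__ == "__main__":
    print("event ID present:", sorted(alarm_keys(True)))   # one key per event ID
    print("event ID empty:  ", sorted(alarm_keys(False)))  # everything collapses to one key
```

With %3 empty, every matching record from the node collapses into the single key WIN_EVT_42_, so the two failed-login event IDs cannot be told apart in the alarm list and a later event silently updates the earlier alarm instead of raising a new one; with the event ID populated, each ID gets its own alarm, which is what the grouping was meant to achieve.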

Filipp Sudanov

Hi!

For historical reasons there are two approaches to monitoring Windows event logs.
1) Log parser policy in a Template. The Windows event log is specified in the "File path" field prepended by *, e.g. "*System". Parsing is done on the agent side. If something matches, the agent sends an event to the server.
This approach allows specifying different templates for different nodes.

2) Windows event log synchronization. https://www.netxms.org/documentation/adminguide/windows-event-log-synchronization.html
This was developed for a customer who needed to actually store Windows event logs centrally. In the agent config some filters are specified to include/exclude logs by some parameters. Then logs are sent to the server and stored (storing can be omitted by rule(s) in the parser).
When logs arrive at the server, they are parsed according to the rules specified in "Windows event parser". These rules are global: it's currently not possible to filter by specific nodes/containers, the rules work equally for all arriving events. If something matches, an event is generated.
The name in the Windows parser: the same code was reused from the policy in the template, and we forgot to hide this field. The name does not affect anything.

Parameters in created events were (or should have been) fixed in some specific NetXMS version. Which version exactly are you using?

2b2bff

#2
Thanks for your reply. Now I understand the different approaches. If you prepend the file path with *, the "Event ID" becomes a field that is writable. I missed that before. It seems like you can do more flexible things with the traditional Log Parser.

I use the current 3.9.156, but 3.8.something before didn't have the parameters set either. Maybe if I use the Log Parser instead of the Windows Event Parser?

Edit: Yes, indeed. It works if I use the Log Parser out of the Policies. But I guess that's better anyway.