Trying to get a logwatch on a custom Eventlog (Server 2003) and no matter what I try I can't seem to get it to work. I'm sure I'm missing something obvious.
MasterServers = 10.32.3.49
LogFile = {syslog}
FileStore = C:\NetXMS\var
SubAgent = ecs.nsm
SubAgent = ping.nsm
SubAgent = portcheck.nsm
SubAgent = winperf.nsm
SubAgent = wmi.nsm
SubAgent = logwatch.nsm
*LOGWATCH
Parser = C:\NetXMS\tvdevicefail.xml
............................
<parser>
<file>C:\WINDOWS\System32\config\TVEvent.evt</file>
<rules>
<rule>
<match>*</match>
<id>137</id>
<level>2</level>
<source>Televantage</source>
<event>100065</event>
</rule>
<rule>
<match>*</match>
<id>106</id>
<level>4</level>
<source>Televantage</source>
event>100066</event>
</rule>
</rules>
</parser>
I can generate automatically the 2nd event, but no matter what I try, I don't seem to receive it in NetXMS. Am I missing something very obvious, does it have to set up a DCI? If so, what on earth would the parameters be?
Thanks once agian guys and keep up the good work.
Hi!
If you give file name in <file> tag, logwatch subagent will threat it as regular text file, which I suppose is not the case. If you need to openWindows event log, you must prepend it's name with asterisk, like <file>*System</file>. And you have missing opening angle bracket in second rule, maybe just a copy/paste error.
Best regards,
Victor
Also, I suppose that you have to use custom event log name, not a full path to actual .evt file. If I understand correctly, all available logs are listed in registry under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog. But I never works with custom Windows event logs, so I may be wrong.
Best regards,
Victor