Windows Event Log parser

Started by farcsa, October 28, 2014, 06:38:30 PM


farcsa

Hi!
I have 3 questions.
I have a parser file hereunder:
<parser>
  <file>*Application</file>
  <rules>
    <rule>
      <match>(.*)</match>
      <id>5</id>
    </rule>
    <rule>
      <match>(.*)</match>
      <id>1006</id>
    </rule>
    <rule>
      <match>(.*)</match>
      <id>1008</id>
    </rule>
    <rule>
      <match>(.*)</match>
      <id>1023</id>
    </rule>
    <rule>
      <match>(.*)</match>
      <id>1057</id>
    </rule>
    <rule>
      <match>(.*)</match>
      <id>12014</id>
    </rule>
    <rule>
      <match>(.*)</match>
      <level>1</level>
      <event params="1">100003</event>
    </rule>
  </rules>
</parser>

1:
Is there a simpler method to exclude events with predefined event id? (e.g.: 5,1006,1008,...)

2:
I manage Windows 7, Windows Server 2008 and Windows Server 2012, and I see that the severity levels are the following:
Critical =1
Error=2
Warning =3
Information=4

The above example captures only Windows error level events. How to set the <level> parameter to capture Windows critical events? (And, of course, how to combine the values?)

3:
With the above parser, the agent always misses the event with event id 1. What could be the reason?

Victor Kirhenshtein

Quote from: farcsa on October 28, 2014, 06:38:30 PM
1:
Is there a simpler method to exclude events with predefined event id? (e.g.: 5,1006,1008,...)

Not really - you can specify an ID range in one rule, like <id>1001-1099</id>, but that will not help if you have non-adjacent IDs to ignore.

Quote from: farcsa on October 28, 2014, 06:38:30 PM
2:
I manage Windows 7, Windows Server 2008 and Windows Server 2012, and I see that the severity levels are the following:
Critical =1
Error=2
Warning =3
Information=4

The above example captures only Windows error level events. How to set the <level> parameter to capture Windows critical events? (And, of course, how to combine the values?)

Combining codes is described here: https://www.netxms.org/documentation/adminguide/log-monitoring.html#level-tag

Quote from: farcsa on October 28, 2014, 06:38:30 PM
3:
With the above parser, the agent always misses the event with event id 1. What could be the reason?

In the parser I don't see a specific rule for ID 1, so it can only be caught by the last rule, by severity. Are you sure that the severity for this event is "Error"?

Best regards,
Victor

farcsa

In the documentation there are these "levels":
1    Error
2    Warning
4    Information
8    Audit Success
16    Audit Failure
These levels are in Windows XP.

But there isn't Critical, like in Windows 7 and above versions. As I wrote, in Windows 7 (and above) the levels are:
1 Critical
2 Error
3 Warning
4 Information

So, how to combine the NetXMS levels for capturing Windows Critical level events?

To help clarify my problem, I insert the link of TechNet documentation about Windows Event Properties:
http://technet.microsoft.com/en-us/library/cc765981.aspx

Thanks for your answers!

farcsa

Excuse me, but my above problem is outstanding. Could anybody help me to resolve this?

Victor Kirhenshtein

Hi,

Unfortunately your problem cannot be solved by configuration. We will need to make changes in the log monitoring subagent, so you'll have to wait for a release with a fix.

Best regards,
Victor

Dani@M3T

For which version of NetXMS is this scheduled now? (capturing Windows Critical level events) Or should I register a feature request?

Victor Kirhenshtein

Hi,

It would be nice if you registered it as a feature request - then it will not be forgotten again :) I will schedule it for the next release.

Best regards,
Victor

Victor Kirhenshtein

Hi,

I've added additional level mask 256 to match critical events.

Best regards,
Victor
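To make the rule semantics discussed in this thread concrete (per-ID ignore rules, an ID range as in Victor's first reply, and the <level> bitmask where 1 = Error, 2 = Warning, 4 = Information and the newly added 256 = Critical), here is an added Python illustration. It is not NetXMS code: it assumes a simplified first-matching-rule-wins evaluation and an assumed mapping from the Windows level numbers listed above to those mask bits, and the parser XML it reads is a constructed sample.

```python
import re
import xml.etree.ElementTree as ET

# Assumed mapping for this illustration: Windows level numbers from the thread
# (1 Critical, 2 Error, 3 Warning, 4 Information) to the NetXMS <level> mask
# bits quoted in the thread (1 Error, 2 Warning, 4 Information, 256 Critical).
WIN_LEVEL_TO_MASK = {1: 256, 2: 1, 3: 2, 4: 4}

# Constructed sample config: ignore ID 5 and IDs 1001-1099, then fire an
# event for anything that is Critical OR Error (256 | 1 = 257).
PARSER_XML = """<parser>
  <file>*Application</file>
  <rules>
    <rule><match>(.*)</match><id>5</id></rule>
    <rule><match>(.*)</match><id>1001-1099</id></rule>
    <rule><match>(.*)</match><level>257</level><event params="1">100003</event></rule>
  </rules>
</parser>"""

def parse_id_spec(spec):
    """Turn '5' or '1001-1099' into an inclusive (low, high) tuple."""
    lo, _, hi = spec.strip().partition("-")
    return (int(lo), int(hi or lo))

def load_rules(xml_text):
    """Read <rule> elements; a rule without <event> only swallows the log line."""
    rules = []
    for r in ET.fromstring(xml_text).find("rules"):
        rules.append({
            "match": re.compile(r.findtext("match", "(.*)")),
            "id": parse_id_spec(r.findtext("id")) if r.find("id") is not None else None,
            "level": int(r.findtext("level")) if r.find("level") is not None else None,
            "event": r.findtext("event"),
        })
    return rules

def evaluate(rules, event_id, win_level, message):
    """First rule whose ID spec, level mask and regex all match decides.
    Returns that rule's <event> code, or None if ignored or unmatched."""
    mask_bit = WIN_LEVEL_TO_MASK[win_level]
    for rule in rules:
        if rule["id"] and not (rule["id"][0] <= event_id <= rule["id"][1]):
            continue
        if rule["level"] is not None and not (rule["level"] & mask_bit):
            continue
        if not rule["match"].search(message):
            continue
        return rule["event"]
    return None

RULES = load_rules(PARSER_XML)
```

Swapping the sample's <level>257</level> for the thread's original <level>1</level> makes a Windows Critical event fall through every rule, which is exactly the gap the 256 mask closes.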