Windows Event Log Monitoring Configuration

Started by tfines, April 16, 2020, 03:32:36 AM


tfines

Windows Event Log config on client seems OK, but how to configure it on the server?

On a NetXMS Agent I have:
In nxagentd.conf:
SubAgent = logwatch.nsm

In nxagentd.conf.d\custom.conf I have:
[LOGWATCH]
Parser = C:\NetXMS\etc\parser1.xml


In c:\netxms\etc\parser1.xml I have:
<parser>
   <name>parser1</name>
   <!-- *SYSTEM means Windows System Event Log -->
   <file>*SYSTEM</file>
   <!-- more <file> tags can follow -->
   <rules>
      <rule>
         <match>(.*)</match>
         <id>7</id>
         <level>3</level>
         <!-- use this for testing, then comment out and uncomment 'disk' below for production -->
         <source>blueberries</source>
         <!--
         <source>disk</source>
         -->
         <event>SYS_NODE_CRITICAL</event>
      </rule>
   <!-- more <rule> tags can follow -->
   </rules>
</parser>


Then I generate an event from the command prompt with:
eventcreate /t error /id 7 /l System /d "Test-Ignore" /SO "blueberries"

When I do this, in the nxagentd log I get:
2020.04.16 11:03:13.673 *D* [                   ] PostEvent(): event_code=0, event_name=SYS_NODE_CRITICAL, timestamp=1586995393, num_args=7, arg[0]="Test-Ignore", arg[1]="blueberries", arg[2]="7", arg[3]="1", arg[4]="266817", arg[5]="1", arg[6]="Test-Ignore"


And on the NetXMS server, I get no indication in the GUI that anything happened.  In the server log, I do see:
2020.04.17 15:29:47.966 *D* [agent.conn.4       ] Received message CMD_TRAP (0) from agent at 192.168.16.111
2020.04.17 15:29:47.966 *D* [agent.conn.4       ] AgentConnectionEx::onTrap(): Received trap message from agent at 192.168.16.111, node ID 187
2020.04.17 15:29:47.966 *D* [agent.conn.4       ] AgentConnectionEx::onTrap(): trapID is valid
2020.04.17 15:29:47.966 *D* [agent.conn.4       ] Event from trap: 10
2020.04.17 15:29:47.966 *D* [event.corr         ] CorrelateEvent: event SYS_NODE_CRITICAL id 56588 source gordon.odcvu.local [187]
2020.04.17 15:29:47.966 *D* [event.corr         ] CorrelateEvent: finished, rootId=0
2020.04.17 15:29:47.966 *D* [event.proc         ] EVENT SYS_NODE_CRITICAL [10] (ID:56588 F:0x0001 S:4 TAGS:"NodeStatus") FROM gordon.odcvu.local: Node status changed to CRITICAL


I think I have the client configured correctly.  And the server is receiving the CMD_TRAP.  What do I need to do on the server to have it register these and show alarms, and have the node actually get changed to 'CRITICAL'?

Thanks in advance!


Marco Incalcaterra

You are probably missing the server configuration part:

Go to "Configuration > Event Processing Policy" and add the behaviour you would like to have. To send an e-mail, for example, you also have to add a specific action from "Configuration > Actions Configuration".

I also suggest going to "Configuration > Event Configuration" and adding your custom event to be posted by the log monitoring agent (adjust the EPP accordingly to respond to this event).

Hope it helps.

Regards,
Marco
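An added illustration (not code from the thread and not NetXMS's own code) of how the two halves discussed above fit together: a small Python model that loads a logwatch parser file like parser1.xml, applies its rules to constructed Windows event records (the first record mirrors the eventcreate command in the question), and then performs the server-side check Marco describes, namely whether the posted event name is one the server has in Event Configuration. The bitmask reading of `<level>`, the case-insensitive `<source>` comparison, the second `disk` rule and the `CUSTOM_DISK_ERROR` event name are assumptions made for the illustration, not documented NetXMS behaviour.

```python
"""Simplified model of agent-side logwatch rule matching followed by the
server-side Event Configuration lookup. Added example; not NetXMS code."""
import re
import xml.etree.ElementTree as ET

# Parser file based on the one in the post, embedded so the example runs
# offline. The second rule (source "disk", event CUSTOM_DISK_ERROR) is a
# hypothetical addition used to show what happens when the agent posts an
# event name the server does not know about.
PARSER_XML = """<parser>
   <name>parser1</name>
   <file>*SYSTEM</file>
   <rules>
      <rule>
         <match>(.*)</match>
         <id>7</id>
         <level>3</level>
         <source>blueberries</source>
         <event>SYS_NODE_CRITICAL</event>
      </rule>
      <rule>
         <match>bad block</match>
         <source>disk</source>
         <event>CUSTOM_DISK_ERROR</event>
      </rule>
   </rules>
</parser>"""

# Assumption: <level> is treated as a bit mask over Windows event types
# (1 = error, 2 = warning, 4 = information), so level 3 matches error and
# warning records but not informational ones.
LEVEL_BITS = {"error": 1, "warning": 2, "information": 4}


def load_rules(xml_text):
    """Parse the <rule> elements into plain dicts; absent filters become None."""
    root = ET.fromstring(xml_text)
    rules = []
    for r in root.iter("rule"):
        rules.append({
            "match": re.compile(r.findtext("match") or ".*"),
            "id": int(r.findtext("id")) if r.findtext("id") else None,
            "level": int(r.findtext("level")) if r.findtext("level") else None,
            "source": r.findtext("source"),
            "event": r.findtext("event"),
        })
    return rules


def match_record(rules, record):
    """Return (event name, regex capture groups) for the first rule whose
    id, level and source filters all pass and whose regex hits the message;
    None when no rule matches."""
    for rule in rules:
        if rule["id"] is not None and record["id"] != rule["id"]:
            continue
        if rule["level"] is not None and not (LEVEL_BITS[record["type"]] & rule["level"]):
            continue
        # Assumption: source names are compared case-insensitively.
        if rule["source"] is not None and record["source"].lower() != rule["source"].lower():
            continue
        m = rule["match"].search(record["message"])
        if not m:
            continue
        return rule["event"], list(m.groups())
    return None


# Constructed event records. The first reproduces the eventcreate command
# from the post; the others exercise the source and level filters.
RECORDS = [
    {"source": "blueberries", "id": 7, "type": "error", "message": "Test-Ignore"},
    {"source": "disk", "id": 7, "type": "error", "message": "The device has a bad block."},
    {"source": "blueberries", "id": 7, "type": "information", "message": "Test-Ignore"},
]

# Event names known to the server: built-in SYS_* events plus whatever has
# been added under Configuration > Event Configuration. Constructed set that
# deliberately lacks the custom event.
SERVER_EVENTS = {"SYS_NODE_CRITICAL"}


def process(rules, records, known_events):
    """Simulate the agent matching each record and the server then checking
    whether the posted event name exists in its Event Configuration."""
    results = []
    for rec in records:
        hit = match_record(rules, rec)
        if hit is None:
            results.append((rec["source"], "no rule matched"))
        elif hit[0] not in known_events:
            results.append((rec["source"], f"{hit[0]} posted but unknown on server"))
        else:
            results.append((rec["source"], f"{hit[0]} processed"))
    return results


if __name__ == "__main__":
    for src, outcome in process(load_rules(PARSER_XML), RECORDS, SERVER_EVENTS):
        print(f"{src:12s} -> {outcome}")
```

The third outcome is the one the thread is about: a rule can fire on the agent and the trap can arrive at the server, yet nothing useful happens unless the event name is defined on the server and an Event Processing Policy rule acts on it.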

tfines

Thank you, that was it.

The client and server were working correctly. I *thought* I'd configured an Event Configuration item, but I hadn't.  Thank you.