Kaseya Community

Monitoring reboots in event log, yet info events cause overflow

  • We want to monitor events in the system log, such as when a system reboots. These are purely informational alerts, and if we try to capture info events, lots of times, we go over the limit of logging and it gets shut down.

    I saw where there were scripts to re-enable logging. Is this the only way? Would be great if we could somehow capture ONLY the info events we wanted.

    Legacy Forum Name: Monitoring reboots in event log, yet info events cause overflow,
    Legacy Posted By Username: DiPersiaTech
  • You have to create an event set to just look for certain events and not everything.

    You add this in with your other event sets.

    It's kind of hard to explain.

    Hope this helps.

    Legacy Forum Name: General Discussion,
    Legacy Posted By Username: jasonb
  • jasonb
    You have to create an event set to just look for certain events and not everything.

    You add this in with your other event sets.

    It's kind of hard to explain.

    Hope this helps.


    That's not how event sets work.

    Event sets just "trigger" when there's an event that matches the set. In order to have an event set trigger any action based on Informational events, the agent has to be configured to log all informational events, hence your event logs will quickly fill, and you risk running into overflow issues.

    If there is a script available to re-enable the logging after an overflow, I would very much like to see that myself.

    Legacy Forum Name: General Discussion,
    Legacy Posted By Username: Lmhansen
  • Lmhansen hit the nail on the head. I can set up an event set to watch for what I want, but that also means turning on and ensuring the info events are logging, which usually results in an overflow.

    I've seen people talk about scripts elsewhere to restart the logging if it overflows. I'll see if I can find them again.

    Legacy Forum Name: General Discussion,
    Legacy Posted By Username: DiPersiaTech
  • Lmhansen
    That's not how event sets work.

    Event sets just "trigger" when there's an event that matches the set. In order to have an event set trigger any action based on Informational events, the agent has to be configured to log all informational events, hence your event logs will quickly fill, and you risk running into overflow issues.

    If there is a script available to re-enable the logging after an overflow, I would very much like to see that myself.


    Sorry to burst your bubble, but this is how I have been running for well over a year and I do not have any problems.

    The parts that are highlighted are the ones where I'm putting in just what I want to look for.

    I have every server I monitor set up like this and I'm not flooded with unwanted information events.

    Picture worth 1000 words:



    Legacy Forum Name: General Discussion,
    Legacy Posted By Username: jasonb
  • Jason - what we're saying is, you need to make sure that informational logging is turned on on the agent. Too often, info events flood the log and it gets turned off - you'll see a red letter (In your picture) when this happens. I was just hoping for a way around this issue where we can just "watch" info events, but not log them and still setup event sets.

    Legacy Forum Name: General Discussion,
    Legacy Posted By Username: DiPersiaTech
  • Hiya,

    You could create a (VB / C) script that runs on the server; if it finds the info event ID you are looking for, get it to create a made-up Error log entry. Then set your event sets to look for that Error log entry. That way you don't need to monitor info events from Kaseya at all. VBSEdit has some great samples for doing this type of thing. You could create a script and then just schedule it using Windows Task Scheduler to run every hour. You could write a script with Kaseya to set that all up for you.

    Michael

    Legacy Forum Name: General Discussion,
    Legacy Posted By Username: mmartin
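A worked version of the approach Michael describes above, written in PowerShell rather than VBScript. This is an added example, not code from the original thread or from Kaseya, and it assumes: PowerShell 3.0 or later with the ScheduledTasks module (Windows 8 / Server 2012 and newer), an elevated (or SYSTEM) context so the event source and task can be registered, and that Kaseya is already collecting Error events from the Application log. The System-log IDs it watches (6005, 6006, 6009, 1074) are the standard Windows boot/shutdown indicators; the source name "RebootWatch", the forwarded event ID 9001, the state-file path and the hourly interval are illustrative choices.

```powershell
# RebootWatch.ps1 -- added example, not code from the original thread or from Kaseya.
# Polls the System log for the Informational events that mark a reboot cycle and
# re-emits each one as an Error event under our own source in the Application log,
# so a Kaseya event set can alert on it without the agent collecting Informational events.
# Assumed: PowerShell 3.0+, ScheduledTasks module (Win8/2012+), run elevated or as SYSTEM.
param(
    [switch]$Install,                                    # register the hourly task and exit
    [string]$Source   = 'RebootWatch',                   # our Application-log event source (illustrative)
    [string]$StateDir = "$env:ProgramData\RebootWatch"   # where the last-seen marker lives (illustrative)
)

# Standard Windows System-log Informational events that indicate a reboot cycle:
#   6005 EventLog service started (boot)    6006 EventLog service stopped (clean shutdown)
#   6009 OS version recorded at boot        1074 User32: a process requested a shutdown/restart
$WatchIds   = 6005, 6006, 6009, 1074
$ForwardId  = 9001                                       # ID the event set will look for (illustrative)
$StateFile  = Join-Path $StateDir 'last-seen.txt'
$ScriptPath = $MyInvocation.MyCommand.Path

if ($Install) {
    # Hourly task running as SYSTEM so it can read the System log and write the Application log.
    $action    = New-ScheduledTaskAction -Execute 'powershell.exe' `
                     -Argument "-NoProfile -ExecutionPolicy Bypass -File `"$ScriptPath`""
    $trigger   = New-ScheduledTaskTrigger -Once -At (Get-Date) `
                     -RepetitionInterval (New-TimeSpan -Hours 1) `
                     -RepetitionDuration (New-TimeSpan -Days 3650)
    $principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' -LogonType ServiceAccount -RunLevel Highest
    Register-ScheduledTask -TaskName 'RebootWatch' -Action $action -Trigger $trigger `
                           -Principal $principal -Force | Out-Null
    return
}

# One-time: register our event source so Write-EventLog accepts it (requires admin).
if (-not [System.Diagnostics.EventLog]::SourceExists($Source)) {
    New-EventLog -LogName Application -Source $Source
}
if (-not (Test-Path $StateDir)) {
    New-Item -ItemType Directory -Path $StateDir -Force | Out-Null
}

# Only forward events newer than the last one we reported, so a single reboot is raised
# once even though the task re-runs every hour. The first run looks back 24 hours.
$since = (Get-Date).AddDays(-1)
if (Test-Path $StateFile) {
    $since = [datetime]::Parse((Get-Content -Path $StateFile -Raw).Trim(), $null,
                               [System.Globalization.DateTimeStyles]::RoundtripKind)
}

# -ErrorAction SilentlyContinue: Get-WinEvent reports "no events found" as an error.
$found = @(Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = $WatchIds; StartTime = $since } `
                        -ErrorAction SilentlyContinue |
           Where-Object { $_.TimeCreated -gt $since } |
           Sort-Object TimeCreated)

foreach ($e in $found) {
    # Re-emit as an Error. Keep the original ID, provider, time and text in the message
    # so the Kaseya alert still tells the operator what actually happened.
    $msg = "Reboot indicator: System event {0} from {1} at {2}`n{3}" -f `
           $e.Id, $e.ProviderName, $e.TimeCreated.ToString('o'), $e.Message
    Write-EventLog -LogName Application -Source $Source -EntryType Error `
                   -EventId $ForwardId -Message $msg
}

# Persist the newest forwarded timestamp (round-trip format) for the next run.
if ($found.Count -gt 0) {
    $found[-1].TimeCreated.ToString('o') | Set-Content -Path $StateFile
}
```

Run it once with `-Install` from an elevated prompt to create the task and the event source; the Kaseya event set then only needs to match Application log, source RebootWatch, event ID 9001 at the Error level, which the agent already collects when Error logging is on. The trade-off is latency: a reboot is not seen by Kaseya until the next scheduled run, so shorten the interval if an hour is too long. The state file is what prevents the same 6005/6009 pair from being re-reported every hour; without it the forwarded Error would fire on every run.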
  • DiPersiaTech
    Jason - what we're saying is, you need to make sure that informational logging is turned on on the agent. Too often, info events flood the log and it gets turned off - you'll see a red letter (In your picture) when this happens. I was just hoping for a way around this issue where we can just "watch" info events, but not log them and still setup event sets.


    I agree with DiPersiaTech and the original poster. Regardless of what you Ignore or Include, you CANNOT alert on an E/W/I event UNLESS you configure Agent > Event Log Settings to capture those events from the monitored machine, in which case ALL E/W/I events are uploaded to the Kserver DB. To confirm this, simply go to Agent > Agent Logs > [machine.ID] > Select Log=Event Logs > Logname =System|application. You will see that ALL E/W/I events you have chosen in Agent > Event Log Settings are uploaded to the Kaseya DB. So, overload is an issue.

    Michael poses a great idea. The only "better" idea would be to have the Kaseya agent NOT upload "undesired" events, but that's up to Kaseya developers.

    I am very interested in Evt Log monitoring and find it difficult to create include sets when there are so many possibilities for events to monitor. I am posting to this thread to trigger anyone who might be subscribed, but this is an important issue and Michael has a good idea.

    Has anyone else made progress in this area or tried Michael's approach?

    Legacy Forum Name: General Discussion,
    Legacy Posted By Username: mfrederick@symquest.com
  • Since some of the restrictions have been lifted on what causes the monitoring to stop on event logging, some of this problem has gone away.

    On error and warning events on servers, to start, we monitored everything, and then have one big exclusion list we add to for events we don't care about.

    Legacy Forum Name: General Discussion,
    Legacy Posted By Username: DiPersiaTech
  • Even with the recent improvements, Kaseya should build in the basic capability to allow us to control what events are logged into Kaseya, not merely what event "types" (i.e. failure, warning, information).

    I think almost all of us could use a few alerts based on information events. Yet most of us cannot enable that logging without really swamping our Kservers. Even if Kaseya has fixed some of the issues from the past that caused logging to simply stop based on overflow, it doesn't address the basic issue that we don't necessarily want to clog our Kserver with tons of information events. Some of our customers' servers receive thousands of information events every day because they want to track many events. But we only want to see a small subset of those events.

    When Kaseya added the log parser capabilities, did they add anything that would allow this function to happen for standard windows event logs?

    Legacy Forum Name: General Discussion,
    Legacy Posted By Username: kentschu
  • DiPersiaTech
    We want to monitor events in the system log, such as when a system reboots. These are purely informational alerts, and if we try to capture info events, lots of times, we go over the limit of logging and it gets shut down.


    I don't collect informational events, but I have experienced this collecting error events on some of our older servers.

    Do you have Kaseya SP1? SP1 was supposed to address this issue. Since I have upgraded my K server and the agents, I have no longer had this problem.

    Legacy Forum Name: General Discussion,
    Legacy Posted By Username: pbrophy
  • I guess I missed a couple of parts here ...

    My "bubble" hasn't been burst. In order to have event sets trigger on Informational events, you need to select "Informational Events" under Agent -> Machine Status -> Event Log Settings to capture informational events for whichever type you need (Application, System, whatever). This causes the Kaseya agent to send ALL the selected events to the server. The Event Sets are just "filters" that cause something to trigger when the condition is true.

    Click on the icon to the left of any computer which is collecting informational events of any type, go to "Agent Logs", pick "Event Logs" and you can see that it is logging a lot more than what is defined in the event set ... Even things that are explicitly ignored in the event sets are logged...

    Legacy Forum Name: General Discussion,
    Legacy Posted By Username: Lmhansen