Kaseya Community

Choosing event log type for predefined sets

  • I'm working on setting up event log monitoring with some predefined sets, and there's an aspect that doesn't seem clear at all. I've looked, and don't see a mention of it anywhere.

    When you apply an event log set -- predefined or self-created -- you have a choice as to what log type to assign it as. There doesn't seem to be any connection between log type and event set; all sets are available regardless of which log type you choose, and choosing a set doesn't seem to have any effect on the log type setting.

    So far as I can see, the choice of log type only seems to affect which log the data is collected from. I'm not sure if it affects which log the set scans. The sets don't seem to be specific to log type, either: the source filter _may_ specify the log type, but in some cases (see ZC-SQL-E1 SQL Server Evevnts -- yes, that's how it's spelled) you're left guessing which log type it applies to -- if it matters, I'm not sure.

    Could someone clear this up for me? How should you choose the log type when applying an event set?

    /kenw

    Legacy Forum Name: Choosing event log type for predefined sets,
    Legacy Posted By Username: Ken Wallewein
  • Ken,

    Let me try to explain a little more...

    On the Agent tab, Event Log settings screen, you specify which Event logs you want to capture for your machine(s).

    As you pointed out, when you create Event Sets, you specify things like Source, Category, Event ID, Description, etc. But you do NOT specify which event log type (Application, System, Security, etc.).

    When you actually apply the Event Set to a machine, you specify which event log type (Application, System, Security, etc.) you want to monitor, along with the status of the event (Error, Warning, Information, etc.) along with the frequency information (Alert when this event occurs once, Alert when this event occurs X times in Y minutes/hours, etc.), along with the desired action (Create Alarm, Create Ticket, Run Script, Email Recipients).

    Add it all together, and this represents your event log monitoring.

    It is up to us to make sure that we don't create Event Sets containing events that are always logged to the Application Log, and accidentally assign it to a machine to monitor the System Log - which would result in no event actions being triggered.

    Hope this helps some!

    Lloyd

    Legacy Forum Name: How-To,
    Legacy Posted By Username: lwolf
  • Thanks for your help, Lloyd.

    I think I understand this, or at least most of it. The principle is pretty clear. The implementation is less so. Here's where I have a problem:

    - the event sets themselves are not always clearly identified as to which event log type they are intended for.
    - log monitoring -- or, at least, event log data collection -- is actually set on the Agent screen
    - when I apply an event set to a machine, I can choose an event log type at the top of the Monitor -> Alerts screen in the "Select Alert Function" screen, and it shows up in the Alert list in the Log Type column. But there's no clear indication anywhere I can find as to the purpose or impact of that setting.

    a) Are you saying that the Monitor -> Alerts screen applies a given Event Set only to the event log chosen in the Select Alert Function line and shown in the Log Type column? Are you sure about that? Where is it documented?

    b) How do we determine which event log type a given predefined event set is designed for (consider the example I gave previously)? And what's to keep a given set from monitoring multiple log types?

    How am I doing so far on the process and impact? Any idea on those other mysteries?

    /kenw

    Legacy Forum Name: How-To,
    Legacy Posted By Username: Ken Wallewein
  • Ken Wallewein
    a) Are you saying that the Monitor -> Alerts screen applies a given Event Set only to the event log chosen in the Select Alert Function line and shown in the Log Type column? Are you sure about that? Where is it documented?

    Yes, that is my understanding and experience.


    b) How do we determine which event log type a given predefined event set is designed for (consider the example I gave previously)? And what's to keep a given set from monitoring multiple log types?

    Other than general computing hands-on experience, there is no magical way to determine which event log type a given predefined event set is designed for.

    Lloyd

    Legacy Forum Name: How-To,
    Legacy Posted By Username: lwolf
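
An added example, not part of the thread and not Kaseya's code: on a Windows machine, PowerShell can report which event log a source named in an event set is registered to write to, which is the log type to choose when applying that set. The function name `Get-EventSourceLog` and the sample source names are assumptions for illustration.

```powershell
# Report which Windows event log(s) each event source is registered against.
# Pass in the names found in an event set's Source column.
function Get-EventSourceLog {
    param(
        [Parameter(Mandatory)]
        [string[]]$Source
    )

    $root = 'HKLM:\SYSTEM\CurrentControlSet\Services\EventLog'

    foreach ($name in $Source) {
        # Classic sources are registered as a subkey under the log they write to.
        # Some logs (e.g. Security) may be unreadable without elevation; skip quietly.
        $classic = @(Get-ChildItem -Path $root -ErrorAction SilentlyContinue |
            Where-Object {
                Test-Path -LiteralPath (Join-Path $_.PSPath $name) -ErrorAction SilentlyContinue
            } |
            ForEach-Object { $_.PSChildName })

        # Providers known to the event log service list their target logs in LogLinks.
        $provider = Get-WinEvent -ListProvider $name -ErrorAction SilentlyContinue
        $linked = if ($provider) { @($provider.LogLinks.LogName) } else { @() }

        $logs = @($classic + $linked | Where-Object { $_ } | Sort-Object -Unique)

        [pscustomobject]@{
            Source = $name
            Logs   = if ($logs) { $logs -join ', ' } else { '(not registered on this machine)' }
        }
    }
}

# Constructed sample input: source names as they might appear in an event set.
Get-EventSourceLog -Source 'MSSQLSERVER', 'Service Control Manager', 'disk'
```

A source that reports "(not registered on this machine)" cannot be matched there under any log type, so run the check on a machine that has the monitored application installed.
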
  • Ooookay, so we have two separate instances where important information is not documented.

    a) the function of selecting an event log type when applying an event set.
    b) the intended event log type for each predefined event set -- all of them should be documented.

    Better yet, since a given event set can only be applied to one event log type at a time (unless you deliberately apply the same set multiple times), it should be possible to predefine the log type it is intended for, and have that log chosen automatically when it is applied.

    Lloyd, thanks very much for clearing that up.

    /kenw

    Legacy Forum Name: How-To,
    Legacy Posted By Username: Ken Wallewein
  • They may be in the documentation somewhere. I didn't search. I was just giving answers off the top of my head, based on experience.

    Legacy Forum Name: How-To,
    Legacy Posted By Username: lwolf
  • I _did_ search. Guess I shoulda looked in the top of your head, eh? ;->

    Again, thanks for your help!

    /kenw

    Legacy Forum Name: How-To,
    Legacy Posted By Username: Ken Wallewein
  • Capture1.JPG
    I don't seem to be getting alerts I should.

    I just checked a system on which I have configured event monitoring for errors, warnings and critical events for both system and application event logs and filtering set to "All Events". I appear to be getting zero alerts for it over the last week or two, even though, if I check the system directly, there are a number of events of each type being logged.

    I've checked my settings carefully, I don't see anything wrong. See screen shots attached.

    And I don't see any way to check Kaseya event log history or collection logs, either. Is there any way to do that?

    So far as I can see, it should work, it doesn't, everything looks set correctly, and I have no useful diagnostic data. Help!

    /kenw

    Legacy Forum Name: How-To,
    Legacy Posted By Username: Ken Wallewein
  • Capture 2.JPG
    Attachment refers to previous post.

    Legacy Forum Name: Is it broken?,
    Legacy Posted By Username: Ken Wallewein
  • Ken Wallewein
    I don't seem to be getting alerts I should.

    I just checked a system on which I have configured event monitoring for errors, warnings and critical events for both system and application event logs and filtering set to "All Events". I appear to be getting zero alerts for it over the last week or two, even though, if I check the system directly, there are a number of events of each type being logged.

    I've checked my settings carefully, I don't see anything wrong. See screen shots attached.

    And I don't see any way to check Kaseya event log history or collection logs, either. Is there any way to do that?

    So far as I can see, it should work, it doesn't, everything looks set correctly, and I have no useful diagnostic data. Help!

    /kenw


    I believe the 'All Events' means all the events you have in your event set list so we would need to see what event sets you have. If you truly wanted all events, then I believe you would need to create a new event set. Just create a new event set and then put * in all the boxes.

    Legacy Forum Name: How-To,
    Legacy Posted By Username: GDRBrian
  • GDRBrian
    I believe the 'All Events' means all the events you have in your event set list so we would need to see what event sets you have. If you truly wanted all events, then I believe you would need to create a new event set. Just create a new event set and then put * in all the boxes.


    This doesn't make sense to me.

    For starters, "All Events" IS an event set (albeit a short one) -- it can't refer to another one.

    Secondly, it doesn't appear possible to create a wildcard filter for Event ID -- it needs a specific number and won't accept "*" or blank.

    Third, there is this text in the on-line help:
    2. Check the Error checkbox and select from the event set list. Click the Apply button to assign this setting to all selected machine IDs. This tells the system to generate an alert for every error event type. Note the assigned log type.

    which seems to pretty clearly state that "All Events" filters nothing.

    FWIW, on this particular system, I have three event sets applied: Application and System using All Events, and Security with custom set. None use any exclusions at all.

    /kenw

    Legacy Forum Name: How-To,
    Legacy Posted By Username: Ken Wallewein
  • dellopenevent.jpg
    Ken Wallewein
    This doesn't make sense to me.

    For starters, "All Events" IS an event set (albeit a short one) -- it can't refer to another one.

    Secondly, it doesn't appear possible to create a wildcard filter for Event ID -- it needs a specific number and won't accept "*" or blank.

    Third, there is this text in the on-line help:

    which seems to pretty clearly state that "All Events" filters nothing.

    FWIW, on this particular system, I have three event sets applied: Application and System using All Events, and Security with custom set. None use any exclusions at all.

    /kenw


    I could be very wrong about the "" list. It might actually mean, all events. But my assumption would be 'All Events' that you have in that dropdown menu there. So if you do not have an event set set up for what you are looking for, then you won't get alerted for that event.

    Here would be an example of an event set that would give me all events with the source as 'System Administrator' (see attached).

    So if I chose '' then I would get alerts for this event set as well as any other event sets I have created (all the event sets listed in the dropdown menu below the text 'Define events to match or ignore').

    And you are correct, you cannot create an event log with * in all the fields. At least I wasn't able to.

    Legacy Forum Name: How-To,
    Legacy Posted By Username: GDRBrian
  • GDRBrian
    And you are correct, you cannot create an event log with * in all the fields. At least I wasn't able to.


    But -- your example attachment shows what is apparently the exact equivalent: "All IDs" in the Event ID column, the only column that won't accept a "*" for a wildcard. How the heck did you DO that?

    I have not been able to find any way to enter a wildcard value or equivalent in that column, and it doesn't appear to be documented anywhere.

    Kaseya's documentation is pretty good, but holes like this are maddening.

    /kenw

    Legacy Forum Name: How-To,
    Legacy Posted By Username: Ken Wallewein
  • Not sure. As long as there is a source I am able to put a * in the event id column and then when I click add it fills in 'All IDs'.

    I can't put * in all the columns though. There has to be a source.

    Legacy Forum Name: How-To,
    Legacy Posted By Username: GDRBrian
  • GDRBrian
    Not sure. As long as there is a source I am able to put a * in the event id column and then when I click add it fills in 'All IDs'.

    I can't put * in all the columns though. There has to be a source.

    You're right: so long as it's not wildcard in all columns, it works.

    It drives me nuts when a crappy user interface silently rejects your entries, doesn't even say why, and there's no documentation to figure it out with. Wasn't there a Dilbert cartoon about something like this? I guess we should be glad it doesn't require a reboot after every typo.

    In the meantime, the system lets you select and use "All Events", but there's no way to tell what it is for. Blah.

    /kenw

    Legacy Forum Name: How-To,
    Legacy Posted By Username: Ken Wallewein