Kaseya Community

Why can't I get a Windows event log monitor to work? Trying to catch a 6009 (server reboot) on machine hosting KNM...


Feeling a little frustrated here.  I've read other posts, and followed the general help related to setting up a monitor for Windows event logs.  I created an 'Eventlog' monitor for the object that is KNM's host (localhost), and set it to only report 6009 (well, I've added 6008, 6005, 1074 at times).  Action list is 'Continuous list', which sends me an email (this is verified in testing, and I get plenty of other emails for other events).  But I've had a couple of real-life server shutdown/restart cycles (remotely kicked off by other admins for patching, etc.) and have never gotten an alarm from KNM before or after the fact.

Any guidance here would be MUCH appreciated... this seems like it should be simple.


Thanks,


Dave

All Replies
  • I imagine it can't do retrospective event log monitoring, whereas the normal agent can.

    People seem to have become over-excited with KNM and assume you'd want to rip the agents out.

    Pretty much, use KNM to monitor things you can't install an agent on; do not use it to monitor servers if you want in-depth, reliable monitoring.

  • Hi Dave,

    Let's say for example that you have 100 entries, so when you set up the Eventlog monitor, it will find 100 entries. It will not parse any of those 100 entries, though; it will start with 101, after the monitor was set up. If your filter specifies the 6009 Event ID, any occurrence of that ID from 101 onwards will fail the test and put the monitor in an alarm state. If you test this manually, that is, you generate the 6009 event while the monitor is running, don't you see the monitor going into an alarm state?

    Regards,



    [edited by: Tomas Andersson at 12:57 AM (GMT -7) on 28 Aug 2012] .
  • Michael,

    I first encountered KNM when it was Intellipool's product, and was promoted by Sensatronics as a solution for monitoring their environmental monitors.  I was impressed by its relative ease-of-use and flexibility in logging and alerting.  It quickly and effectively allowed me to solve an environmental monitoring requirement.

    More recently, I've revisited it and had good success in automating a couple of other reporting tasks, having it execute a stored procedure in SQL server and send charts, etc via email.  Since upgrading my license (now as KNM), I'm trying to make even more use of it.

    So to hear that someone else considers it a limited product not up to this task (if I take your meaning correctly) is disconcerting to me.

    But thanks for replying, you were the first.

    Dave

  • David,

    KNM is a very competent network monitoring product that has a very wide range of features; eventlog monitoring is one of them. KNM is also under very active development and will soon hit version 5, which is a major new update.

    About eventlog monitoring: eventlog monitoring is incremental and looks for new events since the last test. This is a design decision and fits proactive monitoring very well.

    If an event log monitor didn't fire when it should, I recommend starting a ticket with our support so we can take a look at it.

  • Tomas,

    Thanks for replying.  I follow your logic about where a newly-defined monitor starts indexing Eventlog entries.

    I have another monitor defined - I think it's one of the 'stock' entries - which triggers on any Error event in the System log.  This one DOES trigger correctly.  But the other defined monitor, which is set up almost identically, except the event type is 'All' and Event ID contains '6009', has not triggered.

    Not sure how I can manually generate a 6009 event into the system log, and I certainly can't shut the server down arbitrarily to test it.  I think I have some example code somewhere that uses .NET to create events, though it'll take a bit of fiddling to build that into something I can run on the server.

    I'll also try adding my own PC into the list of objects and define this monitor against that, and see if shutting down my PC generates a response.  But of course, the goal is to monitor the server which also happens to be hosting KNM.

    Best regards,

    Dave

  • Dave,

    KNM's eventlog monitor only considers events logged since the previous test. In addition to this, the first test performed after start-up is only performed to establish a marker of where to start the next test.

    So trying to trigger on events that are logged because of a shutdown will not work on the same machine where KNM is installed; any other machine will work.

  • RA,

    I feared something like this might be true.  In other words, the 6009 event is generated when the operator begins the shutdown request, but before the next monitor test rolls around to see it, the KNM service has been shut down.  And when KNM restarts, it doesn't look back to the old index value ("marker"), it starts a new one.  Is this a good understanding?

    So, can I at least have KNM generate an event whenever it starts?  That would alert me to a (probable) system restart after the fact.

    Thanks,

    Dave

  • > Is this a good understanding?

    Yes.

    >So, can I at least have KNM generate an event whenever it starts?  

    Right now we do not have this feature, but it's a great idea; I see why it's important. I'll see if we can squeeze it into v5. As a workaround, PowerShell could be used to send an e-mail when the server starts up:

    Plenty of scripts for that on the net:

    social.technet.microsoft.com/.../48fad661-302a-47a1-8e33-62541da0ca44
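    A sketch of such a startup script, added here as an example and not taken from the thread, the linked forum post, or Kaseya: run from a Task Scheduler "at startup" trigger, it e-mails the shutdown-related System events (6005, 6006, 6008, 6009, 1074) logged in the window just before the boot, which is exactly the window the KNM monitor on its own host cannot see. The SMTP host, addresses, script path, lookback window and task name are assumptions.

```powershell
# Added example (not from the thread): e-mail a summary of the shutdown-related
# System events written just before this boot. Intended to run once at startup.
# Assumed values: SMTP host, sender/recipient, lookback window, script path.
$SmtpServer = 'smtp.example.internal'        # assumption
$From       = 'knm-host@example.internal'    # assumption
$To         = 'ops@example.internal'         # assumption
$Lookback   = [TimeSpan]::FromHours(6)       # assumption: how far before boot to search

# IDs discussed in the thread, plus 6006 (clean Event Log service stop):
#  6005 Event Log service started      6006 Event Log service stopped
#  6008 previous shutdown unexpected   6009 OS banner written at boot
#  1074 a process/user initiated the shutdown (carries the reason text)
$Ids = 6005, 6006, 6008, 6009, 1074

# Last boot time from WMI; ConvertToDateTime turns the WMI timestamp into a DateTime.
$os       = Get-WmiObject Win32_OperatingSystem
$bootTime = $os.ConvertToDateTime($os.LastBootUpTime)

# Pull only the events in the window before the boot, oldest first.
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'System'
    Id        = $Ids
    StartTime = $bootTime - $Lookback
} -ErrorAction SilentlyContinue | Sort-Object TimeCreated

# 6008 is the dirty-shutdown marker; call it out in the subject line.
$unexpected = $events | Where-Object { $_.Id -eq 6008 }
$kind       = if ($unexpected) { 'UNEXPECTED restart' } else { 'restart' }
$subject    = "[$env:COMPUTERNAME] $kind at $bootTime"

# One line per event: timestamp, ID, first line of the message text.
$lines = foreach ($e in $events) {
    '{0:yyyy-MM-dd HH:mm:ss}  ID {1,-5} {2}' -f $e.TimeCreated, $e.Id,
        (("$($e.Message)" -split "`r?`n")[0])
}
$body = @("Host $env:COMPUTERNAME booted at $bootTime.",
          "Shutdown-related System events in the $($Lookback.TotalHours)h before boot:",
          '') + $lines

Send-MailMessage -SmtpServer $SmtpServer -From $From -To $To `
    -Subject $subject -Body ($body -join "`n")

# Register once, from an elevated prompt, so the script runs at every boot
# (task name and path are assumptions):
#   schtasks /Create /TN "NotifyOnBoot" /SC ONSTART /RU SYSTEM ^
#     /TR "powershell.exe -ExecutionPolicy Bypass -File C:\Scripts\NotifyOnBoot.ps1"
```

    Because the task fires after the boot completes, the e-mail arrives a few minutes after the restart; the 1074 entry in the body shows who requested the shutdown and why, which is the after-the-fact information the original poster asked for.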

  • As an alternative, could KNM write its index/indices for the eventlogs to persistent storage at the time it is shutting down, and restore from those on startup?  That way it could examine events logged even when it is not running.  Just a thought, not sure if that's feasible.

    Dave

  • Thanks RA for backing up my point, or at least the point I was trying to make: it can't monitor things before it starts.

    If you had an agent on the box you'd get an alert, though.

    > Dave,
    >
    > KNM's eventlog monitor only considers events logged since the previous test. In addition to this, the first test performed after start-up is only performed to establish a marker of where to start the next test.
    >
    > So trying to trigger on events that are logged because of a shutdown will not work on the same machine where KNM is installed; any other machine will work.



    [edited by: Michael Dixon (enfusion) at 1:24 PM (GMT -7) on 28 Aug 2012] .
  • Dave,

    KNM is doing this for (potentially) thousands of machines, so there are performance considerations for every new feature that have to be multiplied by the worst-case scenario. Storing the position for one monitor is not a problem; it's when it's 30.000 monitors that test once a minute that it starts to be an issue, but we will look into it.



    [edited by: RA at 12:03 AM (GMT -7) on 29 Aug 2012] better text
  • By the way RA, I assume that if, say, a laptop that has been running has performance or event log issues while the collector can't access it (because, say, it was taken home), then when it comes back to the office you won't get these historical errors?

    It's my understanding with KNM that monitoring and alerting will only take place while the collector can see it and therefore monitor it, so if the network connection is lost, alerting AND monitoring stop.

  • Michael,

    KNM is agentless, which means that it operates in local area networks where it has a gateway installed and monitors using the protocols provided by the monitored host. If you remove a computer from such a network it can't be monitored, and you will get a notification asap that the computer has disappeared from the network.

    If you do need to bring home a computer and need to monitor it, I recommend that you install a local KNM gateway on that computer; then it will work just like an agent and report back wherever you move it.

    /RA