Kaseya Community

Has anybody used / set up the global event log blacklists - EvLogBlkListEx.xml

  • Hi folks,

    I want to look at setting this up to try to prevent stuff we don't want coming up to Kaseya - I am not fully understanding this feature due to this phrase: "Alarm detection and processing operates regardless of whether entries are on the collection blacklist."

    What I thought this file did was if I added entries to it that Kaseya would ignore them at the client side and not send them up to Kaseya, yet according to that sentence this is not the case.

    Also the file is XML and empty so I checked the other file but I am not sure how to format the events.

    Has anybody set this up successfully and could provide a sample?

    Cheers

    Michael

  • As I understand it:

    If you put something on the blocklist it will not be collected by the Kaseya Server, so it will not show up in the machine's applicable log. You may still have to add the event to an alarm "ignore" event set. Events can still be alarmed on even if they are on the blocklist.

    There should be an evLogBlkList.xml file that you can view for an example.

    You make your additions to evLogBlkListEx.xml that you edit.

    I would post mine, but for some strange reason it won't open correctly, but the event ids within are still being blocked. Once I get it resolved I will post it for you.

  • Guys, don't know if this is still an issue for you or not, but you can look into the following for the file you're talking about.

    %your installed Drive%\Kaseya\WebPages\ManagedFiles\VSAHiddenFiles\evLogBlkListEx.xml

    Right-click and click Edit/Open and choose Notepad to edit this document. The formatting is very SPECIFIC down to being case sensitive. Below is what the contents of my file look like. The source and event ID are required (I believe). Here is the KASEYA KB article that goes a little bit more in detail about what formatting is necessary and possible. I have only tested/used and know what I have below works. But according to the link you could potentially block stuff using other filters (description, etc.).

    http://portalgc.knowledgebase.net/article.aspx?article=296645&p=11855

    ***NO NEED FOR A SPACE IN BETWEEN EACH LINE*** This post has had these lines inserted for unknown reasons when pasting???

    <?xml version="1.0" encoding="ISO-8859-1" ?>

    <EventLogBlackList version="1.0">

    <EventLog Name="Application" ID="796450521">

    <Def Information="1" Source="%DevMgmtConnector%" EventID="41206" />

    <Def Information="1" Source="%DevMgmtConnector%" EventID="41207" />

    <Def Information="1" Source="%HM Process Import Linking%" EventID="0" />

    <Def Information="1" Source="%HM Process Auto Import%" EventID="0" />

    <Def Information="1" Source="%ESE%" EventID="300" />

    <Def Information="1" Source="%ESE%" EventID="301" />

    <Def Information="1" Source="%ESE%" EventID="302" />

    <Def Information="1" Source="%ESE%" EventID="100" />

    <Def Information="1" Source="%MSSQLSERVER%" EventID="17137" />

    <Def Information="1" Source="%MSSQLSERVER%" EventID="2803" />

    <Def Information="1" Source="%DB/MEDMAN_PROGRESS%" EventID="452" />

    <Def Information="1" Source="%DB/MEDMAN_PROGRESS%" EventID="453" />

    <Def Information="1" Source="%DB/MEDMAN_PROGRESS%" EventID="708" />

    <Def Information="1" Source="%DB/MEDMAN_PROGRESS%" EventID="12699" />

    </EventLog>

    <EventLog Name="System" ID="1380569194">

    <Def Information="1" Source="%Service Control Center%" Description="HealthMatics Process Import Events" />

    </EventLog>

    </EventLogBlackList>



    [edited by: grantb at 5:27 AM (GMT -8) on 12-15-2010] - link was jacked up to kb article
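
A pre-deployment check for the file format shown in the post above, as an added example that is not part of the original post and not Kaseya's own tooling: it lists what each entry would suppress from collection and flags names whose case differs from the sample. The accepted attribute set and the "needs EventID or Description" rule are assumptions inferred from that sample, not a published schema, and `audit_blacklist` is a hypothetical helper name.

```python
import xml.etree.ElementTree as ET

# Attribute names as spelled in the sample above (assumed set, not a schema).
KNOWN_ATTRS = {"Information", "Source", "EventID", "Description"}

# Constructed input: one good entry, one mis-cased attribute, one source-only entry.
SAMPLE = """<?xml version="1.0" encoding="ISO-8859-1" ?>
<EventLogBlackList version="1.0">
<EventLog Name="Application" ID="796450521">
<Def Information="1" Source="%ESE%" EventID="300" />
<Def Information="1" source="%ESE%" EventID="301" />
<Def Information="1" Source="%MSSQLSERVER%" />
</EventLog>
</EventLogBlackList>
"""

def audit_blacklist(xml_text):
    """Return (entries, problems); entries are (log, source, event_id, description)."""
    data = xml_text if isinstance(xml_text, bytes) else xml_text.encode("iso-8859-1")
    root = ET.fromstring(data)  # raises ParseError if the file is not well-formed
    entries, problems = [], []
    if root.tag != "EventLogBlackList":
        problems.append(f"root is <{root.tag}>, expected <EventLogBlackList>")
    for log in root:
        if log.tag != "EventLog" or "Name" not in log.attrib:
            problems.append(f"<{log.tag}> is not an <EventLog Name=...> block")
            continue
        for d in log:
            where = f"{log.get('Name')} {d.attrib}"
            odd = sorted(set(d.attrib) - KNOWN_ATTRS)
            if d.tag != "Def" or odd or "Source" not in d.attrib:
                problems.append(f"unrecognised or missing names {odd} in <{d.tag}>: {where}")
                continue
            if "EventID" not in d.attrib and "Description" not in d.attrib:
                # Assumption: every sample entry narrows its source by one of these.
                problems.append(f"no EventID or Description filter: {where}")
            entries.append((log.get("Name"), d.get("Source"),
                            d.get("EventID"), d.get("Description")))
    return entries, problems

if __name__ == "__main__":
    found, issues = audit_blacklist(SAMPLE)
    for e in found:
        print("suppressed from collection:", e)
    for p in issues:
        print("CHECK:", p)
```

Keeping the output of a run like this alongside each change to the file gives a reviewable record of which events were deliberately removed from central collection.
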
  • Thanks Grant, yeah, still on the list so we will definitely look at this.

    Can I ask, do you know if I add stuff to this list does that mean Kaseya does not send this up to the server at all - there is a line in the help that I was confused about where it said something about "but would still alarm on these events" or something like that.

  • Whatever you put in the block list will not be collected and sent to the server. HOWEVER, you can still alarm on the non-collected events, as the alarming process occurs on the agent side before the events are collected and sent. I found that some alarms did not stop until after I added them to an "Ignore" event set.

  • You would think then you would have the option just to alarm and not bother collecting them; the only reason we collect is so we can alarm. We don't use event logs for anything else in Kaseya, particularly since LC allows you to see the local event logs.

    Thanks for the feedback though, I will move our globalblocklist event set into this file to try to reduce the number we are collecting.

  • Hi, just to open this again.

    When I edit this file do I have to do anything to get Kaseya to update the file locally on the machine or do I have to write a script to push this file down?

    Or does Kaseya just update on next check-in?

    Cheers