Kaseya Community

How to properly collect all but specific Event Log events?

This question is answered

I currently collect all Application and System events of type "Error" or "Critical" and get an email for each and every one. This was fine for a while, but now that we've gone from 40 machines to 2000 machines, I want a way to ignore all the known, safely-ignorable events. I have read the Help documentation up and down, have tested the "evLogBlkListEx.xml" method, and have read a few posts here but I can't find anything comprehensive enough to reference. 

Basically, I need a blacklist methodology rather than a whitelist philosophy when it comes to events. We have a lot of unique 3rd-party software that generates generic events as "Critical", so I get a couple thousand emails a day that are irrelevant, but I can't figure out how to ignore them. The "evtLogBlkListEx.xml" file either doesn't work, or I'm formatting it incorrectly. However, I'd never know if I was indeed formatting it incorrectly since there is no documentation that I can find anywhere on how to properly format that file.

Does anyone know of a typed resource for how to accomplish this? I'm really looking for a good, comprehensive tutorial.

Thanks,
Matt 

Verified Answer
  • Matt,

    From Monitor -> Event Log Alerts you need to create your own ignore event sets.

    Name it however you wish and click new.  From here you just start adding the specifics of the events you wish to ignore, checking the box at the beginning of each entry to have Kaseya ignore this line item.

    Once events are added, just apply this event set to your systems/policy as you would any other event set.  These events will now be ignored.  You can be specific as you want or use wildcards to exclude broad items.

    I had created an exclusion event set for both the application and system log.  As new things came in that we determined were "noise" I just added it to the appropriate set.

    Hope that helps.

    -Shannon

All Replies
  • Thanks, this is how I believe I have it set up now and it is not working. However, knowing that this is indeed the proper method, I will delete everything I have and start over. I must've selected an incorrect box somewhere along the line. I appreciate the fast response!

    Thanks,

    Matt

  • Keep in mind, an event matching an ignore rule in any set will override all of your other sets for the type (Application, Security, System, etc.). For this reason, I recommend having one master Ignored event set for ease of management.

  • Is there any chance of a Tech Jam or something similar for using evtLogBlkListEx.xml?  I would like to use it because certain Windows Firewall events on Windows 7 machines are making my database gigantic, but I haven't found a real good resource/tutorial on using it.

    Thanks.

  • After doing a count of how many alerts we're getting through on a daily basis I would like some more info on how to correctly format this file.  It will save my databases like you cannot believe.

    Thanks for pointing this out eperson.

  • I just wanted to post an update to this.  I worked with Kaseya support to properly configure evtLogBlkListEx.xml about a month ago to exclude the Windows Firewall events that I was seeing being collected a lot.  A month later, my database had gone from 62 GB to 35 GB and it is still shrinking as old logs are aged out.  I am blown away by how much space it has saved!

  • I'm still indebted to you eperson.  My databases were growing at a horrific rate and I was querying this but getting nowhere.  Then I stumbled across your post and, with the help of Andrei in the Kaseya support team, worked out the syntax of the xml file, and instead of collecting 2 million event log items a day we're down to half that.  Still not good but way better than it was.

  • Alistair Curran

    I'm still indebted to you eperson.  My databases were growing at a horrific rate and I was querying this but getting nowhere.  Then I stumbled across your post and, with the help of Andrei in the Kaseya support team, worked out the syntax of the xml file, and instead of collecting 2 million event log items a day we're down to half that.  Still not good but way better than it was.

    Alistair, we are fighting the same issue and wondered if perhaps you could share the appropriate evtLogBlkListEx.xml syntax or maybe post an example evtLogBlkListEx.xml?  Also has anyone confirmed that the Ignore event set method works or not?

  • evLogBlkListEx.txt

    Hi Paul

    Here's a chopped down version of the one I have set up.  You should be able to follow the syntax from the samples I've left in it.  I've attached it as a txt file but the original needs to be an xml.

    Basically you need to either work on this and save it elsewhere, then copy and paste it into the file that's in the VSAHiddenFiles folder on your Kaseya server.  Watch out though, because as soon as you save the file it will send a copy out to all your customer machines.  I make sure I'm happy with it, taking care to check I've not missed any characters (as if you do it won't work), then save over the copy of the original file.

    AC

  •  & ... any chance of you uploading a snippit of a valid evtLogBlkListEx.xml?  I think you can use the HTML function in the rich text editor so it doesn't get munged:

    Myself and others would be most grateful!

  • Hi Brian, I responded to the earlier post with a chopped down sample.  When I submitted the post it popped up telling me that it needed to be approved before it would be posted.  Hopefully Brendan is reading this.

    However here's what I posted:

    <?xml version="1.0" encoding="ISO-8859-1" ?>
    <EventLogBlackList version="1.0">
      <EventLog Name="Application" ID="796450521">
        <Def Error="1" Source="WE_Services" EventID="0" />
        <Def Warning="1" Source="%PureMessage%" EventID="55" />
      </EventLog>
      <EventLog Name="System" ID="1380569194">
        <Def Warning="1" Source="%Disk%" EventID="51" />
        <Def Error="1" Source="%Disk%" EventID="11" />
        <Def Information="1" Source="%Print%" EventID="14" />
      </EventLog>
      <EventLog Name="Directory Service" ID="286518283">
        <Def Warning="1" Source="%ActiveDirectory_DomainService%" EventID="1566" />
        <Def Error="1" Source="%ActiveDirectory_DomainService%" EventID="1311" />
      </EventLog>
    </EventLogBlackList>
    corrected typo
    [edited by: Alistair Curran at 6:54 AM (GMT -7) on Aug 14, 2013]
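    Because the VSA pushes the file to every agent the moment it is saved, and a single missing character silently breaks it, it is worth checking the XML before copying it into VSAHiddenFiles. The validator below is an added example, not code from the thread or from Kaseya: it parses a constructed sample in the same shape as the file above, checks that each Def carries exactly one level flag, a Source and a numeric EventID, and simulates which events a rule would drop so you can see an over-broad wildcard before it suppresses something you wanted to keep. It treats % as a SQL-LIKE style wildcard and compares Source case-insensitively; both are assumptions, since the thread uses % that way without documenting the matching rule.

```python
import fnmatch
import xml.etree.ElementTree as ET

# Constructed sample in the shape of the file posted above (not the full file).
SAMPLE_XML = """<?xml version="1.0" encoding="ISO-8859-1" ?>
<EventLogBlackList version="1.0">
  <EventLog Name="Application" ID="796450521">
    <Def Error="1" Source="WE_Services" EventID="0" />
    <Def Warning="1" Source="%PureMessage%" EventID="55" />
  </EventLog>
  <EventLog Name="System" ID="1380569194">
    <Def Warning="1" Source="%Disk%" EventID="51" />
  </EventLog>
</EventLogBlackList>"""
LEVELS = ("Error", "Warning", "Information")  # level flags seen in the posted file

def load_blacklist(xml_text):
    """Return {log_name: [(level, source_pattern, event_id), ...]}.
    Raises on structural problems, so a broken file is caught before it is
    copied into VSAHiddenFiles and pushed to every agent."""
    root = ET.fromstring(xml_text)  # ParseError if a character is missing
    if root.tag != "EventLogBlackList":
        raise ValueError("root element must be EventLogBlackList")
    rules = {}
    for log in root.findall("EventLog"):
        name = log.get("Name")
        if not name or not log.get("ID"):
            raise ValueError("EventLog needs Name and ID attributes")
        for d in log.findall("Def"):
            levels = [lv for lv in LEVELS if d.get(lv) == "1"]
            if len(levels) != 1 or not d.get("Source") or not d.get("EventID", "").isdigit():
                raise ValueError(f"bad Def in {name}: {d.attrib}")
            rules.setdefault(name, []).append((levels[0], d.get("Source"), int(d.get("EventID"))))
    return rules

def validate(xml_text):
    """None if the file parses and passes the checks, else the error message."""
    try:
        load_blacklist(xml_text)
        return None
    except (ET.ParseError, ValueError) as exc:
        return str(exc)

def is_blacklisted(rules, log_name, level, source, event_id):
    """True if the agent would drop this event. '%' is treated as a SQL-LIKE
    wildcard and Source is compared case-insensitively (both assumptions)."""
    for lvl, pattern, eid in rules.get(log_name, []):
        glob = pattern.lower().replace("%", "*")
        if lvl == level and eid == event_id and fnmatch.fnmatchcase(source.lower(), glob):
            return True
    return False
```

    Run validate() over the real file before saving it; a non-None result names the Def that would have broken the push.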
  • Alistair, I am glad you were able to benefit from what I found.  Since I last posted, I worked with one of the developers at Kaseya with another problem I had.  I wanted to completely stop monitoring the security log on all systems, but I found I wasn't able to do so without modifying other collected event logs.  Basically, you could reset all logs collected, but not remove one log and change nothing else.  He quickly implemented a new feature that allowed me to do this.  I was quite impressed with the quick turnaround.

    Since all the old logs have been cleaned out, my database shrunk even further, down to 22 GB.  Now I just need to find time to run the shrink database command to free the white space in my 63 GB database file.

    Now that you don't need to collect a log to alert on event log entries, I am evaluating what else I can stop collecting to clear even more space.