In the course of the last several years we've found incidents where event logs simply were not alerting -- when we viewed the events in the DB, the events did not exist when compared to the event log on the endpoint. Generally this was due to a high volume of events in the moment, or performance issues. We have corrected most of that as much as possible, but the challenge we face is making sure we know when events are being skipped BEFORE we actually need them.
Does anyone have a working solution for this -- sort of an outside-the-box way of making sure we know when an event log on an endpoint is not being written / logged by Kaseya? This is most important for security logs for us.
We're super SQL savvy, but I'm not entirely sure how that will help here. Effectively we need to know when the count of events on the machine doesn't equal the count of events in Kaseya.
One of our tools might help, or at least provide some ideas...
We have a "what don't you know" tool that can be run monthly. It runs on servers and dumps the last 30 days of event logs, filtering on warnings and errors. Ignoring dates, it gets a list of unique events that occurred.
It would be a simple change to re-scan the data for each unique event to obtain counts - it doesn't do this currently. This could easily create two CSV files - an event list with counts (and the status below - Monitored, Don't Care, or New), and a second CSV that maps the dates to each event.
Once we have the list of unique events, each is compared against a table of events that we either do monitor or don't care to monitor. What's left are events that are new and unseen. We can then decide to add these to either the Monitored or Don't Care tables, and create or update a monitor set if we choose to monitor the new event. When we onboard new clients, we run this with a parameter that dumps up to 365 days of events. This helps identify customer LOB alerts that we can then evaluate and monitor if appropriate.
The files can be collected, combined, and imported into SQL, from where you can create the reports you need. Simply comparing alert counts between this data and VSA will give you a good idea of any disparity. Being on-prem and having good SQL skills will be needed here, or possibly being downright awesome with the reporting tools if on SaaS.
BTW - We're writing to CSV and not SQL because these tools run directly on each endpoint for maximum performance. Collect, concatenate the file-pairs, and import into SQL should be pretty easy.
PM me or contact me via the mspbuilder.com website if you want to discuss this further.
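The workflow described in the reply above (dump the last N days of Warning/Error events on the endpoint, count each unique event, tag it Monitored / Don't Care / New, write two CSVs, then compare counts with what VSA holds), as an added example. This is not the mspbuilder tool and not Kaseya code; it is a stand-alone PowerShell script written for this thread. The output directory, the list file names, the CSV column names and the layout of the VSA-side count export are assumptions for illustration. It must run elevated to read the Security log.

```powershell
<#
  Added example (not the mspbuilder tool): inventory Critical/Error/Warning
  events plus Security audit failures from the last $Days days, count each
  unique Provider/EventId, tag it Monitored / DontCare / New, and write the
  two CSVs described in the thread. Paths and list formats are assumptions.
#>
param(
    [int]$Days = 30,                                        # 365 for onboarding
    [string]$OutDir  = 'C:\ProgramData\EventAudit',         # assumed path
    [string]$ListDir = 'C:\ProgramData\EventAudit\lists'    # assumed path
)

$since    = (Get-Date).AddDays(-$Days)
$computer = $env:COMPUTERNAME
$stamp    = Get-Date -Format 'yyyyMMdd'
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# Reference lists: one "Provider:EventId" per line (assumed format). A missing
# file means an empty list, so everything lands in "New" on first run.
function Read-KeyList([string]$Path) {
    if (Test-Path $Path) { Get-Content $Path | Where-Object { $_ -match '\S' } } else { @() }
}
$monitored = Read-KeyList (Join-Path $ListDir 'monitored.txt')
$dontCare  = Read-KeyList (Join-Path $ListDir 'dontcare.txt')

# Levels: 1 Critical, 2 Error, 3 Warning. Security events are all Level 0, so
# "warnings and errors" there means the Audit Failure keyword (0x10000000000000).
$filters = @(
    @{ LogName = 'System';      StartTime = $since; Level = 1,2,3 },
    @{ LogName = 'Application'; StartTime = $since; Level = 1,2,3 },
    @{ LogName = 'Security';    StartTime = $since; Keywords = 0x10000000000000 }
)

# Get-WinEvent reports "no events found" as an error rather than an empty
# result, so suppress it; an unreadable log (not elevated) is also silent here.
$events = foreach ($f in $filters) {
    Get-WinEvent -FilterHashtable $f -ErrorAction SilentlyContinue |
        Select-Object @{n='LogName';e={$f.LogName}}, TimeCreated, ProviderName, Id, LevelDisplayName
}

# CSV 1: unique events with counts, first/last seen and status
$summary = $events | Group-Object LogName, ProviderName, Id | ForEach-Object {
    $e      = $_.Group[0]
    $sorted = $_.Group | Sort-Object TimeCreated
    $key    = '{0}:{1}' -f $e.ProviderName, $e.Id
    $status = if ($monitored -contains $key) { 'Monitored' }
              elseif ($dontCare -contains $key) { 'DontCare' }
              else { 'New' }
    [pscustomobject]@{
        Computer = $computer; LogName = $e.LogName; Provider = $e.ProviderName
        EventId  = $e.Id;     Level   = $e.LevelDisplayName; Count = $_.Count
        First    = $sorted[0].TimeCreated; Last = $sorted[-1].TimeCreated; Status = $status
    }
}
$summary | Sort-Object Status, Count -Descending |
    Export-Csv -NoTypeInformation -Path (Join-Path $OutDir "$computer-events-$stamp.csv")

# CSV 2: every occurrence with its timestamp, so a date-bounded comparison
# against the VSA database is possible after import.
$events | Select-Object @{n='Computer';e={$computer}}, LogName, ProviderName, Id, TimeCreated |
    Export-Csv -NoTypeInformation -Path (Join-Path $OutDir "$computer-dates-$stamp.csv")

# Compare the endpoint inventory with a count export taken from the VSA side.
# The VSA CSV layout (Computer,Provider,EventId,Count) is an assumption; build it
# with whatever query fits your schema. Note the endpoint log itself can have
# wrapped (log size limit), so "OnEndpoint" is a floor, not the true total.
function Compare-EventCounts {
    param([string]$EndpointCsv, [string]$VsaCsv)
    $vsa = @{}
    foreach ($r in (Import-Csv $VsaCsv)) {
        $vsa['{0}|{1}|{2}' -f $r.Computer, $r.Provider, $r.EventId] = [int]$r.Count
    }
    foreach ($r in (Import-Csv $EndpointCsv)) {
        $k    = '{0}|{1}|{2}' -f $r.Computer, $r.Provider, $r.EventId
        $seen = if ($vsa.ContainsKey($k)) { $vsa[$k] } else { 0 }
        if ([int]$r.Count -ne $seen) {
            [pscustomobject]@{
                Computer = $r.Computer; Provider = $r.Provider; EventId = $r.EventId
                OnEndpoint = [int]$r.Count; InVsa = $seen; Missing = [int]$r.Count - $seen
            }
        }
    }
}
```

Run the script on a schedule from the endpoint (as the reply suggests, writing CSV locally keeps it cheap), collect the files centrally, and either import them into SQL or feed the events CSV and a VSA-side count export to Compare-EventCounts; any row it returns is an event the endpoint has that VSA does not, which is exactly the "skipped before you need it" signal the question asks for. Rows with Status "New" are the candidates for the Monitored or Don't Care lists.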