I have a few servers that are running Windows Server Backup. Now I want Kaseya to monitor its event logs to notify us on the backup processes. I did run the update list by scan in the monitoring tab. It came back showing me only Microsoft-Windows-Backup. Now if you browse to that, there is Operational that you have to click on to be able to see the events. Now it doesn't import those events because of the Operational. Now according to me it should have created the list like Microsoft-Windows-Backup/Operational. How can I modify this? I have re-run the update list by scan but it doesn't add it.
Please, your input would be greatly appreciated.
There have been other reports on the forum on this as well.
I have been able to reproduce this and am working with development to see why this would occur.
Apparently, unlike other /Operational event log properties, when verifying properties for this particular Backup type, you see:
Instead of Microsoft-Windows-Backup/Operational. This leads me to believe the same Events for Microsoft-Windows-Backup would apply. We are extracting what is purely derived from these properties.
I went to check there and saw it for myself. The only thing is, if I go to where the log is saved and open it, it opens in the event log under "Saved" and then it points right. The only thing is, if you do an update list scan again it doesn't bring in the "Saved" one. If Kaseya could import the saved one then it might probably work. Guys, thanks for your input.
Don't know how to fix this one.
A workaround that you could look at is to subscribe to the Microsoft-Windows-Backup/Operational log file in the Application Log. Check out the following link on how to set up the subscription, www.sans.org/.../evtx-windows-event-logging_32949, then monitor for the same Event IDs on the Application Log.
I have come across the solution in working with Kaseya support. For some reason, Kaseya does not currently import the Microsoft-Windows-Backup log correctly (that is, it doesn't pull up the Operational sub-folder). In order to monitor the Windows backup, you need to:
1) Import the event log types in Kaseya by going to the Monitor -> Update Lists by Scan module.
2) After the update lists by scan has completed, go to the Agent -> Event Log Settings and include Microsoft-Windows-Backup in the event log types that you want to have Kaseya look for.
3) Go to the Monitor -> Event Log Alerts module and create a new event set with the source filter as "Microsoft-Windows-Backup" and whichever event ID that you want to monitor (we use 14 to monitor for a lack of a successful backup), and then save your event set.
4) Still in Monitor -> Event Log Alerts set up your monitoring on the machine you want to monitor and be sure to select the correct event severity level (info, warning, error, etc.) and Microsoft-Windows-Backup as the event log type at the top. Apply the monitoring with the settings you want (e.g. for a lack of an event for 36 hours and ignore additional alarms for 24 hours).
To summarize, you have to make sure that the event log type is Microsoft-Windows-Backup and that the event source is also Microsoft-Windows-Backup.
Note: I will be copying this post to the four other topics that I've seen on this forum that don't have the solution posted already, in order that others will come to the solution sooner than they would otherwise.
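A local cross-check of the monitoring described in the post above, as an added example that is not part of the original thread or of Kaseya's tooling. It uses the log name, the event IDs (14 and 19) and the 36-hour window quoted in this thread; the function names and the sample events are constructed for illustration.

```powershell
# Added example. Log name, event IDs and the 36-hour window come from this thread;
# function names and sample events are constructed for illustration.

function Get-BackupEvents {
    param([string]$LogName = 'Microsoft-Windows-Backup', [int]$Hours = 36)
    # Show the channel name exactly as Windows reports it on this machine.
    Get-WinEvent -ListLog "$LogName*" -ErrorAction SilentlyContinue |
        Select-Object LogName, IsEnabled, RecordCount | Out-Host
    $filter = @{ LogName = $LogName; StartTime = (Get-Date).AddHours(-$Hours) }
    # No matching events is a non-terminating error; return an empty array instead.
    @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)
}

function Test-BackupHealth {
    param(
        $Events,
        [datetime]$Now   = (Get-Date),
        [int]$SuccessId  = 14,   # ID the thread alerts on when it is absent
        [int]$FailureId  = 19,   # ID shown in the thread for "failed to start"
        [int]$MaxAgeHours = 36
    )
    $cutoff = $Now.AddHours(-$MaxAgeHours)
    $recent = @($Events | Where-Object { $_.TimeCreated -ge $cutoff })
    $lastOk = $recent | Where-Object { $_.Id -eq $SuccessId } |
        Sort-Object TimeCreated -Descending | Select-Object -First 1
    [pscustomobject]@{
        MissingSuccess = ($null -eq $lastOk)
        LastSuccess    = $(if ($lastOk) { $lastOk.TimeCreated } else { $null })
        Failures       = @($recent | Where-Object { $_.Id -eq $FailureId }).Count
    }
}

# Constructed sample: the last success is older than the window, one failure inside it.
$now = Get-Date '2012-03-31T12:00:00'
$sample = @(
    [pscustomobject]@{ Id = 14; TimeCreated = $now.AddHours(-40) }
    [pscustomobject]@{ Id = 19; TimeCreated = $now.AddHours(-19) }
)
Test-BackupHealth -Events $sample -Now $now

# On the backup server itself, evaluate the live log instead:
Test-BackupHealth -Events (Get-BackupEvents)
```

If the local result and the Kaseya alert disagree, compare the event log type and source filter in the event set against the channel name printed by the first function.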
Thanks for posting the solution, Mark.
I've followed Mark's steps outlined above, and purposely gotten WSB to fail on one machine to generate the logs. I can see the events in KLC for that server, so I know I'm monitoring the correct events... but I don't ever see an alert, alarm, or email generated. Any thoughts on what could cause this? (I do have the proper Alert and Email options selected under Event Log Alerts|Set Alert Actions.)
PS: here's the event showing up in KLC - agent logs - event log - Microsoft-Windows-Backup for the machine I'm testing on. I made sure that the 19 was explicitly added to the event set...
0 12:00:09 30-Mar-12 Microsoft-Windows-Backup None 19 administrator
The backup operation attempted at '2012-03-30T17:00:09.691816000Z' has failed to start, error code '2155348081'. Please review the event details for a solution, and then rerun the backup operation once the issue is resolved.
If anyone else runs into this... the issue turned out to be the rearm time. I had it set for 24 hours - but it never actually rearmed. Set it to 1 minute, and now it is successfully logging the alert and sending email!