Kaseya Community

Update evetnlog settings fail when in policys

  • Hi
    I seem to have an issue when i modify "Evenet log settings" in a Policy
    when I add  that I want logs om "Information" from the Security evetlog so I can create alerts from some account managment this does not apply.

    However if I Add information under Agent/Evetlog settings ( and reboot) the test server i can get the alerts to kickoff

    So i know that my evetlog monitor is ok

    Anyone else have issues with this and how would I attack this issue to solve it.
    On the latest patch and recentlt ran reaply schema

    **
    My main goal is just to get a mail when somneone creates a  user ( eventID 4720)

  • You don't need to enable the "Event log settings" to alert off Windows event logs. This has been the case since either 6.3 or 6.5.

    The "Event log settings" option is used to make Kaseya collect event logs and store them in the system. This used to be required for Kaseya to alert of event logs, but no longer is required.

    All you need is to set up the event set with the event IDs you want and make sure you select the correct log type and the "EWISFCV" settings.

  •  is correct -- Event Log Settings are not required to trigger Event Log Alerts this dependency was removed in v6.3.

    I would also be careful collecting Security event logs, these tend to be the noisiest and can quickly flood your system with tons of logs that may or may not be of value to you.

    If you are having issues with your Event Log Alert, show us your configuration via screenshot and we can possibly advise what the issue is or alternatively a support ticket can be created for this.

  • Hi

    thanks for your replys.

    So If I get you correct I dont need to be able to see the events under

    Agent

    -Agent logs

    and the Agent logs

    This is my monitor
    The 1102 is just a test(clear security log)
    I tried the other events with just a wildcard also and no luck
    i can see the events in my labbservers securilog

    Anyways This monitor i Added to a policy with the I for Information

    I can add that i notice this error when I apply a changed policy
    eRROR: InitEventLogProcess() failed to load event log definition "c:\kworking\KLogConfig\alertSet.xml" [code: -4].

    So I would like to know how to get rid of that problem without to have to delte the present alert.xml file on all servers



    code4 xml error
    [edited by: FredrikO at 10:22 AM (GMT -8) on Dec 9, 2016]
  • No, you don't need to see them in the Agent Logs. I have event log collection disabled and when I check the Agent Logs my event logs are blank. Our event log alerting still works fine though.

    Outside of the policy, if you just apply the event set to a machine does the alerting work? Make sure it is applied to the security log as well. In the screenshots below, the event sets will only alert for anything in the application log. It also has to match what I specified as far as error, warning, etc.

    As far as the error, I would open a ticket with support for that. The "failed to load event log definition" might be the problem here. 

  • hi Bauger34

    I did try your suggestion to skip the policypart and just apply to the machine.

    Still no success though

    however i get the alert if i the eventID shows up here, then i acctually sets of the alarm

  • I recommend opening a ticket with support at this point. They can jump on there with you and either figure out what went wrong or determine if there is an issue with your system.

  • Hi  thanks for the support bauger34

    I will open a ticket because its something wird here