New Monitoring Event Set

  • Im trying to create a new event set but the set never alerts on anything.

    The best clue I have so far is that the translation of wildcards in the settings somehow gets mixed up in the alertSet.xml.

    For example I add a new event set that looks like this:

    Alot of wildcards and an event ID.

    But then when I look in the alertSet.xml it looks like this:

    <EventSetDef DefID="398330" Ignore="0" Source="%" Category="%" EventID="109" UserName="%" 

    So it translates the * into an % why is that? should it be like that? What can be wrong?

  • Without getting into why this isn't a good monitor object, the XML content appears correct. "%" is a common wildcard for SQL and some other apps.

    Try making the monitor set definition more specific, particularly using a source filter. We rarely use wildcards in any monitor set.

  • I see. Thanks for your reply.

    Now I know that is not where the problem lies.

    I have tried specifying the source also.

  • There's another possible issue. If you collect event logs, you MUST collect anything you expect to monitor. If you don't collect event logs, you can monitor anything. Seems odd, but when you collect, that's what gets checked. If you don't collect, the event logs are checked directly. We never collect event logs A.) because the data is always in the event logs and B.) we can log anything. For clients that require advanced logging, we export the logs and maintain separately.

    Also - for testing, use the EventCreate command to manually create an event log entry.


  • Also check your eventsets for ignored events.

    An "ignore set"  always takes precedence over a "create event set".

  • And make sure you have it set to look in the correct event log AND the correct severity (information, error, critical etc)

  • , can you post a screenshot of this being applied to the machine (Monitor, Agent Monitoring, Event Log Alerts)?   Also, please post a screenshot of the Agent-> Event Log Settings screen for THIS machine (you can use the machine filter to not show all your computers, I am only interested in this one.

  • Event logs show * as a default when you leave it blank.  This should be OK.    Source is also OK to be a wildcard.