Kaseya Community

event log alerts

  • I am trying to setup alert checking for Shadow Protect (event source ShadowProtectSvc) that will:

    (1) run a script and send an email when error event id 1121 (backup failed) is found

    (2) send an email for all error event ids, except 1121

    The problem is that if I create a event log set for (2) and ignore 1121, then (1) stops working, obviously because ignore takes precedence over everything else.

    Does anyone know a work around for this?

  • Simple answer is don't ignore it, here is how I have mine setup.

    There are only 2 Shadow Protect Application Event ID's that are used for backup jobs;

    • 1121 for Errors including Failed backup jobs
    • 1120 for informational events and Successful backup jobs

    Note that I split my eventlog monitor sets up so that I can make them trigger unique fake executable files that run for around 1min and gets monitored by a matching Process Monitoring sets. This allows me to split my alerts from the Event Alarm category and have it under a custom category called Backups.

    First create your catch all monitor set using the "ShadowProtectSvc" event Source and configure this to use "Error, Information and Warning" event Types. With the catch all you only want to generate Alerts so you don't get spammed by duplicate emails. It is mainly used to discover new event ID's not published by the product vender and is less important.

    Next you may or may not want a Successful Backup Job monitor set, I create it so that I can report on successful backup jobs but don't make it generate any alarms. To do this us the "ShadowProtectSvc" event Source, 1120 event ID, the "Information" event Type and a Description of "*completed*".

    Now for the Error events. There are two Descriptions that I have noted that are commonly generated however I make a catch all "Failed Backup Job" Monitor set using the "ShadowProtectSvc" event Source, 1121 event ID and configure this to use "Error" event Type.

    The first of the known Error events are the "Cannot find the file specified" which is generated if you are using incremental backup jobs and the previous backup file could not be found. The event description for this one is "*Fatal I/O error * The system cannot find the file specified*".
    The Second known Error event is for Disk space whit the event description of " *There is not enough space on the disk* "

    All in all these monitor sets have worked very well and I'm considering not to waste my time and the company's money on the Shadow Protect module at this point in time. I still want to evaluate this module and make a pro's and con list to make a non-biased decision when I have some time.

  • Thanks for your detailed response Hard Knox, much appreciated.

    I do like your process monitor idea for getting it to display in a useful column set - I hate the way K dumps everything in 'Events' (K should allow you define column sets for events just like they do monitors).  It would be a lot of work to do this for all event log types, but I might set it up just for backups and so other critical ones!

    I also have a third monitor set which, is the same as the successful, but called 'missing successful', and I set this to alert if it doesn't see event ID 1120 in 3 days.  Just in case a tech suspends a job and forgets to un-suspend it, etc.

  • The main problem I have with Kaseya's shadow protect module is that you to delete all your backup jobs and start again :(

    And if someone creates a job from the SP console rather than Kaseya you will not have never get any alerts on that job!!!

  • I forgot to mention the missing backup jobs monitor set, do it for both 1120 and 1121 because in theory you should get either a successful or failed alert. I found this method worked well when Shadow Protect stopped working (service crash etc...).

    If you don't do backups over the weekends then configure it to alert if the event does not occur in 2/3/4/x days depending on how often you expect to get the event within a period of a week.

    Good to know that about the Shadow protect module, that would definitely go into my cons part of the list Smile

    [edited by: HardKnoX at 7:15 PM (GMT -7) on May 27, 2013] blah
  • Hi HardKnox,

    Can you give me some more details about you do "his allows me to split my alerts from the Event Alarm category and have it under a custom category called Backups."

    not sure I'm following, see how technically you are doing it. I would like to filter all Symantec Backup Exec events and put them in a separate column "Backups"


  • ProcessMon.zip


    Hi HardKnox,

    Can you give me some more details about you do "his allows me to split my alerts from the Event Alarm category and have it under a custom category called Backups."

    not sure I'm following, see how technically you are doing it. I would like to filter all Symantec Backup Exec events and put them in a separate column "Backups"


    You split them up by making two monitor sets, one for each Eventlog event you want to do this with and a matching Process Monitor set that looks for a unique fake process.

    When the Event occurs it executes an Agent Procedure instead of an Alert and the Agent Procedure runs the fake process for 30 seconds allowing the Matching Process Monitor set to detect the fake process and generate an alert. The Process Monitor Set will generate the alarm that you categorize as "Backup".

    I have attached the fake process script to this post all you need is to download AutoIT3 and use the Compiler to compile the script into an Exe file that you store on your Kaseya server in the Managed Files.

    You then create a script that will download this Exe file if it does not exist in the target path and give it a unique name that will only be used for the event you want to monitor (E.G. : ShadProBkp_Failed.exe, ShadProBkp_Missing.exe).

    To trigger it use the ExecuteFile command and make it continue immediately because if you use the execute and wait it will interfere with the Process Monitor.

    Hope that makes sense.

  • I'll give it a try that way, however this raises another question. In case wa have a successull backup event can we trigger it to stay green and only being red in failures or cancellations ?

  • That reminds me this method does not work with the new "Enable auto close of alarms and tickets" feature as it will automatically close these fake process alarms since they only run for 30sec.

    As for creating alerts for successful backups, personally I don't see a use for that and as far as I can tell you can use one monitor object to close another monitor objects alarms as they create separate alarm instances.

  • so I can't shift the "backup event messages" from the General "Events" Column to a more specific one ?

  • There is currently no option to assign an Event Monitor set other or new Group Alarm Columns, but you can do it with Process Monitoring which is why some people use the above mentioned method.

    I'm not sure if they will ever really improve any of the core monitoring modules since they now have KNM and the that other new cloud based monitor system.

    KNM is scheduled to be integrated with the Kaseya VSA some time around January next year.

  • Hi,

    I set everything up for a test over the weekend trapping 34113 but nothing in the specified column ?

    What did I do wrong ? What are the exact steps ? I created the eventlog + run script option.

    created the Monitor set to chec PRocMon and assigned this through Policymanagment to the corresponding servers !!

  • Step 1 - Create Eventlog Monitor Set

    Step 2 - Create Process Monitor Set that monitors if the renamed fake process is running. Remember to set the Alarm Group Category.

    Step 3 - Create a Agent Procedure that will download, rename and execute the fake process.

    Step 4 - Assign the eventlog monitor set to the machine and select the fake process agent procedure as the alarm option.

    Step 5 - Assign the process monitor set to the machine and select the Alarm option

    Repeat the process as needed.

  • I checked again this morning, but despites the id 34113 in the eventlog, I can't trace the process in the agent procedure log as if it does not got fired off.

    Do youhave it working on 6.3 ?


  • how can I check that the kickoff of that fake process is correctly done when the event occurs becouse I can't trace it in the logs, so have my doubts.