The issue may actually be all event log monitoring as I just realized in investigating this one, another alert did not fire off as well
The alert is pretty simple, it watches the Security Log for event 4740 (account locked out) and alerts our cell phones if it occurs. During troubleshooting, I just realized that 4720 (Account creation) also is not alerting. And these are both clearly shown in the event logs on the server... we use this alert on all our managed machines and both of them are working elsewhere.
Anyone have any idea why event log monitoring would just stop and what can be done to resolve it? The VSA server is a clean 9.4 install... after 10 years I archived our original server and started fresh. One of the monitored servers was rebooted this morning, the other rebooted a week ago.
I opened a ticket with support but, based on prior experience, I don't expect a quick answer from them.
L1 and L2 Support looked at it and simply confirmed that the monitors are properly configured. They are escalating it but we all know how long that can take so, if anyone has experienced something like this before, I would really appreciate your input.
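Added example, not from this thread or from Kaseya: a PowerShell check run on the monitored server itself that separates "the events are not being recorded" from "the events are recorded but the VSA monitor is not alerting". It lists the audit subcategory that produces 4740 and 4720 (both are Success Audits under User Account Management) and then pulls the events directly from the Security log; the event IDs and the 24-hour window are assumptions you can change.

```powershell
# Added example (not part of the original thread): confirm locally that the Security log
# holds the Success Audit events the VSA monitor is supposed to alert on.
param(
    [int[]]$EventIds = @(4740, 4720),   # 4740 = account locked out, 4720 = user account created
    [int]$Hours = 24                    # assumed look-back window
)

$since = (Get-Date).AddHours(-$Hours)

# Both IDs are written only when the "User Account Management" subcategory audits Success.
# If this prints "No Auditing" or "Failure" only, the monitor has nothing to alert on.
auditpol /get /subcategory:"User Account Management"

$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = $EventIds
    StartTime = $since
} -ErrorAction SilentlyContinue

if (-not $events) {
    Write-Host "No events $($EventIds -join ',') in the Security log since $since"
    return
}

$events | ForEach-Object {
    # EventData fields live in the XML; pull them into a hashtable by name.
    $xml  = [xml]$_.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    # 4740: TargetDomainName is the caller computer that triggered the lockout.
    # 4720: SubjectUserName is the account that created the new user.
    if ($_.Id -eq 4740) { $source = $data['TargetDomainName'] } else { $source = $data['SubjectUserName'] }

    [pscustomobject]@{
        Time     = $_.TimeCreated
        Id       = $_.Id
        Keywords = $_.KeywordsDisplayNames -join ','   # expect "Audit Success" for both IDs
        Account  = $data['TargetUserName']
        Source   = $source
    }
} | Sort-Object Time | Format-Table -AutoSize
```

If the events show here with "Audit Success" but the VSA never alerts, the gap is in the collection/alerting configuration on the VSA side rather than in Windows auditing.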
may sound simple - but have you made sure that that monitoring is not suspended on the agents affected? I had a red face a while ago with a similar issue :-)
Thanks for the reply Jo....never hurts to remind me of the simpler things. I wish it was something better than the official Kaseya response (see below). Apparently if we want to log Failure events and alert on Success events, we need to log the Successes as well....and that would be a huge amount of data throughout our managed clients. Apparently the line they fed us several versions ago about now being able to alert on data we don't record in the database was a lie.
If you want to be alerted on Event ID 4740, which is categorized as a Success Audit, and you plan to gather event logs from this same agent, you will need to include the category of Success Audit to be gathered from this agent as well in order to be successfully alerted when this event ID occurs.
I am a bit confused by your initial post where you mentioned 4740 as a security log event versus your most recent response as a success audit.
I use event logging frequently and for specific events we do have to specify the type of log and category; I like to get very specific (or as specific as possible) in my wildcards.
Here is one I am working on with some automation behind it.
I have run into the same issue - it's *all or nothing* for each agent. If you instruct the VSA to collect *any* event logs for an agent it shifts the whole process of event monitoring for that agent to the VSA hence it has to be set to collect *all* logs types and events you may wish to alert on. If you instruct the VSA to not collect any event logs the monitoring process is transferred to the endpoint and you can then alert on any events you like. It's annoying but kind of makes sense.
#Combo - the real frustrating part is that this monitor worked for years and Kaseya never published anything explaining that this functionality was changed. So I have to assume that this is a programming error that essentially killed critical alerts for all our clients... anyway, the alerts are more important than the logging so I was forced to disable all event log collection.
It's called out in their documentation, but agree it's frustrating. We also stopped event collection in favour of alerts.
I just noticed the same issue - Event 4740 no longer alerting and I am not collecting log files. Any update on your ticket karoded?
I had to change my configuration to collect ALL log entries for System and Application... as we review summary reports on errors regularly and collect NO log entries for Security as all the success entries would overwhelm the system.
This appears to be working but who knows for how long. As #Combo pointed out, Kaseya updated their documentation at whatever point they changed how this operates but I don't go back and review that on any schedule so I have no idea when between 6.3 and 9.4 that happened.
I am curious how collecting ALL entries for System and Application fixed your issue with alerting on "Security Log for event 4740": Is that fixed? I have entered a ticket but I do not anticipate getting to a resolution for a few days as I work through the support levels.
Please see the link #combo provided - help.kaseya.com/.../9040000 For alerting to work on an event log, you need to either collect all events from that log or none. 4740 alerting is now working again because I am no longer collecting any events from the security log... Why this is an issue? I would have no idea.
Actually re-reading it sounds like I would need to collect all or none for all logs but from our testing that does not appear to be the case.
I first noticed this issue about a year ago and when I logged a ticket Kaseya support referred me to a knowledge-base article that discussed the 'all or nothing' requirement. I went through my notes and found the link but (very interestingly) they seem to have removed the article and no amount of searching will surface it. The URL itself mentions the problem though - helpdesk.kaseya.com/.../229034788-Event-log-alarms-not-working
Yeah. Oddly enough I seem to remember being told just exactly the opposite of this behavior started somewhere around 9.2. And in fact the one article that I can find seems to indicate that this *should not* be the case.
The specific wording: "This only allows you to see Event IDs in the Agent Logs > Event Logs. Event log alerts are still generated even if event logs are not collected by the VSA"