SiteScope User's Guide


NT Event Log Monitor

The NT Event Log Monitor watches one of the Windows NT Event Logs (System, Application, or Security) for added entries. This monitor is only available on the Windows NT version of SiteScope.

The Run Alerts setting controls how alerts are triggered by this monitor. If for each event matched is chosen, then the monitor triggers alerts for every matching entry found. In this way, the monitor acts much like an event forwarder. If once, after all events have been checked is chosen, then the monitor counts up the number of matches and triggers alerts based on the Error If and Warning If thresholds defined for the monitor.

The NT Event Log Monitor examines only log entries made after the time that the monitor is created. Each time the monitor runs thereafter, it examines only those entries added since the last time it ran. You can choose to filter out messages that are not important by using the fields listed under Advanced Options to specify values that must appear in the event entry for the entry to match.

When setting up SiteScope alerts for NT Event Log Monitors that are set to alert "for each event matched", it is most useful to select the NTEventLog template for the e-mail, pager, SNMP, or script alert. This alert template sends the alert with the event entry fields broken out. The type of SiteScope alert triggered depends on the type of the log event entry:

Event Log Entry Type    SiteScope Alert Type
Error                   Error
Warning                 Warning
Information             OK

Each time the NT Event Log Monitor runs, it returns a reading and a status message and writes them in the <SiteScope install path>/SiteScope/logs/SiteScope.log file.

Status

The status for the NT Event Log Monitor includes the number of entries examined, and the number of entries matched. If an interval is specified, the number of events in that interval is also displayed. Matched entries and interval entries can trigger alerts.

Completing the NT Event Log Monitor Form

To display the NT Event Log Monitor form, either click the Edit link for an existing NT Event Log Monitor in a monitor table, or click the Add a new Monitor to this group link on a group's detail page and click the Add NT Event Log Monitor link.

Complete the items on the NT Event Log Monitor form as follows. When the required items are complete, click the Add Monitor button.

Server
Choose the server that you want to monitor. The default is to monitor an event log on this server. Click the choose server link to monitor an event log on another NT server.

Log Name
Choose either the Application, System, or Security Event Log.

Event Type
Select the event type(s) - Error, Warning, and/or Information - that you are looking for.

Run Alert
Select the method for running alerts.
  • Select "for each event matched" to have the monitor trigger alerts for each and every matching entry found.
    Note: When the NT Event Log Monitor is run with this alert method selected, the monitor will never be displayed with an error or warning status in the SiteScope interface, regardless of the results of the content match, even if the target event log is not found. The monitor will trigger alerts if one or more matching entries are found and the Error if or Warning if thresholds are defined accordingly in the Advanced Options section, for example, the default Error if setting of matchCount > 0.
  • Select "once, after all events have been checked" to have the monitor count up the number of matches and trigger alerts one time based on the Error if and Warning if thresholds defined for the monitor in the Advanced Options section.
    Note: By default, selecting this option will cause SiteScope to send one alert message if one or more matches are found, but the alert will not include any details of the matching entries. To have SiteScope include the matching entries, you must associate the monitor with an alert definition that has the <matchDetails> property in the alert template. This special template property is used to populate the alert with the details of all the matching entries. You use this for e-mail alerts or other alert types that work with template properties. E-mail alert templates are stored in the SiteScope\templates.mail directory. See the chapter on Custom Alert Templates in the SiteScope Reference Guide for more information about modifying alert templates.

Update every
Select how often the Event Log should be checked. The default interval is to run or update the monitor once every 10 minutes. Use the drop-down list to the right of the text box to specify another update interval in increments of seconds, minutes, hours, or days. The update interval must be 15 seconds or longer.

Title
Enter a title text for this monitor. This text is displayed in the group detail page, in report titles, and other places in the SiteScope interface. If you do not enter a title text, SiteScope will create a title based on the host, server, or URL being monitored.

Advanced Options

The Advanced Options section presents a number of ways to customize monitor behavior and display. Use this section to customize error and warning thresholds, disable the monitor, set monitor-to-monitor dependencies, customize display options, and enter other monitor specific settings required for special infrastructure environments. The options for this monitor type are described below. Complete the entries as needed and click the Add or Update button to save the settings.

Disable
Check this box to temporarily disable this monitor and any associated alerts. To enable the monitor again, clear the box.

Source and ID Match
Enter the match string identifying the source of the event and the event ID in the form: Event Source:Event ID. For example, enter Print:20 to match event source named Print and event ID of 20. To match against all events from a specific source, enter just the event source name (for example: W3SVC). To match an exact event ID from an event source, specify both (for example: Service Control Mar:7000). You can also use a regular expression for more complex matches.

Source and ID NOT Match
Enter the match string identifying the source of the event NOT TO MATCH in the form: Event Source:Event ID. For example, entering Print:20 will ignore all events with the Print source and event ID 20. To ignore all events from a particular source, specify just the source name (for example: W3SVC). To ignore an exact event ID from an event source, specify both (for example: Service Control Mar:7000). You can also use a regular expression for more complex not matches. For example, to ignore all Perflib events with IDs from 200 to 299, the following would be used: /Perflib:2\d\d/. To ignore all events from the Perflib source, the following would be used: Perflib:*.

Description Match
Enter the text string to match against the description text for the event entry. The description text is the same as the description that is displayed when viewing the detail of an event log entry in the NT Event Viewer. Regular expressions may also be used in this box.

Description Not Match
Negative match against the description text for the event entry - that is, the NT Event Log Monitor will trigger an alert only if the text entered in this box does not appear in the event entry's description text. The description text can be viewed in the detail view of the event log entry via the NT Event Viewer. Regular expressions may also be used in this box.

Event Category
Match the category number of the event entry.

Event Machine
Match against the machine that added the entry to the log file.

Interval
Enter a time period, in minutes, for which matching event log entries will be totaled. This is useful when the condition you are interested in is a quantity of events happening in a given time period. For example, if you wanted to detect a succession of service failures, 3 in the last 5 minutes, you would specify 5 minutes for the interval, and then change the Error If threshold to matches in interval >= 3.
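The Source and ID Match / NOT Match strings and the Interval count described above can be modelled as a small filter. This is an added illustration, not SiteScope code; the match-string semantics (regex between slashes applied to "Source:ID", a bare source name or "Source:*" matching every event from that source, and substring/regex matching for descriptions) and the sample log entries are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample log entries (not from the page): (time, source, event id, description)
NOW = datetime(2024, 1, 1, 12, 0, 0)
EVENTS = [
    (NOW - timedelta(minutes=1), "Service Control Manager", 7000, "The Spooler service failed to start"),
    (NOW - timedelta(minutes=2), "Service Control Manager", 7000, "The W3SVC service failed to start"),
    (NOW - timedelta(minutes=4), "Service Control Manager", 7000, "The Dhcp service failed to start"),
    (NOW - timedelta(minutes=9), "Service Control Manager", 7000, "The Spooler service failed to start"),
    (NOW - timedelta(minutes=3), "Perflib", 250, "Performance counter open failed"),
    (NOW - timedelta(minutes=3), "Perflib", 1008, "Open procedure for service failed"),
    (NOW - timedelta(minutes=5), "Print", 20, "Printer driver installed"),
]

def source_id_matches(pattern, source, event_id):
    """Assumed semantics of the 'Event Source:Event ID' match string:
    /regex/ is matched against "Source:ID"; "Source" or "Source:*" matches
    every event from that source; "Source:ID" must match exactly."""
    key = f"{source}:{event_id}"
    if len(pattern) > 2 and pattern[0] == pattern[-1] == "/":
        return re.fullmatch(pattern[1:-1], key) is not None
    if ":" not in pattern or pattern.endswith(":*"):
        return source == pattern.split(":", 1)[0]
    return key == pattern

def event_matches(event, match=None, not_match=None, desc_match=None, desc_not_match=None):
    """Apply the Advanced Options filters; every filter that is set must pass."""
    _, source, event_id, desc = event
    if match and not source_id_matches(match, source, event_id):
        return False
    if not_match and source_id_matches(not_match, source, event_id):
        return False
    if desc_match and re.search(desc_match, desc) is None:       # assumed: substring/regex
        return False
    if desc_not_match and re.search(desc_not_match, desc) is not None:
        return False
    return True

def match_count(events, **filters):
    """'matchCount', the value behind the default 'Error if' threshold."""
    return sum(1 for e in events if event_matches(e, **filters))

def matches_in_interval(events, now, minutes, **filters):
    """'matches in interval': matched entries within the trailing window of N minutes."""
    start = now - timedelta(minutes=minutes)
    return sum(1 for e in events if start <= e[0] <= now and event_matches(e, **filters))
```

With the sample data, a 5-minute interval and the filter Service Control Manager:7000 yields 3 matches, which is exactly the "3 in the last 5 minutes" case where an Error If threshold of matches in interval >= 3 would fire.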

Update every (on error)
Enter the amount of time that SiteScope should wait between checks when the status of the monitor is anything but ok. If you do not enter a value here, the Update value from above is used. You use this setting to have SiteScope check more or less frequently than usual when the monitored item is not reporting an ok status.

Schedule
By default, SiteScope monitors are enabled every day of the week. You may, however, schedule your monitors to run only on certain days or on a fixed schedule. Click the Edit schedule link to create or edit a monitor schedule. For more information about working with monitor schedules, see the section on Schedule Preferences for Monitoring.

Monitor Description
Enter additional information about this monitor. The Monitor Description can include HTML tags such as the <BR>, <HR>, and <B> tags to control display format and style. The description will appear on the Monitor Detail page.

Report Description
Enter an optional description for this monitor that will make it easier to understand what the monitor does. For example, network traffic or main server response time. This description will be displayed with each bar chart and graph in Management Reports and appended to the tool-tip displayed when you pass the mouse cursor over the status icon for this monitor on the monitor detail page.

Depends On
To make the running of this monitor dependent on the status of another monitor or monitor group, use the drop-down list to select the monitor on which this monitor is dependent. Select None to remove any dependency.

Depends Condition
If you choose to make the running of this monitor dependent on the status of another monitor, select the status condition that the other monitor or monitor group should have in order for the current monitor to run normally. The current monitor will be run normally as long as the monitor on which it depends reports the condition selected in this option.

List Order
By default, new monitors are listed last on the Monitor Detail page. You may use this drop-down list to choose a different placement for this monitor.

Error if
By default, the monitor is in error if there are any matched events. If you are using an interval, you can also use matches in interval. If Run Alerts is set to for each event matched, then each entry can trigger an alert, and the Error If setting is ignored.

Warning if
By default, the monitor is never in warning. You can use match count to put the monitor in warning for a given number of matches. If you are using an interval, you can also use matches in interval. If Run Alerts is set to for each event matched, then each entry can trigger an alert, and the Warning If setting is ignored.

Good if
Enter the value that should indicate a good reading for this monitor. By default, SiteScope assumes that the monitor is in a good status if the error and warning conditions are not met.