Updated 07/07/11: Windows EventLog - multiple search criteria

Update 07/07/11: Fixed a bug around identifying missing entries

This Knowledge Script (KS) allows the Windows Event Log to be scanned for multiple search criteria within a single KS. If you need to search for a number of different types of events, you can define all of the criteria in a single KS rather than deploying multiple instances of General_EventLog. The KS raises a separate event for each unique combination of EventID, Log, Source and Type, or alternatively for a user-defined message. In addition, a number of parameters change the KS's behaviour: for example, skip the search if a related Windows service is not running, alert only when x events are found within y hours, or exclude specific event entries from monitoring. The absence of an event can also be monitored.

'########################################################
' DESIGN SPECIFICATION

' Scan the Event Log for multiple sets of criteria
' Raise a separate event for each unique combination of EventID, Log, Source, Type - or user defined message

' Store each individual set in an XML string. The following fields are permitted:
'  log        The Log to scan.
'             NOTE: this field is MANDATORY; the rest are optional, but either an Event ID or a Source is needed

'  source     The Event source(s)
'  type       The Event type - can use the term 'Any' if you wish
'  id         The Event ID(s)
'  category   The Event Category(ies)
'  user       The Event User(s)
'  computer   The Event Computer(s)
'  The above fields can be used in the same way as in General_EventLog

' Additional fields
'  text       The Event description. NOTE: supports Regular Expressions
'  shortmsg   Short event Message. Overrides the default value of EventID:<>  Log:<>  Source:<>  Type:<>
'             Can also use the value '$longmsg' to set it to the Event description
'  object     The Console object to blink. If it ends with a colon, the MachineName will be appended. If not set, uses NT_MachineFolder
'             eg, object='ACTIVEDS_ADSERVER = AD Server:', object='ISA_SERVER = ISA Server:', object='SQLT_SERVER = SQL Server:'
'  severity   Override the default severity
'  doevent    Raise event or not, i.e. y or n. If not defined then default = y
'  sendall    Create a separate event for each individual event log entry.
'             Overrides event collapsing by appending the time to the short message
'  dodata     Collect data or not, i.e. y or n
'  count      The number of times the event must occur before eventing. = 1 if not defined
'  hours      The number of hours to scan the event log for. 0/undefined = since last iteration, -1 = all
'             NOTE: the hours value must be greater than the run schedule of the script, unless run once
'  service    The name of a Windows Service on which the monitoring of the event relies.
'             If defined, the event will be monitored only if the specified service is running
'  missing    Raise an Event if the search criteria are not found, i.e. y or n. If not defined then default = n. Note that this option does not collect data.

' Examples
' <event id='6005' source='EventLog' log='System' type='Any' shortmsg='The server was rebooted' doevent='N' dodata='Y'/>
' <event id='6005' source='EventLog' log='System' type='Any' shortmsg='The server was NOT rebooted in the last 24 hours' missing='Y' hours='24'/>
' <event id='6005' source='EventLog' log='System' type='Any' count='5' hours='1' shortmsg='The server was rebooted 5 times in the last hour'/>

' Parameters
'  SUPPRESS_DUPLICATES
'             If multiple events, only pass one back to the MS.
'             Duplicate detection logic is based on the ShortMessage
'  EXCLUDE_LIST
'             Comma separated list of Source:EventID:Log:Type
'             Suppresses the Alert for a defined entry
'  DO_DELETE  If too old, delete the INI file, which stores the last reached Record Numbers
'             Prevents lots of old alerts if an agent is stopped
'             Also resets the script if there is a message flood and the agent can't keep up
'  MAX_INI_AGE
'             Max Age in hours of the INI file - if DO_DELETE = 'y'
'  INI_PATH   Path to the INI file. Can be a full path or a path relative to the installation directory
'             The folder will be created if it does not exist - but only if the parent folder already exists

' NOTES
'  None of the XML information is case sensitive
'  If more than 250 XML entries are required, you will need to extend the BuildXML function appropriately
'  Can only have one event source per line

' IMPORTANT
'########################################################
' If running more than one instance of the script on an agent, you MUST change the name of the INI file
' so that the scripts do not write to a single INI file, which would lead to missed events.

' Don't pass just a Log and a Type, particularly if it's not one of the 'standard' logs,
' i.e. Application/System/Security. If the Log doesn't exist, the EventLog object seems to scan the
' Application log. However, it seems to work OK if another parameter is used, such as ID or Source.
'########################################################

' Execution Logic
'   Connect to NetIQ, FileSystem & Regular Expression objects etc
'  Quit if unable to instantiate objects or any other errors
' Get NetIQ install path, use this to determine Trace & INI Folders
' Create the INI folder if it doesn't exist
' If appropriate, delete the INI file if it's too old
' If the INI file exists, read the last record numbers from the INI file into a Dictionary Object

' Loop through each line of the Event Log Parameters
'  Separate the XML into its component parts
'  Pass the information to the Event Log function
'  Skip the entry if Event Log Name not provided
'  Count the number of loops of the Event log call. Just in case, exit if exceeds 200 (ie 1000 events)
'  Store the Record Number returned by EventLog call, for writing to INI file later
'  Strip the header from the Result string using a Replace
'  Split the remaining string and rebuild into nice looking message
'  If 'text' parameter defined, then pass it through regular expression pattern match
'  Determine whether to raise an Action or Not -
'   This depends on 'SendMessage', Suppress_Duplicates, SendAll and EXCLUDE_LIST parameters
'   If Suppress Duplicates, then add each new Event to a dictionary object
'    If over count threshold then alert
'  If required log a data point
' Once finished, write the Record number reached for each log into an INI file for use next Time
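As an added illustration (not the KS's own VBScript, which is not reproduced on this page), the following Python models the criteria rules described above: parsing the <event .../> lines, 'Any' wildcards and 'text' regular expressions, the hours window, count threshold, missing, sendall, EXCLUDE_LIST and duplicate suppression, run over constructed sample entries. The INI record-number bookkeeping is not modelled, so hours 0 and -1 are both treated as "no time filter"; that simplification, the fixed NOW and the sample entries are assumptions.

```python
import re
from datetime import datetime, timedelta
from xml.etree import ElementTree as ET
NOW = datetime(2011, 7, 7, 12, 0)  # fixed 'current time' so the constructed sample is reproducible

def parse_criteria(line):
    # Keys are lowercased: none of the XML information is case sensitive. 'log' is mandatory.
    attrs = {k.lower(): v for k, v in ET.fromstring(line).attrib.items()}
    if "log" not in attrs:
        raise ValueError("the 'log' attribute is mandatory")
    return attrs

def matches(crit, ev):
    # Optional id/source/type/log fields ('Any' is a wildcard); 'text' is a regular expression.
    if any(crit.get(f, "any").lower() not in ("any", str(ev[f]).lower()) for f in ("id", "source", "type", "log")):
        return False
    return "text" not in crit or re.search(crit["text"], ev["text"], re.I) is not None

def short_message(crit, ev):
    # Default EventID/Log/Source/Type message, overridden by shortmsg; '$longmsg' = description.
    default = "EventID:%s  Log:%s  Source:%s  Type:%s" % (ev["id"], ev["log"], ev["source"], ev["type"])
    msg = crit.get("shortmsg", default)
    return ev["text"] if msg.lower() == "$longmsg" else msg

def evaluate(line, events, now=NOW, exclude_list=""):
    # Short messages to raise for one criteria line. hours>0 limits the window; 0 and -1 mean no filter here.
    crit = parse_criteria(line)
    hours = int(crit.get("hours", "0"))
    excluded = {e.strip().lower() for e in exclude_list.split(",") if e.strip()}  # Source:EventID:Log:Type
    hits = []
    for ev in events:
        key = "%s:%s:%s:%s" % (ev["source"], ev["id"], ev["log"], ev["type"])
        if hours > 0 and ev["time"] < now - timedelta(hours=hours):
            continue
        if matches(crit, ev) and key.lower() not in excluded:
            hits.append(ev)
    if crit.get("missing", "n").lower() == "y":  # absence check: alert only when nothing matched
        return [] if hits else [crit.get("shortmsg", "Search criteria not found in the last %d hours" % hours)]
    if crit.get("doevent", "y").lower() == "n" or len(hits) < int(crit.get("count", "1")):
        return []
    if crit.get("sendall", "n").lower() == "y":  # one event per entry; the time defeats collapsing
        return ["%s (%s)" % (short_message(crit, ev), ev["time"].isoformat()) for ev in hits]
    return sorted(set(short_message(crit, ev) for ev in hits))  # SUPPRESS_DUPLICATES on the short message

def sample_events(now=NOW):
    # Constructed sample entries (not real log data) for exercising the functions above.
    mk = lambda log, src, eid, typ, text, age: dict(log=log, source=src, id=eid, type=typ, text=text, time=now - age)
    return [mk("System", "EventLog", 6005, "Information", "The Event log service was started.", timedelta(minutes=30)),
            mk("System", "EventLog", 6005, "Information", "The Event log service was started.", timedelta(hours=30)),
            mk("Application", "MSSQLSERVER", 3041, "Error", "BACKUP failed to complete the command.", timedelta(minutes=5))]
```

The three example lines from the design specification can be passed to evaluate() as-is to see which of them would raise an event against the sample entries.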
