Windows EventLog Values

Hello,

I am trying to use the Microsoft EventLog monitor to look for specific events across all Windows servers.  I want to be able to use 1 monitor per server but check for multiple event IDs and process them differently.

So far, I have successfully set up the monitor to look for 3 events - 7001 for logons, 6009 for server restarts, and 55 for NTFS file corruption.  The logons are just for testing since I can create a new entry every time I log into a server for now.  I don't want each of these to always be an error/warning/etc.  Basically, I need to know how to populate the "value" counters so I can create specific thresholds.

The monitor reference guide says to use the Description Match field to look at the event's description.  So, I added "/Logon/" in there to see if it would grab a logon event.  The monitor works and catches occurrences of the 7001 logon event, but the value fields do not show any data.

How can I get the value (0-4) fields to populate with data from the captured events?

Thank you!

Lance

  • Hi Lance,

    For value tags to populate you need to use parentheses in your match expression: /(Logon)/ will fill value=Logon

  • Kenneth,

    Thank you!  I am still learning regex...  that did it!

    One more question then - for multiple values (for values 2-4), would this work?

    /(Logon|Value2|Value3|Value4)/

    Basically, if any of them catch I would like to set the status to warning or error, depending on the match.  Currently, if both match, only the first value is being captured (maybe I can't work around that).  Also, if I understand this monitor correctly, if using the description match, you can define up to 4 values to match against, is that correct, or is there a way to add more?

    Thank you!

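Added example, not from the thread or from the monitor's own code: a small Python model of how regex capture groups map to the value fields, assuming the monitor applies standard capture-group semantics as Kenneth's answer implies. The event descriptions and the severity mapping are constructed for illustration.

```python
import re

# Constructed sample event descriptions keyed by event ID (not copied from real logs).
SAMPLE_EVENTS = {
    7001: "User Logon Notification for Customer Experience Improvement Program",
    6009: "Microsoft (R) Windows (R) 6.3 Multiprocessor Free started (constructed).",
    55: "The file system structure on the disk is corrupt and unusable. "
        "Please run the chkdsk utility on the volume C:.",
}

# Assumed mapping from a captured value to the status Lance wants to raise.
SEVERITY_BY_MATCH = {"Logon": "good", "Multiprocessor": "warning", "corrupt": "error"}


def capture_values(pattern, description, max_values=5):
    """Model the monitor's value fields: each capture group in `pattern` fills
    the next value slot (value0..value4); slots with no group stay None."""
    values = [None] * max_values
    m = re.search(pattern, description)
    if m is None:
        return values          # no match: nothing is captured at all
    for i, group in enumerate(m.groups()[:max_values]):
        values[i] = group
    return values


def severity_for(values):
    """Pick the status from the first captured value that has a mapping."""
    for v in values:
        if v in SEVERITY_BY_MATCH:
            return SEVERITY_BY_MATCH[v]
    return "good"


if __name__ == "__main__":
    # /(Logon)/ fills the first value field, as Kenneth said.
    print(capture_values(r"(Logon)", SAMPLE_EVENTS[7001]))
    # One group with alternation still yields ONE value: whichever
    # alternative matched first, which is enough to decide the status.
    for event_id, text in SAMPLE_EVENTS.items():
        values = capture_values(r"(Logon|Multiprocessor|corrupt)", text)
        print(event_id, values[0], severity_for(values))
    # Separate groups fill separate value slots from one description.
    print(capture_values(r"(corrupt).*?(chkdsk)", SAMPLE_EVENTS[55]))
```

This is the point behind the follow-up question: a single group with alternation fills only the first value field, with whichever alternative matched, which still lets one monitor decide warning versus error per event, while separate groups fill separate value fields.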