Could not retrieve event log information - Windows

Hello,

I am running Sitescope 11.24 and am currently trying to set up a Windows Event Log Monitor that will alert me when someone performs a logon.

When I set up the monitor and run it, it fails and says "Could not retrieve event log information".

When looking at the logs of the Sitescope Server I see the below:

12:18:41,265 [SERVER(1611325506/1) ] (NTEventLogMonitorWMICommander.java:175) ERROR - NTEventLog Monitor WMI error for machine \\SERVER, monitor id: 1, WMI error:  timeout

12:18:41,265 [SERVER(1611325506/1) ] (NTEventLogMonitor.java:873) ERROR - SERVER: error reading NT Event Log, exit status = 999

WMI is most certainly working as other monitors that require WMI access are working as expected and the timeout is set to 120 so am not sure where to go with this.

Any ideas?

  • Hi there. Please post a screenshot of your Windows event log monitor setting for us to better understand how you configured it.

    Have you tried creating any other event log monitors to see if it's specific to the logon event you are looking for, or if just anything you search for does not work?

    Thanks

  • Attached the screenshot as requested ... At the moment none of them will work, so I assume it is something I am doing wrong, but I don't know what.

    The Event ID I am focused on is 4634 (logoffs) and there are plenty to be matched to.

    Let me know what you think

  • Please see attached screenshot of one of our monitors.

    We use EventSource in this one, but it should work the same for ID.

    We had to put ours in regex format within /, so you might want to try it out.

    Please give the monitor some time to run initially (-30 minutes depending how many of these events come in).

    Also, in the threshold you set the match count = 4634; this is incorrect.

    Match Count means the number of times it finds the value you put in the Source and ID match,

    so if you would like an error you should set it accordingly, e.g. Match Count > 10

    Let me know if you don't come right.
