
Introducing APM’s new Windows Event Log Monitor

 

Orion APM 3.1 shipped last week and offers a brand new frequently-requested component monitor—the Windows Event Log Monitor. The event log monitor regularly scans the event logs on a Windows server and counts the number of events that match a rule specified by a user. The number of matching event logs is the performance statistic that APM reports. It’s a simple monitor, but it can be very powerful because it’s very flexible and the event logs contain a lot of data.

To create a Windows Event Log Monitor, you create a new template and add a Windows Event Log Monitor component. It is listed under the All Components folder when you add a new template.


You will need to provide credentials for the target server. But your first real choice is to select an event log to monitor. We provide a dropdown of the most common built-in logs. We also provide Custom, which allows you to specify the name of any event log created by a specific app. Orion itself creates a custom log, for instance.


Once you have chosen a log, the next step is to define what you want to look for in it. The monitor will scan the contents of each log it finds looking for a match. You define what constitutes a match. You can specify one or more of the following:

· Log Sources – Source tells you which app generated the event. For instance, WMI, Outlook, and Winlogon are some of the sources I see in the event log for my laptop. If you specify these sources in the match definition, then APM will only count logs from those sources.


· Event ID – Each event has an ID. You can use a search engine to find the meaning of various IDs or which IDs indicate particular events. For instance, 644 is the ID of the event log that’s generated when an account is locked out. If you listed 644 in the match definition for an event log monitor, APM would count the number of times it saw 644. You can list one or more IDs in the match definition. If you leave it blank, then all event IDs will be considered as a match.


· Event Type – Each event has a type such as Error or Information. You might create a simple event log monitor that counts the number of logs of type Error and then create an alert if that monitor goes above 1.


· User – Event logs include a user field, although it isn’t always filled in. But if you’re interested in tracking a particular user account’s activities on a particular server, this field would be useful.


· Key Words – Every event log has a description field that elaborates on what happened that caused the log to be generated in the first place. The Include Events and Exclude Events fields allow you to scan for key words. Here you can specify strings (including regular expressions) that must be included or excluded to create a match. So you might want to count events that include the (unlikely) text Radiohead but exclude them if they also include Creep.


You can include one or more or all of the parameters above. A match will be found only when all of these parameters match. Thus, if you look for events from source X, with ID Y, and text Z, then APM will return the number of event logs where X, Y, and Z are all true.

One other aspect of the monitor to appreciate is the “polling period”, which may be confusing. When you apply the monitor to a server, you will set the polling period. Let’s say you set it as 5 min. APM will look at the event logs every 5 minutes. Let’s say you are looking for Event ID = 644. On the first poll, you find two event logs with the ID 644. APM will count that as 2. In 5 minutes, it will poll again. Do you want it to scan those same events? Or do you want it to only scan events from the last 5 minutes? The second setting is a multiplier of the polling period. If you set it at 1, the monitor will look only at those events from the last 5 minutes—i.e., new events. If you set it at 1.5, it will look at the last 7.5 minutes, so it will rescan part of the previous scan. If you’re looking for more of a “rolling” event count, you might want to increase this number and rescan some of the previous intervals.
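The match semantics described in the bullet list above (every non-empty field must match, with include/exclude keyword regexes) and the polling-window multiplier just described can be modelled in a few dozen lines. The following is an added example, not SolarWinds code; the events it scans are constructed in the script rather than read from a real server, and names such as `MatchRule`, `count_matches` and `status` are this example's own, not APM settings.

```python
"""Windowed event-log match counting in the style of the APM Windows Event
Log Monitor.  Added example, not SolarWinds code; all events are constructed."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
import re


@dataclass
class Event:
    time: datetime
    log: str          # which event log the record lives in
    source: str       # the app that generated the event
    event_id: int
    event_type: str   # Error, Warning, Information, Audit Success, ...
    user: str
    description: str


@dataclass
class MatchRule:
    """An empty field is a wildcard; every non-empty field must match (AND)."""
    log: str = ""
    sources: set = field(default_factory=set)
    event_ids: set = field(default_factory=set)
    event_types: set = field(default_factory=set)
    users: set = field(default_factory=set)
    include: list = field(default_factory=list)   # regexes that must appear
    exclude: list = field(default_factory=list)   # regexes that must not appear

    def matches(self, ev: Event) -> bool:
        if self.log and ev.log != self.log:
            return False
        if self.sources and ev.source not in self.sources:
            return False
        if self.event_ids and ev.event_id not in self.event_ids:
            return False
        if self.event_types and ev.event_type not in self.event_types:
            return False
        if self.users and ev.user not in self.users:
            return False
        if any(not re.search(p, ev.description, re.I) for p in self.include):
            return False
        if any(re.search(p, ev.description, re.I) for p in self.exclude):
            return False
        return True


def count_matches(events, rule, now, polling_period, lookback_multiplier=1.0):
    """Count matches in [now - polling_period * multiplier, now].
    A multiplier of 1 sees only events since the previous poll; 1.5 rescans
    half of the previous interval, giving a rolling count."""
    window_start = now - polling_period * lookback_multiplier
    return sum(1 for ev in events
               if window_start <= ev.time <= now and rule.matches(ev))


def status(count, threshold):
    """Component status: Down only once the count exceeds the threshold."""
    return "Down" if count > threshold else "Up"


# Constructed sample: NOW is the poll time; offsets are minutes before it.
NOW = datetime(2009, 12, 31, 10, 0, 0)
_m = lambda minutes: NOW - timedelta(minutes=minutes)
SAMPLE_EVENTS = [
    Event(_m(1), "Security", "Security", 644, "Audit Success", "jdoe", "User Account Locked Out"),
    Event(_m(3), "Security", "Security", 644, "Audit Success", "asmith", "User Account Locked Out"),
    Event(_m(6), "Security", "Security", 644, "Audit Success", "bkim", "User Account Locked Out"),
    Event(_m(2), "Security", "Security", 529, "Audit Failure", "jdoe", "Logon Failure: bad password"),
    Event(_m(1), "Application", "MediaPlayer", 1000, "Error", "jdoe", "Radiohead playback failed"),
    Event(_m(2), "Application", "MediaPlayer", 1000, "Error", "jdoe", "Radiohead: Creep skipped"),
]
PERIOD = timedelta(minutes=5)


def demo():
    lockouts = MatchRule(log="Security", event_ids={644})
    keywords = MatchRule(log="Application", include=[r"Radiohead"], exclude=[r"Creep"])
    wrong_source = MatchRule(sources={"Winlogon"}, event_ids={529})  # AND: source must match too
    by_user = MatchRule(event_ids={529}, users={"jdoe"})
    return {
        "lockouts_last_poll": count_matches(SAMPLE_EVENTS, lockouts, NOW, PERIOD, 1.0),
        "lockouts_rolling": count_matches(SAMPLE_EVENTS, lockouts, NOW, PERIOD, 1.5),
        "radiohead_not_creep": count_matches(SAMPLE_EVENTS, keywords, NOW, PERIOD),
        "winlogon_and_529": count_matches(SAMPLE_EVENTS, wrong_source, NOW, PERIOD),
        "jdoe_529": count_matches(SAMPLE_EVENTS, by_user, NOW, PERIOD),
    }


if __name__ == "__main__":
    for name, count in demo().items():
        print(f"{name}: {count} -> {status(count, 0)}")
```

Note that the lockout count goes from 2 to 3 when the multiplier rises from 1 to 1.5: the 644 event six minutes old falls outside the 5-minute window but inside the 7.5-minute one, which is exactly the rescan overlap the paragraph above describes.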


In practice, we expect each user to create several Windows Event Log Monitors, each scanning for a different set of conditions. One monitor might be counting the number of Errors (like the Errors in Application Event Log monitor that we ship with 3.1) while another is counting the number of login failures on a sensitive server.

The Windows Event Log monitor is a flexible monitor for Windows systems, and we’d love to hear how you’re using it. If you create monitors that you find useful and interesting, please publish your templates to the thwack community.



Posted Dec 31 2009, 10:23 AM by denny.lecompte

Comments


m698322h wrote re: Introducing APM’s new Windows Event Log Monitor
on Wed, Feb 3 2010 10:35 AM

I have found one drawback to this new feature.  We are using it to detect intrusions on key servers and domain controllers.  We would like the monitor to stay green at all times unless a threshold has been met.

Example: if "If a match is found in a polling period" is set to Down, the server will be set to Down (that's with one event match); now, I can understand 10-15 matches in a polling period.

This gets to be tense for our employees who monitor the system. We may get 1 failed login every 3 minutes (20 per hour, different users) on the one server for an hour, then no failed logins for 5 hours. It's bad to see the thing down for an hour then up for 5.

If a threshold is met, I can see that.


Orion Product Team blog

orion product blog_

Welcome to Orion product blog, which is written by the product managers for the Orion product line. Here you'll find tips, tricks, news, and the occasional random thought about the Orion product family. We’re hoping for a dialog, not a monologue, so we strongly encourage comments on what we say and suggestions for topics.

syndication_

site disclaimer_

Posts and Comments given in this blog should not be interpreted as a commitment that SolarWinds will deliver any specific feature in any particular time frame. All discussions of future plans or product roadmaps are base on the product teams intentions, but those plans can change at any time.

© 2003 - 2010 SolarWinds, Inc. All Rights Reserved.

Who is SolarWinds?

SolarWinds is rewriting the rules for how companies manage their networks. Guided by a global community of network engineers, SolarWinds develops simple and powerful network management software and network monitoring software for networks of all sizes. SolarWinds also offers a network certification program to become a SolarWinds Certified Professional (SCP).

What is thwack?

thwack, SolarWinds online community site, was designed by network engineers, for network engineers. thwack is a vibrant, growing community of more than 30,000 IT pros who share a passion for technology.

Explore Resources, Answers, Templates, and Advice

Download Free Networking Tools


Learn More About SolarWinds Products