Eventlog Monitoring

Forum: Operations Manager4
  • #230078
    arbu2002
    Participant

    Hello,

    I would like to monitor an Eventlog entry, but under the “General” tab in Eventlog there is only one entry (testuser@test.com). Under the details pane/EventData there is the relevant data:

    EventData

    testuser@test.com
    PasswordSyncTask::PutUser
    GDSTATUS_OK
    0x80070057

    So, I need a monitor which filters on GDSTATUS_OK. I have tried to build a rule with the settings in the attached picture, but it doesn’t work. I also tried Parameter = 3, no success. Does anyone have an idea?

    Thanks,

    Arne

    #230092

    Hi,
    the first thing I noticed is that your Operator is “Contains”. If the XML details are as you show them it would be better to search with “Equals”.
    Another thing is to ensure your event source is really the one you’ve entered. You will understand what I mean when you take a look here:

    Windows Event Log Monitoring: How To Get The Proper Event Source

    Hope that helps you out.

    Regards,
    STU

    #230103
    arbu2002
    Participant

    Thanks for your hint, but it doesn’t work. I have two pictures attached. The strange thing about this event is that under General there is only one entry, but under Details there is a lot more information. If I build a rule with Source and EventID it’s working, but if I add additional EventDescription Equals GDSTATUS_OK – nothing happens.

    #230170
    Ron
    Participant

    I don’t know exactly if it makes a difference, but I found a posting that shows simply “Parameter 3” instead of the XML path. I also looked at some really old MPs I wrote to monitor the sensitive security groups (domain admins, etc.) and the XML for that looks similar, and this ran in production for a good while until I moved to ACS for this type of monitoring.

    This is also consistent with Kevin Holman’s blog posting (probably where I got it originally)

    https://blogs.technet.microsoft.com/kevinholman/2008/04/22/using-event-description-as-criteria-for-a-rule/

    <Expression>
      <RegExExpression>
        <ValueExpression>
          <XPathQuery Type="String">Params/Param[3]</XPathQuery>
        </ValueExpression>
        <Operator>MatchesRegularExpression</Operator>
        <Pattern>^(Administrators|(Domain|Enterprise|Schema)[ ]Admins)$</Pattern>
      </RegExExpression>
    </Expression>

    #230365
    Scott Moss
    Participant

    Use parameter 3 like Ron suggested from the drop down list, when creating the filter. Also use equals as the operator, and give that a try.
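
Added example (not part of the thread and not SCOM's own code): a small Python model of the parameter-based criterion discussed above, showing which parameter number holds GDSTATUS_OK and how Equals, Contains and a regular expression behave against it. It assumes that Params/Param[N] refers to the Nth Data element under EventData, counted from 1; the event XML is constructed from the four values in the first post, and the function names are hypothetical.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: the four values from the first post, laid out the way
# Event Viewer's XML view shows EventData (assumed layout, not from the thread).
SAMPLE_EVENT = """\
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <EventData>
    <Data>testuser@test.com</Data>
    <Data>PasswordSyncTask::PutUser</Data>
    <Data>GDSTATUS_OK</Data>
    <Data>0x80070057</Data>
  </EventData>
</Event>
"""
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}


def event_params(event_xml):
    """Return {1: value, 2: value, ...} for the EventData/Data elements (1-based)."""
    root = ET.fromstring(event_xml)
    data = root.findall("e:EventData/e:Data", NS)
    return {i: (d.text or "") for i, d in enumerate(data, start=1)}


def matches(params, index, operator, pattern):
    """Model one rule criterion evaluated against Params/Param[index]."""
    value = params.get(index)
    if value is None:  # event carries fewer parameters than the rule expects
        return False
    if operator == "Equals":
        return value == pattern
    if operator == "Contains":
        return pattern in value
    if operator == "MatchesRegularExpression":
        return re.search(pattern, value) is not None
    raise ValueError(f"unsupported operator: {operator}")


def find_param(params, needle):
    """List the parameter numbers whose value is exactly `needle`."""
    return [i for i, v in params.items() if v == needle]


if __name__ == "__main__":
    params = event_params(SAMPLE_EVENT)
    for i, v in params.items():
        print(f"Param[{i}] = {v}")
    print("rule fires:", matches(params, 3, "Equals", "GDSTATUS_OK"))
```

Pasting the XML view of a real event into SAMPLE_EVENT gives the parameter number to pick in the rule wizard before any management pack is changed.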
