Event Log Monitor V2 (for Vista)


This dialog configures the Windows Event Log Monitor V2 service for Windows Vista, Windows 2008, Windows 7, Windows 8 and Windows 2012. For Windows 2000, 2003 and XP use the classical event log monitor.

Which monitor to use for which Windows version:

Event Log Monitor:    Windows 2000, Windows XP, Windows 2003
Event Log Monitor V2: Windows Vista, Windows 2008, Windows 7, Windows 8, Windows 2012

Due to the vast changes to the Windows EventLog in Windows Vista, it was necessary to create a new edition of the EventLog Monitor. This one is specifically designed to process the Windows Vista event logs. The log entries have been split up and are now shown in so-called Channels, which can be thought of as categories. First there are the classic EventLog Channels: the Application, Security and System EventLogs etc., already known from Windows XP. Then there are the serviced and the direct Channels. The serviced Channels are processed by the EventLog framework for reliable delivery of the messages, while direct Channels are meant for debugging purposes. Logging them may cause a high performance impact. As direct Channels are typically not used in practical logging scenarios, they are not yet implemented in the event log monitor. If you have a need to process them, please let us know at support@adiscon.com.

[Screenshot: services_010]

Event Log Monitor Properties

Sleep Time

The event log monitor periodically checks for new event log entries. The "Sleep Time" parameter specifies how often this happens. The value is in milliseconds.

We suggest a value of 60,000 milliseconds for the "Sleep Time". With that setting, the event log monitor checks for new events every 60 seconds. Larger periods can be specified for occasionally connected systems or if email delivery with few emails per day is intended.

 

Very security-aware environments might use a shorter interval. The event log monitor service is specifically designed to limit the burden on the monitored system. As such, resource usage is typically low, even with frequently run event log checks. However, we recommend not running the event log monitor more often than once a second.


Overrun Prevention Delay

 

This property allows configuring a delay after generating an event. The time is the delay in milliseconds.

 

If run at a value of zero, the event log monitor service generates events as fast as the machine permits. We have seen scenarios where routers and receivers are not able to keep up with this rate, resulting in packet loss. In addition, the CPU of the reporting machine is run at 100% - which is not a problem because the service runs at a low priority. However, with even a 1-millisecond delay, there is no noticeable CPU activity even when large bursts of events are forwarded. At one millisecond, the service can still generate 1000 events per second.

The default setting is an overrun protection delay of five milliseconds, which allows roughly 200 events per second. This should be sufficient for even very busy servers.


Select Message Format

 

With this option you can choose whether the Events will be extracted in "Raw XML Format" or in the "Predefined Event Format".

 

The XML format is the exact representation of the XML stream returned by the EventLog system.

Please note that it contains only the EventLog data and not a formatted message.

The "Predefined Event Format" renders the event as it appears in the Event Viewer.


SyslogTag Value

 

The SyslogTag Value determines the SyslogTag that is used when forwarding Events via syslog. This is useful if you want to determine later what kind of syslog message this is, for example because you log EventLogs and syslog into the same database.


Emulate %Param% properties from old EventLog Monitor

 

This option emulates the %Param% properties, which were often used in the old EventLog Monitor. The new EventLog implementation (e.g. Windows 7, Windows Server 2008, Windows 8, Windows Server 2012) does not support them in the same way anymore. The Event Log Monitor V2 is still able to provide parameters in the "old style" format, which means that log analysis scripts can receive a consistent stream of data for both new style and old style Windows events.


Include optional Event Parameters as properties

If enabled, the <EventData> node from the raw XML stream (EventLog entry) will be searched for variables. If variables with names are found, they will automatically be set as Properties under their variable name. If a variable does not have a name, it will be set to a generic name like "Param1, Param2, ... ParamX".
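As an added example (not code from the Adiscon product), this Python mirrors how the %Param% emulation and the "Include optional Event Parameters as properties" option described above turn the <EventData> node of a raw XML event into properties. The sample event is constructed, and the rule that the ParamN counter advances only for unnamed values is an assumption.

```python
import xml.etree.ElementTree as ET

# Constructed sample of the raw XML stream for one event, using the Windows
# Event Log XML namespace. Two <Data> nodes carry a Name attribute, two do not.
SAMPLE_EVENT_XML = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing"/>
    <EventID>4624</EventID>
    <Channel>Security</Channel>
  </System>
  <EventData>
    <Data Name="TargetUserName">alice</Data>
    <Data Name="LogonType">10</Data>
    <Data>unnamed-value-one</Data>
    <Data>unnamed-value-two</Data>
  </EventData>
</Event>"""


def _namespace(root):
    """Return the namespace URI of the root tag, or '' for a stripped stream."""
    return root.tag[1:root.tag.index("}")] if root.tag.startswith("{") else ""


def event_data_properties(raw_xml):
    """Map the <EventData> node of a raw XML event to a property dict.

    Named <Data> nodes become properties under their own name; unnamed ones
    get Param1, Param2, ... (assumption: the counter counts unnamed nodes only).
    """
    root = ET.fromstring(raw_xml)
    ns = _namespace(root)

    def tag(local):  # qualify a local tag name with the stream's namespace
        return f"{{{ns}}}{local}" if ns else local

    props = {}
    event_data = root.find(tag("EventData"))
    if event_data is None:
        return props  # e.g. events that carry <UserData> instead of <EventData>
    unnamed = 0
    for data in event_data.findall(tag("Data")):
        name = data.get("Name")
        if not name:
            unnamed += 1
            name = f"Param{unnamed}"
        props[name] = (data.text or "").strip()
    return props
```

Each key of the returned dict corresponds to a %Property% name a rule or log analysis script could reference.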


Convert to EventLog Monitor V1

 

This option maps the EventIDs from the Security EventLog back to V1 (Windows 2000/2003). The internal InfoUnitID is also changed to V1. This option helps to postprocess EventLog V1 and V2 events equally.


Event Channels Tab

[Screenshot: services_011]

The most important part of this dialog is the treeview of available Channels. It specifies which event logs are to be monitored. In the screenshot above, the monitor is set to all Channels that are currently available. Custom Channels may also exist, created by applications on their own; they are added to the treeview automatically every time you re-open this configuration window.

 

Channels checked in the table are actually processed. Those unchecked are kept in the configuration, but are not processed.

 

Here you can adjust the syslog facility and the event log types. You are also able to overwrite all existing custom advanced channel configurations with your new ones.

 

Facility

 

The Syslog facility to map information units stemming from this log to. Most useful if the message is to be forwarded to a Syslog daemon.


Last Record

 

Windows event log records are numbered serially, starting at one. The service records the last record processed. This textbox allows you to override this value. Use it with caution!

 

If you would like a complete dump of a specific Windows event log, reset the "Last Record" to zero. If you missed some events, simply reset it to a lower value than the one currently set. It is also possible to set "Last Record" to a higher value; this suspends event reporting until that record has been created. We strongly discourage using this feature unless definitely needed.


Processing Mode

 

There are two processing modes available. The default processing mode is "EventLog Subscription", which processes Events in realtime: events are sent to MonitorWare Agent by the OS as they happen, with no delay at all. The other processing mode is called "Eventlog Polling" and is similar to the method used in the old EventLog Monitor: the EventLog is checked and processed periodically, controlled by the Sleep Time. Using the polling method, however, enables the "Read EventLog From File" option.


Event Types to Log

 

These checkboxes allow local filtering of the event log. Filtering is based on the Windows event type. There is a checkbox corresponding to each Windows event type. Only checked event types will be processed. Unchecked ones will be ignored.

 

Filtering out unnecessary log types at this level enhances system performance because no information units will be generated and passed to the rule engine. Thus, Adiscon strongly recommends dropping unnecessary log types.