Centralized logging in a hybrid environment (Windows/Linux) – Step 2

Step 2 – Setting up the Windows Clients

Setting up the Windows Clients is rather easy. To do this, we only need to have EventReporter installed. EventReporter will be configured to pull the Windows Event Logs and forward them to our central syslog server via TCP syslog. Our example system will be Windows XP.

When you open the Configuration Client, you will see the configuration tree on the left. The most important parts are “Configured Services” and “Rulesets”. Right now both are empty, but we will change that now.

Step 2.1

As a first step, we will set up the ruleset again.

centralized_monitoring_2001

Right-click on “RuleSets” in the left-hand tree. A context menu will appear. Click on “Add RuleSet”.

centralized_monitoring_2002

The RuleSet Wizard will appear. You can give your ruleset a name; we will use “TCP Forwarding” for this example. After that, click “Next”.

centralized_monitoring_2003

On the second page of the wizard we can specify what actions we want. Since we only want the log messages to be forwarded via syslog, check the box next to “Forward Syslog”. After that, click “Finish” to create the ruleset and action.

Step 2.2

centralized_monitoring_2004

When you expand the treeview now, you will find a rule named “Forward Syslog” with an attached action of the same name.

centralized_monitoring_2005

Now click on the action “Forward Syslog”. You can see the default values now.

centralized_monitoring_2006

We need to change some of these settings. First, enter the IP address or hostname of our central server into the field “Syslog Server”. Then change the port to 10514, since our central server listens for TCP syslog on this port. Finally, change the protocol type to TCP (persistent connection). Keep in mind that this is plain TCP syslog: it avoids the message loss you get with UDP, but it does not encrypt the messages on the wire, so the path to the central server should be a trusted network. That is all for now. Click the Save button at the top so we can go on to configure the Service itself.

Step 2.3

We need to configure our service now. Right-click on “Configured Services” in the configuration tree on the left to pop up a context menu.

centralized_monitoring_2007

When you go to “Add Service” you will see the list of available services. The list is a lot smaller than in MonitorWare Agent. We need the regular Event Log Monitor in this case.

Note: If you are using Windows Vista, 7 or Server 2008 you might consider using the Event Log Monitor V2, since it is optimized for the new EventLog that has been introduced with Windows Vista.

centralized_monitoring_2008

When you have clicked on Event Log Monitor in the list, a wizard opens. Since we will not do any configuration now, just click “Finish”.

centralized_monitoring_2009

When you click on Event Log Monitor in the configuration tree you will see the default options. We can leave these settings as they are, though you might want to change the preferred language or the sleep time. As you can see at the bottom, the service is already assigned to the ruleset we created earlier: newly created services are automatically assigned to the first ruleset in the list.

Step 2 is finished

Basically, that is it. Save the configuration and then start the service with the button that looks like the “Play” symbol. EventReporter will then start to pull events from the Windows Event Log and forward them via TCP syslog to your central server.

<< Go back to the main page

Centralized logging in a hybrid environment (Windows/Linux)

Created 2011-03-11 by Florian Riedl

This article describes how to set up centralized logging in a hybrid environment. It is divided into several major steps, each showing the configuration of a different kind of client that forwards its log data to a central loghost. There, everything is stored in a database and processed further for alerting.

The situation, in short: we want all machines on the network to send their log data to a central syslog server (where possible). For the central log server we take a Windows machine running MonitorWare Agent (www.mwagent.com). Here we can receive syslog, monitor local log files and the Windows EventLog. Data shall be stored in a database, and several e-mail alerts shall be configured. The other steps describe the configuration of simple Windows workstations and servers, as well as Linux servers.

For syslog transmission we will use port 514 (the default) for UDP and port 10514 for TCP. We want to use TCP wherever possible, because UDP is connectionless: messages can (and will) get lost, while a TCP connection detects and retransmits lost segments. Note that plain TCP syslog still sends the messages unencrypted, so this choice addresses delivery, not confidentiality.
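As an added example (not part of the original guide and not Adiscon code), the following script shows what a client like EventReporter and the syslog receiver exchange on a persistent TCP connection: newline-delimited RFC 3164 messages whose PRI value encodes facility and severity. It binds an ephemeral loopback port instead of 10514 so that it runs offline; the hostnames and message texts are constructed sample data. The receiver also records the peer address next to the hostname carried inside the message, because that hostname is supplied by the client and cannot be trusted on its own.

```python
"""Added example, not code from the guide or from any Adiscon product: a tiny
RFC 3164 syslog sender and receiver exchanging messages over one persistent
TCP connection, the transport the guide uses on port 10514. To run offline
the receiver binds an ephemeral port on 127.0.0.1; the hostnames and event
texts below are constructed sample data."""
import socket
import socketserver
import threading
from typing import List, Tuple

Parsed = Tuple[int, int, str, str]          # facility, severity, hostname, tag+text
TIMESTAMP = "Mar 11 10:00:00"               # fixed so the output is reproducible


def build_message(facility: int, severity: int, host: str, tag: str, text: str) -> bytes:
    """Encode one RFC 3164 message: <PRI>TIMESTAMP HOST TAG: TEXT, newline-terminated.
    PRI is facility * 8 + severity; the newline delimits messages on the TCP stream."""
    pri = facility * 8 + severity
    return f"<{pri}>{TIMESTAMP} {host} {tag}: {text}\n".encode("ascii")


def parse_message(line: bytes) -> Parsed:
    """Split PRI, hostname and message out of one received line; reject malformed input."""
    s = line.decode("ascii").rstrip("\n")
    if not s.startswith("<") or ">" not in s:
        raise ValueError("missing PRI")
    pri_text, rest = s[1:].split(">", 1)
    pri = int(pri_text)
    if not 0 <= pri <= 191:                 # 23 facilities * 8 + 7 severities
        raise ValueError("PRI out of range")
    # The RFC 3164 timestamp is fixed-width ("Mmm dd hh:mm:ss"), then a space, then the hostname.
    host, msg = rest[16:].split(" ", 1)
    return pri // 8, pri % 8, host, msg


class SyslogHandler(socketserver.StreamRequestHandler):
    """Server side: one connection carries many messages; read until the peer closes."""

    def handle(self) -> None:
        peer_ip = self.client_address[0]
        for line in self.rfile:
            # Keep the peer address alongside the self-reported hostname: the
            # hostname inside the message is client-supplied and can be forged.
            self.server.received.append((peer_ip, parse_message(line)))
        self.server.done.set()


class SyslogTCPServer(socketserver.ThreadingTCPServer):
    allow_reuse_address = True

    def __init__(self, address: Tuple[str, int]) -> None:
        super().__init__(address, SyslogHandler)
        self.received: List[Tuple[str, Parsed]] = []
        self.done = threading.Event()


def forward(messages: List[bytes]) -> List[Tuple[str, Parsed]]:
    """Client side: open one persistent connection, send every message on it,
    then close. Returns what the receiver stored, in arrival order."""
    server = SyslogTCPServer(("127.0.0.1", 0))
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        with socket.create_connection(server.server_address) as sock:
            for m in messages:
                sock.sendall(m)
            sock.shutdown(socket.SHUT_WR)       # EOF tells the handler we are finished
            server.done.wait(timeout=5)
    finally:
        server.shutdown()
        server.server_close()
    return list(server.received)


if __name__ == "__main__":
    batch = [
        build_message(1, 3, "WS02", "EventReporter", "Security log event ID 500"),
        build_message(4, 6, "WS02", "EventReporter", "user logon succeeded"),
    ]
    for peer, (fac, sev, host, msg) in forward(batch):
        print(f"from {peer}: facility={fac} severity={sev} host={host} {msg}")
```

Nothing in this exchange is encrypted: a sniffer between client and server reads every line exactly as the receiver does, which is why the TCP choice buys reliability rather than confidentiality.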

The client machines in this example are of several different types. We have regular Windows workstations, for which we will use EventReporter (www.eventreporter.com). In addition to our central server, we have some other Windows servers, which will get MonitorWare Agent as well, and some Linux machines with rsyslog (www.rsyslog.com) installed. These machines will send their log messages via TCP syslog to the central server.

In addition to these clients, we will briefly mention other devices and appliances, like firewalls, switches and routers.

Step 1:

This is the first and biggest step. We will configure the central server first. The reason is simple: if it is already running, we can set up the clients and they will directly start logging everything. We assume this is a Windows server with MonitorWare Agent installed. The central log server shall provide the following functionality:

  • syslog receiver with TCP (for devices that can send TCP syslog)
  • syslog receiver with UDP (for devices that can only send UDP syslog)
  • monitor the local Windows EventLog
  • monitor local textfile-logs
  • store all log messages into a database
  • send email alerts to an admin on error or critical log messages

Continue reading on Step 1

Step 2:

In step 2 we will set up the regular Windows clients. These are usually the workstations the people work on. We will use EventReporter here. It can pull all log messages from the Windows EventLog and forward them via TCP syslog. Thus the following functionality is mandatory:

  • monitor the local Windows EventLog
  • forward all log data via TCP syslog

Continue reading on Step 2

Step 3:

Now we will configure the other Windows servers. Again, we will use MonitorWare Agent because it has the most functionality. We need the following functions to be setup here:

  • monitor the local Windows EventLog
  • monitor local textfile-logs
  • forward all log data via TCP syslog

Continue reading on Step 3

Step 4:

Now we get to the Linux servers. Here we need to use a completely different product – rsyslog. For a first-time user, this might look a bit strange. The configuration we want to have here needs the following:

  • monitor local log messages
  • monitor local textfile-logs
  • forward all log data via TCP syslog

Continue reading on Step 4

Step 5:

This is just a note on other devices and appliances not yet covered. Devices like routers, firewalls or switches often have the ability to send log data to a syslog server. Usually this works only via UDP, though some devices can also send logs via TCP. Since there is such a huge number of different systems and devices, we cannot give exact steps for all of them. Please refer to the user manual that came with the device or contact the manufacturer for information about how to configure it for sending syslog.

If you already know how to configure it, let it send its log messages to the central server on port 514 for UDP or (if possible) port 10514 for TCP.

Conclusion

We now have a setup that stores all the log data generated by machines on the network in a central database. Most of the clients on the network send their log data reliably via TCP to the central log storage (reliably, not confidentially: plain TCP syslog is not encrypted). Some machines were rather quick to set up, others needed more effort. Usually the effort rises with the number of features that are used, so we consider this setup to be quite simple.

If you have any remarks or ideas of improvement for this guide, please let us know and send an email to info@adiscon.com.

What is the log file format for generating reports with Monilog for MonitorWare Agent, WinSyslog and EventReporter?

Created 2006-06-20 by Timm Herget

I am using MonitorWare Agent 4.x / EventReporter 8.x / WinSyslog 7.x.
What settings do I have to make so that the log file is generated in a format that Monilog accepts?

A few settings have to be made in order to generate a log file that Monilog can read for reporting. They differ depending on the protocol used:

  • 1. SETP Protocol
  • 2. Syslog Protocol

1. Report Settings for SETP

At Sender’s Side:

1.1. Event Log Monitor Setting

Use the default format of the Event Log Monitor. Your settings should be like this:


Figure 1: Event Log Monitor Service Settings

1.2. Forward Via SETP Settings

Use the default format of the “Forward via SETP” action. In this example we assume that all messages should be forwarded via SETP to the central SETP server at 172.16.100.8. Please replace this value per your environment.


Figure 2: Forward Via SETP Action Settings

At Receiver’s Side:

1.3. SETP Listener Settings

Use the default format of the SETP Server. Your settings should be like this:


Figure 3: SETP Listener Service Settings

1.4. Write to File Action Settings

In Write to File Action, Choose “Custom” from the “File Format” combo box. You would see that the “Custom Line Format” has been enabled. From the “Insert” menu entry select “Replace with Monilog Format“. Your settings should be like this:


Figure 4: Write to File Action Settings

With the above mentioned settings, Monilog will successfully generate the report on the log file that has been generated.

2. Report Settings for Syslog

At Sender’s Side:

2.1. Forward via Syslog Settings

In the Forward via Syslog action you will see a “Message Format” option. From the “Insert” menu entry select “Replace with Monilog Format”. In this example we assume that all messages should be forwarded via syslog to the central syslog server at 192.168.141.10. Please replace this value per your environment. Please note: it is very important that you uncheck the “Add Syslog Source when forwarding to other Syslog servers” option. Your settings should be like this:


Figure 5: Forward via Syslog Action Settings

At Receiver’s Side:

2.2. Syslog Listener Settings

Please note that the “Enable RFC 3164 Parsing” should be checked. Your settings should be like this:


Figure 6: Syslog Listener Settings

2.3. Write to File Action

Simply add a Write to File action and bind this RuleSet to the service. Do not change the default settings of this action!


Figure 7: Write to File Action Settings

With the above mentioned settings, Monilog will successfully generate the report on the log file that has been generated.

Can Event Reporter work with custom event logs / evt-files?

Created 2006-02-15 by Timm Herget

There are two FAQ articles on this question, because monitoring custom event logs differs from monitoring custom *.evt files. Please see the links below for further information:

How do I Update filters for MonitorWare Agent?

Article created 2005-04-04 by Hamid Ali Raja.

In order to update a filter you need a previously saved configuration in which you had applied filters. Click here if you wish to learn “How to add filters for MonitorWare Agent?”

Note: String comparisons in filter conditions are case-sensitive. For example, if the source system name is “ws01” and you had written “WS01” while applying the filter, then this filter condition would never evaluate to true! Please double-check before proceeding further!

How to Update Filters?

1. Let’s say that initially we were interested in getting an e-mail alert in a given time period for the following filter condition:

( ( Event ID is 500 OR 1000 OR 2000 OR 3000 ) AND ( FromHost is not equal to WS01 ) )

AND

( ( Event Source is equal to Security ) OR ( Priority is greater than 5 ) )

And the filter form looked like this:

2. Let’s assume that you now wish to update this filter condition to:

( ( Event ID is not equal 500 OR 1000 OR 2000 OR 3000 ) AND ( FromHost is not equal to WS01 ) )

OR

( ( Event Source is equal to Security ) OR ( Priority is greater than 5 ) )

You would have to follow the following steps in order to accomplish this.

3. We need the Boolean “OR” operator in the top-level node for the above filter condition, not the default “AND”, so the Boolean operator has to be changed. There are different ways to do this: either double-click the “AND” to cycle through the supported operations, or select it and click “Change Operator”. Either way, the Boolean operation should be changed to “OR”. This can be seen in the screenshot below:

We will be working on this part of the filter condition.

( ( Event ID is not equal 500 OR 1000 OR 2000 OR 3000 ) AND ( FromHost is not equal to WS01 ) )

4. In order to update the actual values of the Event ID, select each of the filters. A small dialog opens at the bottom of the screen where you update the required values. In our sample, these are Event ID 500, 1000, 2000, and 3000.

5. Click on the filter property “Event ID” and, from the “Compare Operation” combo box, select “is not equal”. Repeat this step for the next three filters. When you have made the updates, your screen should look as follows:

6. Don’t forget to save the settings by clicking the (diskette-like) “Save” button. This completes the update of the filter form. Once done, your configuration looks like the following:

7. Last, save the changes if you haven’t done so already and then restart the MonitorWare Agent / WinSyslog or EventReporter service.

MonitorWare Agent / WinSyslog / EventReporter cannot dynamically read changed configurations. As such, the service needs to be restarted after such changes.

How do I Delete filters for MonitorWare Agent 3.0?

Article created 2005-04-04 by Hamid Ali Raja.

In order to delete a filter you need a previously saved configuration in which you had applied filters. Click here if you wish to learn “How to add filters for MonitorWare Agent?”

Note: String comparisons in filter conditions are case-sensitive. For example, if the source system name is “ws01” and you had written “WS01” while applying the filter, then this filter condition would never evaluate to true! Please double-check before proceeding further!

How to Delete Filters?

1. Let’s say that initially we were interested in getting an e-mail alert in a given time period for the following filter condition:

( ( Event ID is 500 OR 1000 OR 2000 OR 3000 ) AND ( FromHost is not equal to WS01 ) )

AND

( ( Event Source is equal to Security ) OR ( Priority is greater than 5 ) )

And the filter form looked like this:

2. Let’s assume that you wish to delete some filters so that the filter condition looks like this:

( ( Event ID is not one of (500, 1000, 2000, 3000) ) AND ( FromHost is not equal to WS01 ) )

You would have to follow the following steps in order to accomplish this.

3. There are two ways to accomplish this. You can either delete the filters one by one or delete the whole lower “OR” operator. This sample shows both.

Deleting Filters One by One

4. This approach is recommended when you want to keep part of a more complex filter condition and delete only some of its filters. Right-click on the filter property “Syslog Priority”; a pop-up menu appears. Select “Delete” from the menu.

When you have deleted the filter, your screen should look as follows:

5. Right-click on the filter property “Event Source”; a pop-up menu appears. Select “Delete” from the menu.

When you have deleted the filter, your screen should look as follows:

6. Right-click on the lower OR; a pop-up menu appears. Select “Delete” from the menu.

When you have deleted the OR operation, your screen should look as follows:

Don’t forget to save the settings by clicking the (diskette-like) “Save” button.

Deleting Filters Completely in a Single Selection

7. This approach is recommended when you don’t need that entire part of the filter condition. Right-click on the lower OR; a pop-up menu appears. Select “Delete” from the menu.

This deletes the whole lower “OR” along with its filter conditions. When you have deleted the OR operation, your screen should look as follows:

Don’t forget to save the settings by clicking the (diskette-like) “Save” button.

8. Last, save the changes if you haven’t done so already and then restart the MonitorWare Agent service.

MonitorWare Agent cannot dynamically read changed configurations. As such, the service needs to be restarted after such changes.

How do I Add filters for MonitorWare Agent?

Article created 2005-04-04 by Hamid Ali Raja.

Once you go to start -> programs -> MonitorWare -> MonitorWare Client to run the program, you see a screen-shot similar to the one below:

Facility required: Email alert

Conditions applicable: An email alert should be generated on events matching ( ( Event ID is 500 OR 1000 OR 2000 OR 3000 ) AND ( FromHost is not equal to WS01 ) ) AND ( ( Event Source is equal to Security ) OR ( Priority is greater than 5 ) ); all other messages should be written into a text file.

Filter Processing Steps

  • Rule 1: Looks for the filter conditions stated above and makes sure that they are reported only once within a given period. When the filter condition evaluates to true, an e-mail alert is generated.
  • Rule 2: Processes all other incoming messages and logs them into a text file.

Important Note: String comparisons in filter conditions are case-sensitive! For example, if the source system name is “ws01” and you had written “WS01” while applying the filter, then this filter condition would never evaluate to true! Please double-check before proceeding further!

Step 1 – Create a Syslog Server

1. In the configuration program, right-click on “Running Services”. A menu opens; select “Add Service”. Choose “Syslog Server”. Once done it looks like this:

Once you click on the “Syslog Server” a dialog box similar to the one displayed pops up:

In this tutorial we first create the service and then make the required Rule Set, so we choose the “Create Service” option. You can do it the other way round if you prefer.

Once you have done so, a new wizard starts.

2. You can use either the default name or any other you like. I use “My Syslog
Server” in this sample. Leave the “Use default settings” selected and
press “Next”.

3. As we have used the default settings, the wizard immediately proceeds to step 3, the confirmation page. Press “Finish” to create the service. The wizard completes and returns to the configuration client.

4. You see the newly created service beneath the “Services” part of the tree
view. To check its parameters, select it:

As you can see, the service has been created with the default parameters. Please note that
there is no rule set bound to this service.

Step 2 – Create a Rule Set for Email Alert Generation and File Logging

3. To define a new Rule Set, right-click “Rule set”. A pop-up menu appears. Select “Add Rule set” from this menu. On screen, it looks as follows:

4. Then a wizard starts. Change the name of the Rule Set to whatever you like. We use “Email Alert Generation & File Logging” in this example. The screen looks as follows:

Click “Next”. A new wizard page appears.

5. Select only “Send Email”. Do not select any other options for this sample. Also, leave the “Create a Rule for each of the following actions” setting selected. The screen looks as follows:

6. Click “Next”. You see a confirmation page. Click “Finish” to create
the Rule set.

7. As you can see, the new Rule set “Email Alert Generation & File Logging” is
present. We would create the “File Logging” Rule later on. Please expand the Rule Set in the tree
view until the action level of the “Send Email” Rule and select the “Send
Email” action to configure.

8. I have used concrete values in the sample. I assume that the mail server IP address is 192.168.0.1 and that the sender and recipient e-mail addresses are “sender@yourdomain.com” and “admin@yourdomain.com” respectively. Please replace these values and configure them according to your environment.

9. Once the “Send Email” settings are configured, we set up the filter condition. The filter condition would be something like the one below:

( ( Event ID is 500 OR 1000 OR 2000 OR 3000 ) AND ( FromHost is not equal to WS01 ) )

AND

( ( Event Source is equal to Security ) OR ( Priority is greater than 5 ) )

10. Click on the filter condition of the “Send Email” Rule to set up the filter condition.

11. Right-click on the AND button. A pop-up menu appears. Select “Add Operation” and then choose the “AND” operator. Your filter condition looks like this:

Once done, repeat the same process, but this time select the “OR” operator. The AND and OR operators are at the same level. Your filter condition looks like this:

12. Select the lower AND from the tree view and right click on the AND button. Choose “Add
Operation” from the pop up menu. Then select the OR operator. This is done to cover this part of the
filter condition “(Event ID is 500 OR 1000 OR 2000 OR 3000)”.

Right Click on the OR button. Click on the “Add Filter” from the pop up menu. Or you can use the
Add Filter Button. Select “Event Log Monitor” and then “Event ID”. This can be seen in the screen
shot below:

13. I prefer to add all four Event ID property filters first and change the Event IDs to the actual values later. When you have added them, it should look as follows:

14. In order to enter the actual values, select each of the four filters. A small dialog opens at the bottom of the screen where you enter the values you are interested in. In our sample, these are Event ID 500, 1000, 2000, and 3000. As we are only interested in exactly these values, we compare for equality, not with one of the other supported comparison modes. When you have made the updates, your screen should look as follows:

15. Right-click on the lower AND in the tree view (under which you want to add another condition now) and click “Add Filter” in the pop-up menu, or use the Add Filter button. Select “General” and then “Source”.

Once the filter is added, select “is not equal” from the “Compare Operation” combo box and set the value to “WS01”. When you have made the updates, your screen should look as follows:

16. So far we have accomplished this part of the filter condition:

( ( Event ID is 500 OR 1000 OR 2000 OR 3000 ) AND ( FromHost is not equal to WS01 ) )

AND

We work on the second part of the filter condition in the upcoming step i.e. on the
following filter:

( ( Event Source is equal to Security ) OR ( Priority is greater than 5 ) )

17. Select the lower OR from the tree view and right-click on the OR button. Click “Add Filter” in the pop-up menu, or use the Add Filter button. Select “Event Log Monitor” and then “Event Source”. This can be seen in the screenshot below:

Once the filter is added, select “is equal” from the “Compare Operation” combo box and set the value to “Security”. When you have made the updates, your screen should look as follows:

18. Select the lower OR from the tree view and right-click on the OR button. Click “Add Filter” in the pop-up menu, or use the Add Filter button. Select “Syslog” and then “Priority”. This can be seen in the screenshot below:

Once the filter is added, select “greater than” from the “Compare Operation” combo box and set the value to “5”. When you have made the updates, your screen should look as follows:

Don’t forget to save the settings by clicking the (diskette-like) “Save” button.

19. We have now selected all events for which we would like to get e-mail alerts. In order to prevent this rule from firing too often we enable “Minimum Wait Time”. This makes sure that the “Send Email” rule fires at most once within the specified period, no matter how many matching events arrive in the meantime. Click on the filter conditions and you will see an option called “Global Condition”. Select “Minimum Wait time” and configure it. In this sample I have set the “Minimum Wait time” to 1800 seconds (i.e. 30 minutes). Please replace this value as you like.

Click here to read about the difference between “Fire only if Event occurs” and “Minimum Wait Time”.

20. We are almost done! Now we have to create a Rule for file logging. Please note that we are creating a “Rule” and not a “Rule Set”! The reason is that each Rule Set can have as many Rules as you like, and only one Rule Set can be associated with any service at a time (i.e. My Syslog Server in this case). Each Rule in turn can have one filter condition but as many actions as you like. All the Rules that are part of a specific Rule Set are executed sequentially.

In order to create a new Rule, right-click on the “Email Alert Generation & File Logging” Rule Set and select “Add Rule”. The screen looks as follows:

You can use either the default name or any other you like. I use “File Logging” in
this sample.

21. You would see that the “File Logging” Rule has been created. If you expand the Rule in the
tree view until the action level of the “File Logging” Rule, you would notice that the
“File Logging Action” is missing. This is by default. We would create this action in the next
coming steps.

22. In order to create a “File Logging” action, right-click on the Action of the “File Logging” Rule. A pop-up menu appears. Select “Add Action”, then “Write To File”. The screen looks as follows:

23. Then a wizard starts. Change the name of the action to whatever you like. We use “Write to File” in this example. Leave the default settings. The screen looks as follows:

Click “Next”. You see a confirmation page. Click “Finish” to create the
action.

24. Please select the “Write to File” action to configure.

25. The default File Path and File Base Name are “C:\temp” and “MonitorWare”. I am using these values in this sample. You can configure them according to your environment.

26. Leave the filter condition of the “File Logging” Rule as it is. Global Conditions apply to the rule as a whole; they are automatically combined with a logical AND with the conditions in the filter tree. The reason for leaving it untouched is that this rule should process all other incoming messages and log them into the text file.

27. Last, save the changes if you haven’t done so already and then restart the MonitorWare Agent service. This completes the configuration of the syslog server.

MonitorWare Agent cannot dynamically read changed configurations. As such, the service needs to be restarted after such changes.
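The three filter articles above (add, update and delete) build the same condition tree by hand in the Configuration Client. The following is an added example, not Adiscon code, that evaluates such trees over constructed sample events: it shows the case-sensitive string comparison the articles warn about, the Minimum Wait Time suppression from the add article, and one structural pitfall of the update article, namely that four “is not equal” leaves only express “not one of” when they sit under an AND node, not under the original OR node. The property names (EventID, FromHost, EventSource, Priority) and the tuple layout of the tree are assumptions chosen to mirror the filter tree.

```python
"""Added example, not code from Adiscon or from the filter articles above: an
evaluator for the rule filter trees built by hand in the add, update and
delete articles, run over constructed sample events. The property names
(EventID, FromHost, EventSource, Priority) and the AND/OR tuple layout are
assumptions that mirror the filter tree in the Configuration Client."""
import operator
from typing import Any, Callable, Dict, List, Optional, Tuple

# Compare operations from the "Compare Operation" combo box. Strings are
# compared case-sensitively, exactly as the articles warn ("ws01" != "WS01").
COMPARE: Dict[str, Callable[[Any, Any], bool]] = {
    "is equal": operator.eq,
    "is not equal": operator.ne,
    "greater than": operator.gt,
}


def prop(name: str, op: str, value: Any) -> tuple:
    """One property filter leaf: compare event[name] against value."""
    return ("prop", name, op, value)


def AND(*children: tuple) -> tuple:
    return ("AND", children)


def OR(*children: tuple) -> tuple:
    return ("OR", children)


def evaluate(node: tuple, event: dict) -> bool:
    """Walk the tree. A property the event does not carry never matches."""
    if node[0] == "prop":
        _, name, op, value = node
        return name in event and COMPARE[op](event[name], value)
    results = [evaluate(child, event) for child in node[1]]
    return all(results) if node[0] == "AND" else any(results)


EVENT_IDS = (500, 1000, 2000, 3000)
ID_IS_ONE_OF = OR(*(prop("EventID", "is equal", i) for i in EVENT_IDS))
NOT_WS01 = prop("FromHost", "is not equal", "WS01")
SECURITY_OR_PRIO = OR(prop("EventSource", "is equal", "Security"),
                      prop("Priority", "greater than", 5))

# "Add filters" article: top-level AND.
ADD_FILTER = AND(AND(ID_IS_ONE_OF, NOT_WS01), SECURITY_OR_PRIO)

# "Not one of" needs the four "is not equal" leaves under an AND node. If they
# stay under the original OR node, the branch is true for every event ID.
ID_NOT_ONE_OF = AND(*(prop("EventID", "is not equal", i) for i in EVENT_IDS))
UPDATE_FILTER = OR(AND(ID_NOT_ONE_OF, NOT_WS01), SECURITY_OR_PRIO)   # top-level OR
DELETE_FILTER = AND(ID_NOT_ONE_OF, NOT_WS01)                          # lower OR removed


class Rule:
    """A rule with one filter condition and the Minimum Wait Time global condition."""

    def __init__(self, condition: tuple, min_wait_seconds: int = 0) -> None:
        self.condition = condition
        self.min_wait = min_wait_seconds
        self.last_fired: Optional[int] = None

    def fires(self, event: dict, now: int) -> bool:
        if not evaluate(self.condition, event):
            return False
        if self.last_fired is not None and now - self.last_fired < self.min_wait:
            return False                     # still inside the wait window: suppressed
        self.last_fired = now
        return True


# Constructed sample events: (seconds since an arbitrary start, event properties).
SAMPLE_EVENTS: List[Tuple[int, dict]] = [
    (0,    {"EventID": 500,  "FromHost": "SRV01", "EventSource": "Security",    "Priority": 3}),
    (60,   {"EventID": 500,  "FromHost": "WS01",  "EventSource": "Security",    "Priority": 3}),
    (120,  {"EventID": 500,  "FromHost": "ws01",  "EventSource": "Security",    "Priority": 3}),
    (180,  {"EventID": 4624, "FromHost": "SRV02", "EventSource": "Application", "Priority": 7}),
    (2000, {"EventID": 2000, "FromHost": "SRV02", "EventSource": "System",      "Priority": 6}),
]


def alert_times(condition: tuple, min_wait_seconds: int = 1800) -> List[int]:
    """Timestamps at which a Send Email rule with this condition would fire."""
    rule = Rule(condition, min_wait_seconds)
    return [ts for ts, ev in SAMPLE_EVENTS if rule.fires(ev, ts)]


if __name__ == "__main__":
    for ts, ev in SAMPLE_EVENTS:
        print(ts, ev["FromHost"], "add:", evaluate(ADD_FILTER, ev),
              "delete:", evaluate(DELETE_FILTER, ev))
    print("email alerts with 1800 s wait:", alert_times(ADD_FILTER))
```

Note the event at 120 seconds: its host “ws01” differs from “WS01” only in case, so the “is not equal” filter does not exclude it and it still matches, which is the situation the case-sensitivity note describes. With the 1800-second Minimum Wait Time only the events at 0 and 2000 seconds produce an e-mail.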

How do I Add filters for MonitorWare Agent, WinSyslog and EventReporter?

Article created 2004-07-15 by Tamsila-Q-Siddique.

Article updated 2006-06-19 by Timm Herget.

1. You would at least need the Basic Edition of MonitorWare Agent / WinSyslog / EventReporter for this scenario.

Please note: we are using MonitorWare Agent in this guide, and since MonitorWare Agent is a superset of WinSyslog and EventReporter, this guide also applies to WinSyslog and EventReporter.

2. When the Configuration Program client is started, select your language. In this example I use English, so it might be a good idea to choose English even if that is not your preference. You can change it any time later, but using English makes it much easier to follow this guide. Once done you will see a screen similar to the one below:

3. Let’s assume that we are interested in getting an e-mail alert in a given time period for the following filter condition:

( ( Event ID is 500 OR 1000 OR 2000 OR 3000 ) AND ( FromHost is not equal to WS01 ) )

AND

( ( Event Source is equal to Security ) OR ( Priority is greater than 5 ) )

And you also want to log the rest of the messages into a text file. The filter process will basically work as follows (for details see the steps below):

  • Rule 1: Finds the filter condition stated above and makes sure it is only reported once within a given period. When the filter condition evaluates to true, an e-mail alert is generated.
  • Rule 2: Processes all other incoming messages and logs them into a text file.

Important note about Filter Condition

String comparisons in filter conditions are case-sensitive! For example, if the source system name is “ws01” and you had written “WS01” while applying the filter, then this filter condition would never evaluate to true! Please double-check before proceeding further!

Step 1 – Create a Syslog Server

1. In the configuration program, right-click on “Running Services”. A menu opens; select “Add Service”. Choose “Syslog Server”. Once done it will look like this:

Once you click on the “Syslog Server” a dialog box similar to the one displayed pops up:

In this tutorial we will first create the service and then make the required Rule Set, so we choose the “Create Service” option. You can do it the other way round if you prefer.

Once you have done so, a new wizard starts.

2. You can use either the default name or any other you like. I will use “My Syslog
Server” in this sample. Leave the “Use default settings” selected and
press “Next”.

3. As we have used the default settings, the wizard will immediately proceed to step 3, the confirmation page. Press “Finish” to create the service. The wizard completes and returns to the configuration client.

4. You will see the newly created service beneath the “Services” part of the tree
view. To check its parameters, select it:

As you can see, the service has been created with the default parameters. Please note that
there is no rule set bound to this service.

Step 2 – Create a Rule Set for Email Alert Generation and File Logging

3. To define a new Rule Set, right-click “Rule set”. A pop-up menu will appear. Select “Add Rule set” from this menu. On screen, it looks as follows:

4. Then a wizard starts. Change the name of the Rule Set to whatever you like. We will use “Email Alert Generation & File Logging” in this example. The screen looks as follows:

Click “Next”. A new wizard page appears.

5. Select only “Send Email”. Do not select any other options for this sample. Also, leave the “Create a Rule for each of the following actions” setting selected. The screen looks as follows:

6. Click “Next”. You will see a confirmation page. Click “Finish” to create
the Rule set.

7. As you can see, the new Rule set “Email Alert Generation & File Logging” is
present. We would create the “File Logging” Rule later on. Please expand the Rule Set in the tree
view until the action level of the “Send Email” Rule and select the “Send
Email” action to configure.

8. I have used concrete values in the sample. I assume that the mail server IP address is 192.168.0.1 and that the sender and recipient e-mail addresses are “sender@yourdomain.com” and “admin@yourdomain.com” respectively. Please replace these values and configure them according to your environment.

9. Once the “Send Email” settings are configured, we will set up the filter condition. The filter condition would be something like the one below:

( ( Event ID is 500 OR 1000 OR 2000 OR 3000 ) AND ( FromHost is not equal to WS01 ) )

AND

( ( Event Source is equal to Security ) OR ( Priority is greater than 5 ) )

10. Click on the filter condition of the “Send Email” Rule to set up the filter condition.

11. Right-click on the AND button. A pop-up menu appears. Select “Add Operation” and then choose
the “AND” Operator. Your filter condition will look like this:

Once done, repeat the same process again, but this time select the “OR” Operator. The “AND” and “OR”
Operators are at the same level. Your filter condition will look like this:

12. Select the lower AND from the tree view and right-click on the AND button. Choose “Add
Operation” from the pop-up menu. Then select the OR operator. This is done to cover this part of the
filter condition: “(Event ID is 500 OR 1000 OR 2000 OR 3000)”.

Right-click on the OR button. Click on “Add Filter” in the pop-up menu, or use the
Add Filter button. Select “Event Log Monitor” and then “Event ID”. This can be seen in the screen
shot below:

13. I prefer to add all four Event ID property filters first and later on change the
Event IDs to the actual values in the sample. When you have added them, it should look as
follows:

14. In order to enter the actual values, select each of the four filters. A small dialog opens
at the bottom of the screen. There you enter the values you are interested in. In our sample, these
are Event ID 500, 1000, 2000, and 3000. As we are only interested in exactly these values, we do a
comparison for equality, not one of the other supported comparison modes. When you have made the
updates, your screen should look as follows:

15. Right-click on the lower AND in the tree view (under which you want to add another condition
now) and click on “Add Filter” in the pop-up menu, or use the Add Filter button.
Select “General” and then “Source”.

Once the filter is added, select “is not equal” from the “Compare Operation” combo box and
then set the value to “WS01”. When you have made the updates, your screen should look as
follows:

16. So far we have accomplished this part of the filter condition:

( ( Event ID is 500 OR 1000 OR 2000 OR 3000 ) AND ( FromHost is not equal to WS01 ) )

AND

We will work on the second part of the filter condition in the upcoming steps, i.e. on the
following filter:

( ( Event Source is equal to Security ) OR ( Priority is greater than 5 ) )

17. Select the lower OR from the tree view and right-click on the OR button. Click on “Add
Filter” in the pop-up menu, or use the Add Filter button. Select “Event Log Monitor” and
then “Event Source”. This can be seen in the screen shot below:

Once the filter is added, select “is equal” from the “Compare Operation” combo box and
then set the value to “Security”. When you have made the updates, your screen should look as
follows:

18. Select the lower OR from the tree view and right-click on the OR button. Click on “Add
Filter” in the pop-up menu, or use the Add Filter button. Select “Syslog” and
then “Priority”. This can be seen in the screen shot below:

Once the filter is added, select “greater than” from the “Compare Operation” combo box and
then set the value to “5”. When you have made the updates, your screen should look as
follows:

Don’t forget to save the settings by clicking the (diskette-like) “Save” button.

19. We have now selected all events for which we would like to get email alerts. In order to prevent
this rule from firing too often, we enable “Minimum Wait Time”. This makes sure that the events
matched by the filter condition of the “Send Email” Rule trigger the action only once
within a specified period. Click on the Filter Conditions and you will see an option called “Global
Condition”. Select “Minimum Wait time” and configure it. In this sample I have set the “Minimum
Wait time” to 1800 Seconds (i.e. 30 minutes). Please replace this value as you like.


20. We are almost done! Now we have to create a Rule for File Logging. Please note that we
are creating a “Rule” and not a “Rule Set”! The reason is that each Rule Set can have as many
Rules as you like, and only one Rule Set can be associated with any service at a time (i.e. “My Syslog
Server” in this case). Each Rule in turn can have one filter condition but as many actions as you
like. All the Rules that are part of a specific Rule Set are executed in sequential order.

In order to create a new Rule, right-click on the “Email Alert Generation & File Logging”
Rule Set and select “Add Rule”. The screen looks as follows:

You can use either the default name or any other you like. I will use “File Logging” in
this sample.

21. You will see that the “File Logging” Rule has been created. If you expand the Rule in the
tree view down to the action level of the “File Logging” Rule, you will notice that the
“File Logging” action is missing. This is the default. We will create this action in the next
steps.

22. In order to create a “File Logging” Action, right-click on the Action node of the “File Logging”
Rule. A pop-up menu appears. Select “Add Action”, then “Write To File”. The screen looks as
follows:

23. Then, a wizard starts. Change the name of the action to whatever name you like. We will use
“Write to File” in this example. Leave the default settings. The screen looks as
follows:

Click “Next”. You will see a confirmation page. Click “Finish” to create the
action.

24. Please select the “Write to File” action to configure it.

25. The default File Path and File Base Name are “C:\temp” and “MonitorWare”. I am
using these values in this sample. You can configure them according to your environment.

Please note: if a configured directory is missing, the latest versions of
MonitorWare Agent, WinSyslog and EventReporter are able to create the missing
directories.

26. Leave the filter condition of the “File Logging” Rule as it is (empty). Global Conditions apply to the
rule as a whole; they are automatically combined with a logical AND with the conditions in the filter
tree. The reason for leaving the filter empty is that all other incoming messages are then processed and
logged into the text file.

27. Last, save the changes if you have not done so already and then restart the MonitorWare /
WinSyslog or EventReporter service. This procedure completes the configuration of the Syslog
server.

MonitorWare / WinSyslog or EventReporter cannot dynamically read changed configurations. As
such, it needs to be restarted after such changes.
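The rule set assembled in steps 9 through 27, as an added example that is not taken from Adiscon's documentation: a Python model of the “Send Email” filter tree, the Minimum Wait Time global condition and the sequential execution of both rules, run over constructed events. The Event fields, the MinimumWaitTime class and the sample events are assumptions made for illustration, not the product's API.

```python
# Added example (not Adiscon's code): the "Email Alert Generation & File Logging"
# rule set built above, modelled in plain Python so the filter tree, the Minimum
# Wait Time global condition and sequential rule execution can be checked offline.
from dataclasses import dataclass
from typing import Optional

@dataclass
class Event:
    event_id: int
    from_host: str    # "Source" under General, i.e. the originating host
    source: str       # Windows event source, e.g. "Security"
    priority: int     # syslog priority
    timestamp: float  # seconds since start; constructed

def email_filter(ev: Event) -> bool:
    """Filter condition of the "Send Email" rule as built in steps 9-18."""
    id_match = ev.event_id in (500, 1000, 2000, 3000)         # OR of four Event ID filters
    not_ws01 = ev.from_host != "WS01"                         # Source "is not equal" WS01
    sec_or_prio = ev.source == "Security" or ev.priority > 5  # lower OR branch
    return (id_match and not_ws01) and sec_or_prio            # top-level AND

@dataclass
class MinimumWaitTime:
    """Global condition (ANDed with the filter tree): fire at most once per `seconds`."""
    seconds: float
    last_fired: Optional[float] = None
    def allows(self, now: float) -> bool:
        if self.last_fired is not None and now - self.last_fired < self.seconds:
            return False
        self.last_fired = now
        return True

def run_ruleset(rules, events):
    """rules: (name, actions, filter, global_cond). Returns (rule, action, event_id) per firing."""
    fired = []
    for ev in events:  # each message passes through the rules in sequence
        for name, actions, flt, gcond in rules:
            if flt(ev) and (gcond is None or gcond.allows(ev.timestamp)):
                fired.extend((name, act, ev.event_id) for act in actions)
    return fired

def sample_run():
    rules = [("Send Email", ["Send Email"], email_filter, MinimumWaitTime(1800)),
             ("File Logging", ["Write to File"], lambda ev: True, None)]  # empty filter: every message
    events = [Event(1000, "WS02", "Security", 3, 0),        # matches, email sent
              Event(2000, "WS02", "Application", 7, 600),   # matches, but inside wait time
              Event(500, "WS01", "Security", 9, 2000),      # excluded: FromHost is WS01
              Event(3000, "WS03", "Application", 2, 2500),  # neither Security nor prio > 5
              Event(3000, "WS03", "Security", 2, 2600)]     # matches, 1800 s elapsed, email sent
    return run_ruleset(rules, events)
```

Running `sample_run()` shows the file rule logging all five constructed events while the email rule fires only for the first and last, the second match being suppressed by the 1800-second wait.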

Does a UNC path work for WinSyslog, EventReporter and MonitorWare Agent?

Created 2003-11-21 by Tamsila-Q-Siddique.

When a UNC path (\\servername\sharename\path) is given as the file path in your “Write to File” action, WinSyslog, EventReporter and MonitorWare Agent don’t work?

Yes, UNC paths work for WinSyslog, EventReporter and MonitorWare Agent, but due to Windows design you must meet some prerequisites to enable them to actually work. They do NOT work in the default configuration. This is because WinSyslog, EventReporter and MonitorWare Agent are installed to run under the Windows local system account. This account is restricted from network I/O by Windows design. To use a UNC name from a service (like WinSyslog, EventReporter and MonitorWare Agent), please do the following:

  1. Create an account that has permissions to actually access the UNC share.
  2. Then, grant it the “Log on as a service” right so that the service can use it.
  3. Also make sure that it has permissions to access all local resources needed.
  4. Then, go to the Windows Services Manager and change the service account to the new one.
  5. Now the service is able to access the UNC share.

Migrating the Rules from EventReporter to MonitorWare Agent

Created 2003-07-22 by Wajih-ur-Rehman

How can I migrate the rules that I have defined in EventReporter to MonitorWare Agent?

This FAQ is only applicable to those who are using EventReporter 6.x and MonitorWare Agent 1.2 or higher. Follow the steps below:

  1. Click on Start, go to Run and type regedit.
  2. Browse to HKEY_LOCAL_MACHINE\SOFTWARE\Adiscon\EventReporter\RuleSets.
  3. Export the above mentioned key and save it somewhere.
  4. Open the file created in the above step with Notepad.
  5. Replace all occurrences of EventReporter with MonitorWare\Agent (simply use Find and Replace All from the Edit menu of Notepad).
  6. Save the file and close it.
  7. Double-click on this registry file.
  8. This migrates all the rules from EventReporter to MonitorWare Agent and also overrides the rules previously defined for MonitorWare Agent.