How can I make Event ID part of the actual Syslog message while forwarding to a Syslog Server?

Created 2004-06-24 by Tamsila-Q-Siddique.

We are using MonitorWare Agent / EventReporter to forward Windows Event logs to a Syslog Server. The resulting syslog messages don’t have the Event IDs in them. How can we make the Event ID part of the actual Syslog message?

One proposed solution is to forward the Event Log messages using SETP Server. The resulting messages will have the Event IDs in them. Click here to know the difference between SETP and Syslog!

But there are other ways to include the Event ID even without using SETP (which is obviously not an option if you would like to send to a non-Adiscon backend). So you can do one of the following:

  1. Use XML Format – This is the recommended option. With XML format, you get everything about this event, and you get it in a well-structured way. It includes all of the properties described in our Event Properties reference. To enable XML format, simply check “Use XML to Report” in the “Forward Syslog” Action.
  2. Use Custom Format – In the “Forward Syslog” action, you can specify your own custom format in the “Message Format” text box. By default it is set to %msg%, but you can include whatever you like. Use the “Insert” link to do this (or simply type it)! Be sure to read the “Property Replacer” documentation to see the full power. This option is a good one, especially if you intend to parse the data… because *you* can exactly specify what you would like to see.
  3. Use MoniLog Format – This is our former legacy format. It includes a bunch of useful information, but it has a number of anomalies, which might hit you in a few cases when parsing. We do not recommend it, but if you would like to use it, you can select the “Insert” link in the “Forward Syslog” action properties. Then, select “Replace with MoniLog Format”. It will generate a custom format of the type given below. Again, we do not recommend this, but it is a way.

     ## %severity% %timereported:::uxTimeStamp%: %source%/%sourceproc% (%id%) – “%msg%” ##
  4. Change Event Log Monitor Settings – You could also change the Event Log Monitor itself to generate the legacy format. Then, you do not need to change the “Forward Syslog” action’s settings. The big drawback is that the Event Log Monitor now emits an old format, which is not meant to be processed by any other MonitorWare product. If you just use the product as a back-end for your own front-end, this is not an issue. Anyhow, we still recommend going for approach #3 instead of this. If you absolutely want to do it this way, this is how it is done:
    Go to the Event Log Monitor properties. Click on the “Advanced Options” button. Check the “Use Legacy Format” checkbox. This will enable some other checkboxes. Review the options to see which of these you want.

We have provided the options at hand. We *strongly* recommend going for either option 1 or 2. If you choose option 3 or 4, you may receive a parsing error from time to time; this has been solved by the newer formats.

As a general hint, you may want to take into account that Windows Event Log messages can become rather lengthy. They often exceed the syslog RFC size of 1024 bytes. If you run a non-Adiscon Syslog Server, you need to ensure it can receive such large messages, because otherwise some information might be missing (with option 2, you can customize what you would like to be missing in such cases – by limiting the size of %msg% via the property replacer).

System Requirements for Monitoring NetWare Files

Created on 2003-08-08 by Rainer Gerhards.
Updated on 2004-06-16 by Tamsila-Q-Siddique.

MonitorWare Agent needs to access files on NetWare via a UNC share. It is known that some versions of the Novell and/or Microsoft software have issues with services accessing files on a UNC share on NetWare.

Microsoft acknowledges that there is a problem in Windows 2000 without any service pack. For more information, go to:

http://support.microsoft.com/default.aspx?scid=kb;EN-US;250502

However, we had the same problem with Windows 2000 SP1. It was resolved when SP3 was installed.

So, as general advice, we strongly recommend using the latest Microsoft service pack available for your operating system. If you are using the Novell Client, you should also use the most recent one.

Why does the File Monitor Service experience difficulties when accessing files located on a NetWare Server?

Created 2004-06-16 by Tamsila-Q-Siddique.

I am attempting to watch files on a NetWare Server. On my W2K machine, MonitorWare Agent can monitor files on itself wonderfully, but it will not monitor files on the NetWare Server. We are receiving your error code 1707 when attempting to connect via your connection menu item. What to do?

This is because our MonitorWare line of products (e.g. MonitorWare Agent) is installed to run under the “Windows Local System Account”. This account is restricted from network I/O by Windows design.

We have also seen that the NetWare Client under Windows 2000 seems to have big issues with services. Click here to know the recommended System Requirements for Monitoring NetWare Files.

Using the Microsoft Client – and not the Novell one – will most likely solve any issues. You can verify whether it is a client issue by running the MonitorWare Agent in the foreground, and not as a service. This was specifically added as a work-around for Novell-related issues (we have really, really pinpointed that this is a Novell / Microsoft issue and not our software – lots of other services are experiencing similar problems). The Novell issue is only with services – as soon as you run the MonitorWare Agent in a DOS box in an interactive session, all troubles disappear.

Monitoring the log file via a UNC share can be used as a work-around as well.

Why do I get “Type Mismatch” or “Page Not Found” Error when using the Online Web Access Viewer?

Created 2004-06-15 by Tamsila-Q-Siddique

I have verified all the settings in the “ConfigSettings.asp” page and it looks fine. All Permissions are granted. But when I access the Online Web Access Viewer the “Type Mismatch” or “Page Not Found” error is displayed. What to do?

You have probably disabled Session State. To run WinSyslog Web Access / MonitorWare Web Access you must enable Session State. The reason is documented in Microsoft Knowledge Base Article 242425.

Why does the Port Probe Service fail?

Created 2004-06-15 by Tamsila-Q-Siddique

I have configured a PortProbe Service to check for activity of the SMTP Service on our mail server. MonitorWare Agent has full Internet access and I am not using any proxy servers or DNS aliases for the mail server. The PortProbe service is running, but it does not execute the action configured (i.e. when the target port can’t be connected). What am I doing wrong?

If the PortProbe Service is running but the configured action is not executed, then it can be for one of the following reasons:

  1. On the PortProbe Service properties window, there is an option called “Generate an event if PortProbe was successful”. Kindly uncheck this option; the service will then only generate an event if the target port cannot be connected.
  2. Your mail server is protected by a Firewall.
  3. You may have a personal Firewall running that is blocking MonitorWare Agent from reaching the mail server.

How to forward the messages with the original IP in the header instead of sender’s IP address?

Created 2004-06-14 by Tamsila-Q-Siddique

We are forwarding some Syslog messages using WinSyslog / MonitorWare Agent, but when the message shows up at the other location, it appears with the forwarding server’s IP address instead of the originating device’s IP address in the header. Is there a way to forward the messages with the original IP in the header instead?

What you experience is actually a shortcoming in the “Syslog Protocol” itself. The address is taken from the sender, so when a message is relayed, the sender’s address changes. However, there are a number of cures, each depending on your needs, your configuration and possibly the edition in use.

  1. If your devices are RFC 3164 compliant (many are unfortunately not), you can take the hostname from the Syslog header. There is an option in MonitorWare Agent / WinSyslog, “RFC 3164 parsing”, which you can enable to get hold of this.

    Please note that it is disabled by default because non-compliant devices can really create very strange values in the header fields.

  2. You can use Adiscon’s proprietary SETP protocol, which solves this issue (this may require an edition upgrade). Click here to know the difference between SETP and Syslog!
  3. You can forward the message in “XML Format”. That will make it look strange, but you will receive all information. If you do machine parsing, the strangeness may not be an issue (if you work around it in your parser).
  4. You can also enable the “Include Original Host” option in the Syslog forwarder, which will simply add a tag “FromHost: <ip>” at the beginning of the header.

    Please note that this in itself is not RFC 3164 compliant.

Click on MonitorWare Agent and WinSyslog to see different editions of each product.

How to avoid “file already in use” error in the Online Web Access Viewer?

Created 2004-05-27 by Michael Meckelein.

You often get an error “file already in use” if you use the Online Web Access Viewer together with an MS Access database. The message you get looks like this one:

AccessMicrosoft OLE DB Provider for ODBC Drivers error ‘80004005’
[Microsoft][ODBC Microsoft Access Driver] Could not use ‘(unknown)’; file already in use.
/winsyslog/EventsOnline.asp, line 388

This is a well-known performance issue of the MS Access database. It is highly recommended not to use this database for production environments. You can switch to either MySQL (which is free) or SQL Server. This will solve the problem of web access too and will enhance the efficiency at the same time.

However, to avoid the error you can try the following:

  1. Right click on the folder in which the MS access database is located and select Properties.
  2. Be sure that the Read-only property is unchecked.
  3. Switch to the Security tab in the properties windows.
  4. Click the Add button to open the Select Users or Groups window.
  5. Select the user Internet Guest Account, click Add and confirm your selection with OK. (Note: the Internet Guest Account typically has the name IUSR_COMPUTERNAME.)
  6. Now you are back in the Properties window. Be sure that the new user is selected. Give the user Write permissions by activating the checkbox.

If you have any questions on these pages, please email us at support@adiscon.com.

Why does the Online Web Access Viewer display a wrong page reference?

Created 2004-04-23 by Tamsila-Q-Siddique

I am using MySQL as the underlying database. The online web access viewer only displays 1 page of records even though there are 100 or more records. The page reference in the upper right hand corner says “Page 1 of 0”?

Please do the following:
There is a Boolean in the Config file, “bUsingMysql” (without quotes). Set this Boolean to “true” (without quotes), as follows: “bUsingMysql = true” (without quotes).

Forwarding IIS Logs to a central File

Created 2004-04-02 by Timm Herget and Rainer Gerhards.

I would like to centralize IIS log files to a central log server. The files on that central server should be in the exact same format they are on the IIS machines.

This can be done with MonitorWare Agent 2.0 and above. Let’s look into the theory first: if you would like to forward IIS log files AND have them in the same format at the receiving machine, you need to make some special settings.

First of all, please note that the file monitor, when set to “W3C log files”, is optimized to extract the properties from each log line, not to forward the log literally. If you would like to forward them literally, you need to make sure that the format is set to “Standard”, which will disable all W3C-log specific handling (that would otherwise disturb the result). The syslog tag is not needed here, so it should be totally removed.

We must ensure that the Forward Syslog action does not alter this message content. As such, we must make sure that the “Add Syslog Source when Forwarding” setting is NOT activated.

Unfortunately, that will not eliminate the tag as such from the syslog message, but we can handle this with the property replacer. As per RFC 3164, the syslog tag will be present in the so-generated message. In fact, the message will be “: <ORIGINAL line W3C>”, with <ORIGINAL line W3C> literally being the line taken from the W3C log. Effectively, we end up with two extra characters (“: ”) at the beginning of the line. Thankfully, we can eliminate these with the property replacer (it is capable of providing substrings of event properties). The message is in the “msg” property. So “%msg:3%” is everything from the third character position up until the end of the line (the end position is not specified, so “end of line” is the default). To use the property replacer, we must use the “Write to File” action with “Custom” file format. Then, we can enter an arbitrary string that shall be written to the file. In our case, we use “%msg:3%%$CRLF%”: this instructs the Write to File action to first write the original file line and then a Windows newline sequence. The latter is needed because it was stripped out by the file monitor.

This looks in the dialogs as follows:

1. Sender : Forward Via Syslog Settings

The “Add Syslog Source when …”-Checkbox MUST be unchecked.

Figure 1: Forward Syslog Action Settings

2. Sender : File Monitor Service Settings

Please note that the “Syslog Tag Value” Field MUST be empty (not even a space in it).

Figure 2: File Monitor Service Settings

3. Recipient: Syslog Listener Settings

Please note that “Enable RFC 3164 Parsing” MUST be checked.

Figure 3: Syslog Listener Service Settings

4. Recipient: Write to File Action Settings

The “File Path Name” directory must exist; MonitorWare Agent will not create it if it is not present.

The “File Format” MUST be set to “Custom”. The following custom line format MUST be used:

%msg:3%%$CRLF%

Figure 4: Write to File Action Settings

With the above settings the recipient MonitorWare Agent will generate exactly the same log files as the original ones.
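As an added example (not Adiscon’s code), the following Python models the relay step described in this article and the custom-format option from the Event ID FAQ above: an RFC 3164 frame is built with an empty syslog tag, parsed back into properties as an “RFC 3164 parsing” listener would, and run through the %msg:3%%$CRLF% template to recover the W3C line byte for byte. The sample W3C line is constructed, and the %prop:from:to% semantics beyond %msg:3% (an inclusive end position, used to size-limit %msg%) are an assumption.

```python
import re

# Constructed sample IIS W3C log line (not taken from any real server).
W3C_LINE = ("2004-04-02 10:15:32 192.0.2.10 GET /default.htm - 80 - "
            "198.51.100.7 Mozilla/4.0 200 0 0")

_TOKEN = re.compile(r"%([^%]*)%")
_RFC3164 = re.compile(
    r"^<(\d{1,3})>(\w{3} [ \d]\d \d\d:\d\d:\d\d) (\S+) (.*)$", re.DOTALL)

def property_replace(template, props):
    """Expand a property-replacer template against a dict of properties.
    Modelled on the syntax the page shows: %msg% is the whole property,
    %msg:3% runs from 1-based position 3 to end of line, %$CRLF% is the
    Windows newline. %prop:from:to% with an inclusive end position is an
    assumption made here so that %msg% can be size-limited.
    """
    def expand(match):
        spec = match.group(1)
        if spec == "$CRLF":
            return "\r\n"
        name, *rng = spec.split(":")
        value = props.get(name, "")
        start = int(rng[0]) - 1 if rng and rng[0] else 0
        end = int(rng[1]) if len(rng) > 1 and rng[1] else len(value)
        return value[start:end]
    return _TOKEN.sub(expand, template)

def build_relay_frame(pri, timestamp, host, tag, content):
    """Frame a line as an RFC 3164 sender does: '<PRI>TIMESTAMP HOST TAG: CONTENT'.
    With the syslog tag left empty, MSG degrades to ': CONTENT', which is the
    two-character prefix the page describes."""
    return f"<{pri}>{timestamp} {host} {tag}: {content}"

def parse_rfc3164(frame):
    """Split a frame into properties as a listener with 'RFC 3164 parsing' would."""
    m = _RFC3164.match(frame)
    if not m:
        raise ValueError("not an RFC 3164 frame")
    pri = int(m.group(1))
    return {"facility": str(pri >> 3), "severity": str(pri & 7),
            "timereported": m.group(2), "source": m.group(3), "msg": m.group(4)}

def recover_w3c_line(frame):
    """Apply the page's 'Write to File' template %msg:3%%$CRLF% to a received frame."""
    return property_replace("%msg:3%%$CRLF%", parse_rfc3164(frame))

def size_limited_msg(props, limit):
    """Option 2 of the Event ID FAQ: keep %msg% within a fixed budget via %msg:1:N%."""
    return property_replace(f"%msg:1:{limit}%", props)

if __name__ == "__main__":
    frame = build_relay_frame(134, "Apr  2 10:15:32", "iis01", "", W3C_LINE)
    print(recover_w3c_line(frame) == W3C_LINE + "\r\n")  # True
```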

Sample Configurations

We have created some registry files for both the sender and the recipient server. If you download them, simply import them into the registry on the machine in question (if your system is a default install, double-clicking the file is sufficient to do this). Be sure that the MonitorWare Agent client is closed while you do this. Please note that the sample configurations MUST be customized in order to make them work for you.

Sample configuration for MonitorWare Agent 2.0

Please note: samples may not work with versions other than the one specified in the download link!

How can I use a second sound card with the Play Sound Action?

Created 2004-03-25 by Tamsila-Q-Siddique

I have got a second sound card on my machine, how can I use it with the Play Sound Action?

The Play Sound action plays a sound on the local machine. It is possible to play wave files and some other “system” supported sound files. This does NOT include mp3 files. As MonitorWare Agent usually runs as a System service, there are some things which need to be noted!

On machines with more than ONE sound card, the MonitorWare Agent Service will take the “first active installed sound card as output device regardless of what is configured”. This behaviour is further explained by Microsoft Q255584 (PlaySound API).

If there is a need to play the sound on another sound card instead of the first active installed one, then there are two workarounds:

  1. Specify a “User Account” for the Service which has a local profile where the sound card you want to use is configured as the primary playback device.
  2. Run the MonitorWare Agent Service in console mode using the “-r” switch under a user account which has the sound card you want to use configured as the primary playback device.

By following the above work-arounds, you are able to use a second sound card (even x sound cards, where x is user configurable) with the Play Sound Action.

Please Note: The following things are user configurable in the Play Sound Action.

Filename of the Soundfile – A full path and filename to the wave file which will be played. If the sound file specified here cannot be found or is not a valid wave file, a simple system beep will be played.

Playcount: Default is 1 – can be configured up to 100 times.

Delay between the sound plays – Only useful if the sound is played more than once. Between each play, MonitorWare Agent will wait for this time until it plays the sound again.

Note: A prior running sound will be aborted when this action is executed.