How to create complex filter conditions?

Created 2003-05-13 by Usman Khawaja.

I would like to create some more complex filters by combining ANDs and ORs.

(condition “a” AND condition “b”)
OR
(condition “c” AND condition “d”)
OR

where “condition a” could be one of the available choices, such as “syslog priority < 4”, etc.

In order to create the above mentioned scenario, follow these steps:

  1. First create a rule set and add a rule to it. Click on the filter conditions of that rule set. You will see the default form for filter conditions. By default there is an AND condition set in the filter condition form. You can change that operator to OR/XOR/NOT/TRUE/FALSE by double-clicking on the AND operator.
  2. Now click on the AND operator in the toolbar shown on the right side of the filter conditions form (in MonitorWare Agent) in order to AND conditions a and b. Right-click on the AND operator (which you just added) and add the filter conditions.
  3. Now click on the OR operator at the top again and insert another AND operator from the toolbar. Follow the same process as in step 2, i.e. right-click on the AND operator and add filter conditions c and d. You can create as many AND groups as you like; the OR operator is applied among them.

Please have a look at the picture below. It will give you a better understanding of how to create nested filter conditions.

Complex Filter Conditions.

Please note that this information is only applicable to WinSyslog 5.x and above, EventReporter 6.x and above and MonitorWare Agent 1.x and above.
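The nested (a AND b) OR (c AND d) tree that the steps above build, as an added Python model (not Adiscon's code): every toolbar operator is a node whose children are either further operators or leaf comparisons such as “syslog priority < 4”. The event field names, the comparison syntax and the XOR semantics are assumptions; the sample events are constructed.

```python
import operator
from typing import Any, Callable, Dict, List

Event = Dict[str, Any]
COMPARATORS: Dict[str, Callable[[Any, Any], bool]] = {
    "<": operator.lt, "<=": operator.le, "==": operator.eq,
    "!=": operator.ne, ">=": operator.ge, ">": operator.gt,
}

class Cond:
    """Leaf condition: compare one event field with a constant,
    e.g. Cond("priority", "<", 4) stands for "syslog priority < 4"."""
    def __init__(self, field: str, op: str, value: Any):
        self.field, self.op, self.value = field, op, value
    def evaluate(self, event: Event) -> bool:
        if self.field not in event:       # missing field never matches (assumption)
            return False
        return COMPARATORS[self.op](event[self.field], self.value)

class Op:
    """Operator node from the FAQ's toolbar: AND/OR/XOR/NOT/TRUE/FALSE."""
    def __init__(self, name: str, *children):
        self.name, self.children = name.upper(), list(children)
    def evaluate(self, event: Event) -> bool:
        r = [c.evaluate(event) for c in self.children]
        return {
            "AND": all(r),                     # empty AND (the default form) is true
            "OR": any(r),
            "XOR": sum(r) % 2 == 1,            # odd number of true children (assumed)
            "NOT": (not r[0]) if r else False,  # negates its single child
            "TRUE": True, "FALSE": False,
        }[self.name]

# (priority < 4 AND source == "fw") OR (priority < 2 AND facility == 4)
FILTER = Op("OR",
            Op("AND", Cond("priority", "<", 4), Cond("source", "==", "fw")),
            Op("AND", Cond("priority", "<", 2), Cond("facility", "==", 4)))

# Constructed sample events (field names are assumptions, not the product's)
SAMPLE_EVENTS = [
    {"priority": 3, "source": "fw", "facility": 1},   # first AND branch
    {"priority": 1, "source": "web", "facility": 4},  # second AND branch
    {"priority": 5, "source": "fw", "facility": 4},   # neither branch
]

def matching(events: List[Event], flt: Op = FILTER) -> List[int]:
    """Indices of the events the filter tree accepts."""
    return [i for i, e in enumerate(events) if flt.evaluate(e)]

if __name__ == "__main__":
    print(matching(SAMPLE_EVENTS))  # [0, 1]
```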

Difference between ReceivedAt and DeviceReportedTime

Created 2003-05-10 by Wajih-ur-Rehman.

What is the difference between ReceivedAt and DeviceReportedTime?

I will explain the difference using two different scenarios:

Scenario 1: Using MonitorWare Agent as an Event Log Monitor and forwarding the data to another MonitorWare Agent using Syslog

In this case, the DeviceReportedTime is the time recorded in the Windows Event Log, i.e. the time at which the message was written into the Windows Event Log. The ReceivedAt time, on the other hand, is the time when the Syslog message is received by the Syslog daemon, which in this case is the central MonitorWare Agent.

Scenario 2: Using MonitorWare Agent as an Event Log Monitor and forwarding the data to another MonitorWare Agent using SETP

In this case, the DeviceReportedTime is once again the time recorded in the Windows Event Log, i.e. the time at which the message was written into the Windows Event Log. The ReceivedAt time, in this case, is the time at which the forwarding MonitorWare Agent picks up the data from the event log. Note that by design, the SETP protocol does not modify the message as it is sent to the central daemon. So when the message arrives at the central daemon, its ReceivedAt time stamp is not changed. In other words, the ReceivedAt time stamp of any message stays the same (i.e. the time when the event was read from the Windows Event Log).

MonitorWare Agent 4.x – Database Structure Advantages

Created 2003-05-05 by Wajih-ur-Rehman.
Last Updated 2006-06-21 by Timm Herget.

What are the advantages of this new Database Structure for MonitorWare Agent 4.x?

Since most of the important information about any event is present in the message content, and since the new MonitorWare Agent parses this information out and stores it as name-value pairs in the SystemEventsProperties table, the biggest advantage of the new schema is the ability to define more meaningful and powerful filters. In addition, it gives Adiscon an opportunity to generate more intelligent reports (for MonitorWare Console) for analysis purposes.

Numeric values for event severity levels

Created 2003-04-14 by Lutz Koch.

What are the numeric values for event severity levels?

The severity of an event describes its importance. Severity levels are represented by the following numeric values:

Severity         Numeric value
SUCCESS          1
ERROR            2
WARNING          4
INFORMATION      8
AUDIT_SUCCESS    16
AUDIT_FAILURE    32

How to set the Windows 2000 event log size?

Created 2003-04-14 by Rainer Gerhards.

I know that the Windows event log size settings are not optimal. So how can I change them and what are better values?

Indeed, the default settings are just 512 KB and “overwrite events older than 7 days”. While the 512 KB setting does not actually pose a problem, the 7-day overwrite does. Effectively, it means that no new records will be added to the event log as long as records younger than 7 days fill up the log: they cannot be overwritten with this setting, so the new ones are simply lost.

With MonitorWare Agent and EventReporter, event log records are quickly picked up from the Windows event logs and forwarded to a central server. As such, there is no concern about older records being overwritten. For that reason, we recommend setting the log to “overwrite as needed”. As a general guideline, we also recommend setting the log size to 4096 KB, as this allows for some local storage on the system in question (but this is not critical).

If you would like to see how these settings can be made, you can watch a short video sequence demoing this.

MonitorWare Agent as Syslog and SETP Server

Created 2003-04-04 by Wajih-ur-Rehman.

If I am forwarding the data from different MonitorWare Agents via SETP to a central MonitorWare Agent acting as a SETP Server, will I be able to send Syslog messages to this central server too?

Yes, you will be able to send Syslog messages to the same MonitorWare Agent as well. The reason is that MonitorWare Agent can act as a Syslog server and as a SETP server simultaneously. So not only can your Windows machines forward events via the SETP protocol, but any other machine that generates syslog messages can forward its data using Syslog. Both kinds of messages (SETP and Syslog) will be picked up by the central MonitorWare Agent (but obviously you need to configure it so that it can do this).

Configurations for SETP and Syslog Server

Created 2003-04-04 by Wajih-ur-Rehman.

I want to have a MonitorWare Agent acting as a central server such that it can accept both SETP and Syslog messages and log them to a database. What configuration should I make?

Create the following configuration settings for the MonitorWare Agent that will act as the central server collecting all the messages:

  1. Right-click on the “Services” node and add “Syslog Server”. A new node will be added under the Services node. Click on this newly added node and change the settings according to your requirements.
  2. Right-click on the “Services” node and add “SETP Server”. A new node will be added under the Services node. Click on this newly added node and change the settings according to your requirements.
  3. When you install MonitorWare Agent, it creates one RuleSet automatically. Right-click on it, go to Rules and add a new Rule. You will see a new Rule under the RuleSet.
  4. When you expand this newly created Rule, you will see two nodes under it. One is “Filter Condition” (by default, “No Filter” is selected) and the other is “Actions”.
  5. Right-click on Actions, add a “Write to Database” action and configure its settings.
  6. Go back to the services that you created in step 1 and step 2 and make sure that the RuleSet under which you defined your own Rule in step 3 is bound to both of these services.

Configurations for Forwarding the Events

Created 2003-04-04 by Wajih-ur-Rehman.

I have MonitorWare Agents running on various Windows machines/servers. I want to forward all the Windows Event Log messages to the central MonitorWare Agent. What configuration should I make?

For all the Windows machines that forward data to the central server, the MonitorWare Agents running on them should be configured as follows:

  1. Right-click on the “Services” node and add “Event Log Monitor Service”. A new node will be added under the Services node. Click on this newly added node and change the settings according to your requirements.
  2. When you install MonitorWare Agent, it creates one RuleSet automatically. Right-click on it, go to Rules and add a new Rule. You will see a new Rule under the RuleSet.
  3. When you expand this newly created Rule, you will see two nodes under it. One is “Filter Condition” (by default, “No Filter” is selected) and the other is “Actions”.
  4. Right-click on Actions and add a “Send SETP” action. (You can also send via Syslog, but SETP is recommended.)
  5. You will see a new node under the newly created node. Click on it and configure its settings. Note that if you want only specific events to be sent to the central server, you can define a Filter Condition as well. With the current settings (no filter), all events will be sent to the central server.
  6. Go back to the service that you created in step 1 and make sure that the RuleSet under which you defined your own Rule in step 2 is attached to this service. In other words, if you go to the properties of the Event Log Monitor Service that you created in step 1, you will see a combo box at the bottom, “Rule Set to use”. Make sure that the RuleSet under which you defined your own rule in step 2 is selected there.

My license key seems not to work – what to do?

Created 2003-03-28 by Wajih-ur-Rehman.

I entered my license information through the client interface but it still says that it is a “trial version”. How to solve this problem?

The following are some possible reasons for your problem:

  1. If your license name does not have a space at the end, make sure that you don't put a space at the end.
  2. The license name is case sensitive.
  3. Your license name must be entered without the double quotes at the start and end.
  4. We recommend that you copy the characters present within the double quotes of the license name that was sent to you (but without the double quotes) and paste them into the required field.

If, even after going through the above 4 points, the problem is not solved, kindly send us the license information that you received.

Migrating the Rules from EventReporter to MonitorWare Agent

Created 2003-07-22 by Wajih-ur-Rehman.

How can I migrate the rules that I have defined in EventReporter to MonitorWare Agent?

This FAQ is only applicable to those who are using EventReporter 6.x and MonitorWare Agent 1.2 or higher. Follow the steps below:

  1. Click on Start and go to Run. Type regedit.
  2. Browse to HKEY_LOCAL_MACHINE\SOFTWARE\Adiscon\EventReporter\RuleSets
  3. Export the above mentioned key and save it somewhere.
  4. Open the file created in the above step with Notepad.
  5. Replace all occurrences of EventReporter with MonitorWare\Agent. (Simply use Find and Replace All from the Edit menu of Notepad.)
  6. Save the file and close it.
  7. Double-click on this registry file.
  8. It will migrate all the rules from EventReporter to MonitorWare Agent and will also override the previous rules defined for MonitorWare Agent.
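The find-and-replace of step 5 done in code, as an added Python example that is not Adiscon's tool: it rewrites only the bracketed key-path lines of the exported .reg file and reports (rather than silently rewriting) value lines that also mention EventReporter, such as a comment or path stored in a rule. The .reg sample is constructed; the UTF-16 handling reflects how regedit exports “Windows Registry Editor Version 5.00” files.

```python
import re
from typing import List, Tuple

OLD_PREFIX = "HKEY_LOCAL_MACHINE\\SOFTWARE\\Adiscon\\EventReporter\\"
NEW_PREFIX = "HKEY_LOCAL_MACHINE\\SOFTWARE\\Adiscon\\MonitorWare\\Agent\\"
KEY_LINE = re.compile(r"^\[(-?)(HKEY_[^\]]+)\]\s*$")  # "[-HKEY_...]" deletes a key

def migrate_reg(text: str) -> Tuple[str, List[int]]:
    """Return the rewritten .reg text and the 1-based numbers of value lines
    that still mention EventReporter and were left for manual review."""
    out, flagged = [], []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = KEY_LINE.match(line)
        if m and m.group(2).startswith(OLD_PREFIX):
            # Rewrite only the key path; keep a leading "-" (delete marker).
            line = f"[{m.group(1)}{NEW_PREFIX}{m.group(2)[len(OLD_PREFIX):]}]"
        elif "EventReporter" in line:
            # A value, not a key: report it instead of changing it blindly.
            flagged.append(lineno)
        out.append(line)
    return "\r\n".join(out) + "\r\n", flagged

def migrate_file(src: str, dst: str) -> List[int]:
    # regedit on Windows 2000 and later writes .reg exports as UTF-16 LE with a
    # byte-order mark; "utf-16" handles the BOM on both read and write.
    with open(src, encoding="utf-16") as f:
        new_text, flagged = migrate_reg(f.read())
    with open(dst, "w", encoding="utf-16", newline="") as f:
        f.write(new_text)
    return flagged

# Constructed sample export; the "Comment" value shows why a blind
# replace-all would also alter data, not just key paths.
SAMPLE_REG = "\r\n".join([
    "Windows Registry Editor Version 5.00",
    "",
    r"[HKEY_LOCAL_MACHINE\SOFTWARE\Adiscon\EventReporter\RuleSets]",
    "",
    r"[HKEY_LOCAL_MACHINE\SOFTWARE\Adiscon\EventReporter\RuleSets\Default]",
    '"Name"="Default"',
    '"Comment"="Created with EventReporter"',
    "",
])

if __name__ == "__main__":
    text, flagged = migrate_reg(SAMPLE_REG)
    print(text)
    print("review lines:", flagged)
```

Because importing the result overrides the rules already defined for MonitorWare Agent (step 8), export the MonitorWare\Agent\RuleSets key first so the old rules can be restored.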