Log Consolidator and Alerter
Adiscon is proud to announce the 6.1 release of MonitorWare Agent. This is a minor release including new features and minor bugfixes. The most important changes are: Continue reading “2009-04-06 MonitorWare Agent 6.1 Final Released”
Build-IDs: Service 6.0.364, Client 6.0.1236
Continue reading “2008-12-23 MonitorWare Agent 6.0b Final (Build Service 6.0.364/Client 6.0.1236)”
Adiscon is proud to announce the 6.0a release of MonitorWare Agent.
This is a maintenance release only needed on Windows 2008 or VISTA. If you are using the EventLog Monitor V2, we recommend to update to Version 6.0a. Continue reading “2008-12-08 MonitorWare Agent 6.0a Final Released”
Build-IDs: Service 6.0.363, Client 6.0.1236
Continue reading “2008-12-08 MonitorWare Agent 6.0a Final (Build Service 6.0.363/Client 6.0.1236)”
Article created 2008-11-27 by Andre Lorbach.
This article was written by using the MonitorWare Agent, but it can also be applied to EventReporter and WinSyslog.
By default the log files generated by MonitorWare Agent using the WriteFile Action are written on a daily basis, so you have one log file for each day. Over time this can become a huge number uncompressed log files, so you properly want to archive them automatically to save disk space. There is no inbuilt method in MonitorWare Agent yet to do so, but this article will describe how you can archive this goal by using the Windows Task Scheduler and WinRar.
1. Installing and Configuring MonitorWare Agent
1.1 Download and Install MonitorWare Agent
1.2 Setup up basic MonitorWare Agent configuration
1.3 Configure the Write File Action.
1.4 Start MonitorWare Agent
2. Configure log file archiving
2.1 Download and Install WinRar
2.2 Create VBScript which utilizes WinRar to create archives.
2.3 Create Task in Windows Task Scheduler
Final Thoughts
| So if you haven’t done so already, go to www.mwagent.com and download the latest MonitorWare Agent version. It is always recommended to use the latest Version of MonitorWare Agent. Once the download is done, go ahead and install it. You may have to restart after installation, this depends on your system. |
 Start the MonitorWare Agent client and skip the wizard on startup. In this article, we will use an EventLog Monitor as source for our File logging, but you can use any other kind of source. Create a new “EventLog Monitor” service and just name it “EventLog Monitor”. You can leave all configuration settings as they are in the screenshot on the right. |
 In order to create log files we need a Write File Action. Create a new Write File Action like in the screenshot on the right. The default settings will create daily log files automatically. You may customize the log format by using the custom “File format” option. It is important to have the “Create unique filenames” Option enabled, this will enable the daily written log files. The log file name for 2008-11-28 would be MonitorWare-2008-11-28.log, and for the next day MonitorWare-2008-11-29.log and so on. |
 After you configured MonitorWare Agent, you can start the Service and verify that the daily log files are successfully written. |
 Visit the RarSoft website to download the latest Version of WinRar, if you haven’t installed it already. There are plenty of other packer applications out there and this article may also be used with them. However I will focus on using WinRar. Once you downloaded WinRar, start it’s installation, and remember the exact path it was installed to. Usually this is “C:\Program Files\WinRAR” or “C:\Program Files (x86)\WinRAR”. |
| This script will actually do the work for you. It is designed to automatically generate the filename of the log file from yesterday, and create an archive with the same name. If the archive is successfully created, the log file will automatically be deleted. The script is also in the script package which you can download at the top. You can also copy the script content from the textbox below, and create a new file archive_logs.vbs yourself. By default the script will create zip files, if you rather want to create rar files, just remove the -afzip parameter from the variable szCommand at the end of the script.
The next thing to do is to edit this script to your needs. There are 4 parameters at the top which you may need to customize, so the script fits into your environment. szWinRardirectory – contains the full installation of your WinRar installation Once you have done this, you should run the script at least once manually by double clicking it to see if it works. You may only notice a short popup of the WinRar Windows, depending if a log file to archive can be found, and archiving takes some time. If it works, you should see a zip-packed log file in your logs directory, like in this screenshot. |
 Open the Control Panel, and go to the scheduled tasks. From there you can create a new scheduled task using a wizard. Once the wizard is opened, click on browse to manually select the “archive_logs.vbs” script. Then proceed to the next step of the wizard. |
 Choose “Daily”, and set the start time in the next wizard step. I have chosen 02:00 am in this article, but you can also chose 04:00am or 01:00am. It should not be 00:00am, because the script might archive the log file too early. In the next step you have to configure the Username and Password, the task is going to run under. Once you finished creating the scheduled task, right click it in the task list and select “Run” in order to test that the task is working. |
I hope this article will help you solving your tasks and shows you the potential of MonitorWare Agent, and what you can archive with it. Feel free to email me for recommendations or questions.
Continue reading “Automatically archiving logfiles written by MonitorWare Agent.”
Adiscon is proud to announce the 6.0 release of MonitorWare Agent. This is a major release including new features and minor bugfixes. The most important changes are: Continue reading “2008-11-24 MonitorWare Agent 6.0 Final Released”
Build-IDs: Service 6.0.362, Client 6.0.1230
New Additions |
|
Adiscon is proud to announce the 6.0b release of MonitorWare Agent.
This is a maintenance release which you only needed on Windows 2008 or VISTA. And Support for Windows 2000 is back as well. The Event priority and facility handling in the EventLog Monitor V2 has been fixed, and does now work correctly. Continue reading “2008-12-23 MonitorWare Agent 6.0b Final Released”
As our customers expect, all Adiscon Windows based products run under Windows 2008. Among others, this includes EventReporter, WinSyslog and MonitorWare Agent. Continue reading “2008-10-23 Adiscon Products run under Windows Server 2008”
Created 2008-10-16 by Florian Riedl
Please Note: This article is valid for EventReporter 9.x / MWAgent 5.x and lower and describes, how to set the filters to get only logon, failed logon and lockout events.
The scenario is, that we need to monitor the behavior of users logging into machines, as well as failing or being locked out, due to bad inserted passwords. All those events should be written into a text file with a unique message that indicates to us what has happened. We need only one ruleset and one service for this. The service would be the EventLog Monitor. In the ruleset, we need 3 separate rules with each having one Action, the Write to File Action. The basic setup should look like this:
Image 1: Basic Setup
Now we will get to the core part of this setup. The filters. This will be a little bit complex, as there are a lot of possibilities when it comes to monitoring logon events. We need to monitor the events with the following IDs:
We need to split up these events for the different rules we created before. To summarize it, we need the following packages:
There are a lot of Events available for logon failure. So we have to consider all the events that would fit. If some events do not fit for your account policy auditing, then simply leave them out. With this information in mind, we set up the filters. The first two filter will be for “Successful Logon” and “Account Lockout”. We use the “AND”-Operator and filter for the Event ID. This looks as follows:
Image 2 and 3: Filter for “Successful Logon” and “Account Lockout”
The last filter for “Logon Failure” looks a bit different, as we have multiple conditions that we need to check. Therefore we need a different Operator. We will take the “OR”-Operator as this is the most suitable. It will evaluate to true once one of the multiple conditions is true. So the same Action (writing a message to a textfile that tells us, that a login has failed) can be performed for multiple events. In contrary, the “AND”-Operator needs all conditions to be true to process the Event, else the Action will not be carried out. The filter should look like this:
Image 4: Filter for “Logon Failure”
The last thing we have to do is to set the messages that should be written into the textfile. Therefore go to each “Write to File”-Action and set the “File Format” to “Custom”. Then you can edit the message to whatever you like. I chose these messages for my example:
These messages give you directly a comment about the event that happened and show you the original message, which holds the information about the user, machine and message details. The configuration for one of those Actions could look like this:
Image 5: Settings for “Write to File”-Action
Please Note: Every “Write to File”-Action needs to write its messages into the same file. Else, you will have separate files for all three kinds of messages. If writing to the same file, a message will be written one after another, so there will not be any overlapping with the messages.
You could also make this message a bit more detailed by including the timestamp and the name of the machine on which the Event happened. Then it could look like this:
This would result in the following message:
2008-10-14 09:24:33, Username, Domain, Workstation, Logon Failure
The message now contains the complete timestamp with date and time, the name of the Domain for which the Event applies, the Workstation name from which the message originates and “Logon Failure” as comment to what happened. We have to do this in a fixed way, as we do not have this information automatically parsed from the Event message. If you want to have the detailed description for the Event you can either add the complete message with %msg% or parse out the information before writing it and put it into a custom property with the “Post-Processing”-Action (only available in MonitorWare Agent Professional and Enterprise).
This is all that needs to be done for having all events for Successful Logon, Logon Failure and Account Lockout written into a textfile. If you have any remarks, suggestions or questions to this article, please send a email to our Support Team.
