
Monitoring the Windows Server Event Log

Proactively monitor Windows Event Logs on your servers with the Nodinite Windows Server Monitoring Agent. Configure custom filters, receive actionable alerts, and leverage real-time metrics to ensure system health and compliance.

✅ Real-time monitoring of all Windows Event Logs
✅ Customizable filters for log source, level, provider, event ID, and content
✅ Actionable alerts and Remote Actions within role-based Monitor Views to resolve issues fast
✅ Visualize event log data with charts and dashboard widgets

Event Log items as Resources
Example list of monitored 'Event Log configurations' as resources in a Monitor View.

Filter Options

The following filter options are available from the Event Log Configuration:

  • Log Source (Application/System/Security/...)
  • Log level (Information, Warning, Error, Critical)
  • Provider
  • Event Id (selected numbers)
  • Content (when matched)

Monitoring Features

  • You manually manage which Event Log configurations to monitor. Sharing insights is easy within Nodinite using Monitor Views.
  • State Evaluation - Based on user-defined settings
  • Category-based Monitoring - Organize different types of resources; monitored Resources are grouped by Categories.

State Evaluation for the Event Log

Monitored Event Log configurations are displayed within Nodinite as Resources. For example, if you have 2 Windows Server configurations with 2 and 3 Event Log configurations, you will have 5 'Event Log' resources in Nodinite.

  • The name of the Resources matches the name of the Event Log configuration.
  • The 'Event Log' resource belongs to the following Category:
| Category | Description |
|---|---|
| Event Log | Ensure the Event Logs do not contain any events matching the user-defined settings |

Categories
Example of the Event Log category as a filter in a Monitor View.

  • The Application name is the Display Name of the target Windows Server set in the configuration:
    Application naming
    Example of the Application naming scheme.

Each item (presented in Nodinite as a Resource) is evaluated with a state (OK, Warning, Error, Unavailable).

From within Nodinite, you can reconfigure the state evaluation on Resource level using the Expected State feature.

Note

Depending on the user-defined synchronization interval set for the Windows Server Monitoring Agent, there might be a delay before Nodinite Web Client/Monitor Views reflects the change. Click the Sync All button (or use the dropdown for individual agent selection) to force Nodinite to request a resynchronization.

Sync
Option to force Nodinite to request a resynchronization with the monitoring agent.


Monitoring Event Log

For the Event Log category, the monitored state evaluates as described in the table below:

| State | Status | Description | Actions |
|---|---|---|---|
| Unavailable | Service not available | If the server can't be reached and evaluated due to network or security-related problems, or if the configuration is invalid/non-existing | Review prerequisites |
| Error | Error state raised | The 'Event Log' contains one or more matching events | Clear, List Events |
| Warning | Warning state raised | Not Implemented | - |
| OK | Online | The 'Event Log' contains exactly 0 matching events | Clear, List Events |

Actions for Event Log

The following Remote Actions are available for the Event Log Category:

Actions

Clear

You can remove old events from the filtered result by applying a time filter. The time for this filter is the point in time when you either click on the Clear action or manually edit the value in the global configuration. For a selected Event Log resource, click the Action button and then the Clear menu item within the 'Control Center' section.

Clear Menu Action
Example to ignore previous Log Events using the 'Clear' action.

You will be prompted to confirm the operation:
Clear intent modal
Example of the 'Clear' prompt.

A modal then presents the result of the operation:
Clear Success
Example of a successful clear operation.

List Events

To view details for the selected Event Log resource, click the Action button and then the List Events menu item within the 'Control Center' section.
List Events Menu Action
Open filtered Log Events modal, using the 'List Events' action.

A modal presents a list of filtered Log Events according to the settings.
List Events modal
Example of the 'List Events' modal.

You can expand any entry by clicking the small arrow button:
Details for Log Event

The recorded Log Event entry can also be viewed as XML by clicking the View as XML tab:
View as XML
Logged event as XML.

At the bottom of the page, the Settings for this Event Log configuration can be reviewed (read-only):
Details
Example of settings for this Event Log Configuration.


Event Log Configuration

To enable monitoring and provide end-users access to the Event Log on the target Windows Server, create one or more configuration entries. Use the Remote Configuration to manage the Event Log configuration entries.

Event Log Tab

Click the Event Log tab to manage Event Log-related monitoring options.
Event Log tab
Example of the 'Event Log' configuration tab.

Add an Event Log Entry to monitor by clicking the Add button:
Add Event Log Entry

Expand the accordion to enter options:

  • Enable Event Log Monitoring for this configuration - When checked, monitoring is enabled. Otherwise, it is disabled.

Event Log Basic Tab

Click the Basic tab to manage Event Log-related monitoring options.
Event Log Entry

  • Event Log Configuration Name - The 'Resource' name as presented in the Monitor Views for end-users.
  • Description - User-friendly short description for this configuration.
  • Log Name - The name of the 'Windows Event Log' (Application, System, Security, ...) from where to look for events according to user-defined options.

Event Log Source Tab

Click the Source tab to manage what to include from the Event Log.
Event Log Source tab
Example of the 'Event Log Source' tab.

  • Information - When checked, include Informational events
  • Warning - When checked, include Warning events
  • Error - When checked, include Error events
  • Critical - When checked, include Critical events
Include the following Providers

You can filter on named providers. There can be any number of providers added to the list.

Include Providers
Option to include Log Events from the specific provider.

Providers not listed are excluded from monitoring.

Include the following Event IDs

You can filter on specific Event IDs. There can be any number of Event IDs added to the list.

Include Event Id
Example of the option to include a specified Log Event Id.

Note

Event IDs not part of the list are NOT monitored.

Include matches from the 'EventData' data structure

You can filter on specific content using an exact string match or a regular expression (RegEx). There can be any number of such filters.
Content based filter

Click the Add button to add an empty configuration.
Empty configuration

Click the chevron icon to expand the accordion:
Expanded empty configuration

  • Filter by Name attribute
    • Optional: Filters by the 'Name' attribute on the 'Example Value' element.
    • NOTE: This is case sensitive.
  • Operator - The operator used to compare
    • Equals: Exact match. Uses XPath for better performance and less overhead.
    • RegEx: More advanced options but less performant.
  • Value to match - Filters by the value of the 'Example Value' elements.
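
The filter and state rules described above, modeled over a few constructed events as an added example; this is not Nodinite's code. The provider names, field names and `CONFIG` layout are hypothetical, and two behaviours are assumptions the page does not state: an empty provider or Event ID list means no restriction, and multiple content filters must all match.

```python
import re
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
LEVELS = {1: "Critical", 2: "Error", 3: "Warning", 4: "Information"}

def _event(provider, event_id, level, data):
    # Build one constructed event in the Windows event XML layout.
    fields = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in data.items())
    return (f'<Event xmlns="{NS["e"]}"><System><Provider Name="{provider}"/>'
            f'<EventID>{event_id}</EventID><Level>{level}</Level></System>'
            f'<EventData>{fields}</EventData></Event>')

# Constructed sample events; providers and field names are hypothetical.
SAMPLE_EVENTS = [
    _event("Contoso-Orders", 1001, 2, {"Queue": "orders", "Reason": "timeout after 30s"}),
    _event("Contoso-Orders", 1001, 2, {"queue": "orders", "Reason": "timeout after 30s"}),
    _event("Contoso-Orders", 2002, 2, {"Queue": "orders", "Reason": "disk full"}),
    _event("Contoso-Billing", 1001, 3, {"Queue": "orders", "Reason": "timeout after 5s"}),
]

# Assumptions: an empty provider/ID list means "no restriction"; content filters are ANDed.
CONFIG = {"levels": {"Error", "Critical"}, "providers": {"Contoso-Orders"},
          "event_ids": {1001},
          "content": [("Queue", "Equals", "orders"), ("Reason", "RegEx", r"timeout after \d+s")]}

def matches(event_xml, cfg):
    root = ET.fromstring(event_xml)
    system = root.find("e:System", NS)
    if LEVELS.get(int(system.findtext("e:Level", namespaces=NS))) not in cfg["levels"]:
        return False
    if cfg["providers"] and system.find("e:Provider", NS).get("Name") not in cfg["providers"]:
        return False
    if cfg["event_ids"] and int(system.findtext("e:EventID", namespaces=NS)) not in cfg["event_ids"]:
        return False
    for name, operator, value in cfg["content"]:
        # The Name comparison is case sensitive, as the page notes.
        texts = [d.text or "" for d in root.findall("e:EventData/e:Data", NS)
                 if name is None or d.get("Name") == name]
        hit = value in texts if operator == "Equals" else any(re.search(value, t) for t in texts)
        if not hit:
            return False
    return True

def evaluate_state(events, cfg):
    """Error when one or more events match, OK when exactly 0 match."""
    hits = [e for e in events if matches(e, cfg)]
    return ("Error" if hits else "OK"), len(hits)
```

The second sample event differs from the first only in the case of the `Name` attribute (`queue`), so it is silently excluded; check the exact attribute spelling in the 'View as XML' tab before relying on a content filter.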

Event Log Options Tab

Click the Options tab to manage additional options for monitoring the Event Log.
Event Log Options Tab
Event Log options.

  • Set 'Log text' from last Event Log entry - When checked, the 'Log Text' for the monitored resource comes from the oldest event record in the filtered list.

Event Log Advanced Tab

Click the Advanced tab to manage additional options for monitoring the Event Log.
Event Log Advanced Tab
'Advanced' Event Log options tab.

  • Max lookback time - This input determines the maximum amount of time in days to look back in the event log.
  • Clear Settings - List of Windows Servers with a Clear Date and Time set. NOTE: The match is based on the address. If you change the address, the clear settings will be removed unless you update both the server and clear settings simultaneously.

    Whenever a User, or the system, executes any of the Clean IIS Log Files.


Next Step

Add or manage Monitor View
