Monitoring the Windows Server Event Log
Learn how to monitor the Windows Server Event Log and share only filtered events to end users. Use this feature to get Alerts when Windows Services run into problems.
This page describes what's being monitored for the Event Log Category in Nodinite, using one or more role-based Monitor Views. Nodinite monitors the state based on user-defined global or specific thresholds. For managing the Event Log, remote commands are available as Actions. These help you swiftly manage reported problems. The implemented Remote Actions are further detailed on this page.
Example with a list of monitored 'Event Log configurations' as resources in a Monitor View
Filter options
The following filter options are available from the Event Log Configuration:
- ✅ Log Source (Application/System/Security/...)
- ✅ Log level (Information, Warning, Error, Critical)
- ✅ Provider
- ✅ Event Id (selected numbers)
- ✅ Content (when matched)
Monitoring Features
- You must manually manage your Event Log configurations to monitor. Sharing insights is very easy from within Nodinite using Monitor Views.
- State Evaluation - Based on user-defined settings
- Category-based monitoring - To help you sort out the different types of resources, the monitored Resources are grouped by Categories
State evaluation for the Event Log
The monitored Event Log configurations display within Nodinite as Resources. For example, if you have 2 Windows Server configurations with 2 and 3 Event Log configurations, you will have 5 'Event Log' resources in Nodinite.
The name of each Resource is the same as the name of the Event Log configuration.
The 'Event Log' resource belongs to the following Category:
Category | Description |
---|---|
Event Log | Make sure the Event Logs do not contain any events matching the user-defined settings |

Here's an example of the Event Log category as a filter in a Nodinite Monitor View. The Application name is the Display Name of the target Windows Server set in the Configuration:
Here's an example of the Application naming scheme.
Each item (presented in Nodinite as a Resource) evaluates with a state (OK, Warning, Error, Unavailable).
From within Nodinite, you can reconfigure the state evaluation on Resource level using the Expected State feature.
Note
Depending on the user-defined synchronization interval set for the Windows Server Monitoring Agent, a delay might occur before the Nodinite Web Client/Monitor Views reflect the change. Click the Sync All button (or use the dropdown for individual agent selection) to force Nodinite to request a resynchronization.
Option to force Nodinite to request a resynchronization with the monitoring agent
Monitoring Event Log
For the Event Log category, the monitored state evaluates as described in the table below:
State | Status | Description | Actions |
---|---|---|---|
Unavailable | Service not available | | Review prerequisites |
Error | Error state raised | The 'Event Log' contains one or more matching events | Clear, List Events |
Warning | Warning state raised | Not Implemented | - |
OK | Online | The 'Event Log' contains exactly 0 matching events | Clear, List Events |
Actions for Event Log
The following Remote Actions are available for the Event Log Category:
Clear
You can have old events removed by applying a filter on old events. The time for this filter is the point in time when you either click the Clear action or manually edit the value in the global configuration. For the selected Event Log resource, click the Action button and then click the Clear menu item within the 'Control Center' section.
Here's an example to ignore previous Log Events using the 'Clear' action.
You will then be prompted to confirm the intent to proceed with the operation:
Here's an example of the 'Clear' prompt.
Next, a modal presents with the result of the operation:
Here's an example of successful clear operation.
List Events
To view details for the selected Event Log resource, click the Action button and then the List Events menu item within the 'Control Center' section.
Open filtered Log Events modal, using the 'List Events' action.
Next, the modal from the operation presents a list of filtered Log Events according to the settings.
Here's an example of the 'List Events' modal.
You can expand any single entry by clicking on the small arrow button:
The recorded Log Event entry can also be viewed as XML; click the View as XML tab:
Logged event as XML
At the bottom of the page, the Settings for this Event Log configuration can be reviewed (read-only):
Here's an example of settings for this Event Log Configuration.
Event Log Configuration
To enable Monitoring, and for end-users to gain access to the Event Log on the target Windows Server, you must create one or more configuration entries. Use the Remote Configuration to manage the Event Log configuration entries.
Event Log Tab
Click the Event Log tab to manage Event Log related Monitoring options.
Here's an example of the 'Event Log' configuration tab.
Add an Event Log Entry to monitor by clicking on the Add Button:
Expand the Accordion to enter options:
- Enable Event Log Monitoring for this configuration - When checked, Monitoring is enabled. Otherwise, it is disabled.
Event Log Basic Tab
Click the Basic tab to manage Event Log related Monitoring options.
- Event Log Configuration Name - The 'Resource' name as presented in the Monitor Views for end-users.
- Description - User-friendly short description for this configuration.
- Log Name - The name of the 'Windows Event Log' (Application, System, Security, ...) from where to look for events according to user-defined options.
Event Log Source Tab
Click the Source tab to manage what to include from the Event Log.
Here's an example of the 'Event Log Source' tab.
- Information - When checked, include Informational events
- Warning - When checked, include Warning events
- Error - When checked, include Error events
- Critical - When checked, include Critical events
Include the following Providers
You can filter on named providers. There can be any number of providers added to the list.
Option to include Log Events from the specific provider.
Providers not listed are excluded from Monitoring.
Include the following Event IDs
You can filter on specific Event IDs. There can be any number of Event IDs added to the list.
An example of the option to include a specified Log Event Id.
Note
The Event Ids not part of the list are NOT monitored.
Include matches from the 'EventData' data structure
You can filter on specific content using an exact string match, or a regular expression (RegEx). There can be any number of such filters.
Click the Add button to add an empty configuration.
Click the chevron icon to expand the accordion:
- Filter by Name attribute
  - Optional: Filters by the 'Name' attribute on the 'Example Value' element.
  - NOTE: This is case sensitive.
- Operator - The operator used to compare
  - Equals: Exact match. Uses XPath which means better performance and less overhead.
  - RegEx: More advanced options but less performant.
- Value to match - Filters by the value of the '<Data Name="ExampleName">Example Value</Data>' elements.
Event Log Options Tab
Click the Options tab to manage additional options for Monitoring the Event Log.
Event Log options
- Set 'Log text' from last Event Log entry - When checked, the 'Log Text' for the monitored resource comes from the OLDEST event record in the filtered list.
Event Log Advanced Tab
Click the Advanced tab to manage additional options for Monitoring the Event Log.
'Advanced' Event Log options tab.
- Max lookback time (New 6.1.0.0) - This input determines the maximum amount of time in days to look back in the event log.
- Clear Settings - List of Windows Servers with a Clear Date and Time Set. NOTE: The match is based on the address. If you change the address, the clear settings will be removed since there will be no longer a match, unless you update both the server and clear settings simultaneously.
Whenever a User, or the system executes any of the Clean IIS Log Files.
Next Step
Related Topics
Windows Server Monitoring Agent
Resources
Monitoring
Monitor Views