Windows 2008 event log monitoring with Log File Agent
GregorK
This blog describes how the Tivoli Log File Agent monitors events from the Windows event log. The Tivoli Log File Agent continues to use the WINEVENTLOGS configuration (.conf) file option to monitor events from the Windows event log. The agent monitors a comma-separated list of event logs as shown in the following example:
# Monitor the named event logs on Microsoft Windows. The latter two require Windows 2008 or higher,
There is a configuration file tag called UseNewEventLogAPI. On Windows 2008 or later, this tag lets the agent use the new Windows event log API to access any of the new logs added by Microsoft, as well as Windows event logs created by other applications or by the user. These new logs are listed with the WINEVENTLOGS keyword.
# If running on Microsoft Windows 2008 or higher, use the new event log interface. This is required to
Since it is difficult to anticipate exactly what these events look like, a useful approach to writing your regular expressions is to capture the actual events in a file. Then you can examine the file, choose the events you would like the agent to capture, and write regular expressions to match these events. To capture all the events from your Windows event log, use the following steps:
4. Event Viewer events captured in evlog.unmatch log.
In my scenario I am interested in the following line:
Jun 10 11:04:03 2016 1 Error N/A Application_Error Classic 1000 Faulting application k3zcma.exe, version 0.0.0.0, time stamp 0x539ad974, faulting module ntdll.dll, version 6.0.6001.18000, time stamp 0x4791adec, exception code 0xc0000008, fault offset 0x00000000000b1188, process id 0x1a04, application start time 0x01d1c16139c90c8c.
Once the regular expression matches your test event, you need to create a format with mappings.
6. Created the following format with mappings in my .fmt file
7. I recreated the Windows event and checked whether it is seen in the TEP workspace. Note: the LFA agent v6.3 does not need to be restarted if the conf or fmt files are updated. Result:
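Steps 5 to 7 above amount to: prototype a regular expression against the captured evlog.unmatch line, confirm it matches, then turn the captured groups into mapping slots. The following Python script is an added example (not code from the blog post or from the Log File Agent) that does the prototyping offline on the event line quoted above. The field layout it assumes for the captured line (timestamp, sequence number, level, user, source, category, event ID, description) is my reading of that one sample, not LFA documentation, and the .fmt file uses the agent's own regex dialect, so a pattern worked out here still has to be carried over to the .fmt file and re-tested in the agent. Filtering on level and event ID before extracting fault details is deliberate: it keeps unrelated Application log events out of the mapped result.

```python
import re

# Constructed test input: the captured evlog.unmatch line quoted in the blog post.
SAMPLE_EVENT = (
    "Jun 10 11:04:03 2016 1 Error N/A Application_Error Classic 1000 "
    "Faulting application k3zcma.exe, version 0.0.0.0, time stamp 0x539ad974, "
    "faulting module ntdll.dll, version 6.0.6001.18000, time stamp 0x4791adec, "
    "exception code 0xc0000008, fault offset 0x00000000000b1188, process id 0x1a04, "
    "application start time 0x01d1c16139c90c8c."
)

# Assumed layout of a captured line (an interpretation of the sample, not LFA documentation):
# timestamp, sequence, level, user, source, category, event id, description.
EVENT_LINE = re.compile(
    r"^(?P<timestamp>[A-Z][a-z]{2} \d{1,2} \d{2}:\d{2}:\d{2} \d{4}) "
    r"(?P<seq>\d+) "
    r"(?P<level>\S+) "
    r"(?P<user>\S+) "
    r"(?P<source>\S+) "
    r"(?P<category>\S+) "
    r"(?P<event_id>\d+) "
    r"(?P<description>.*)$"
)

# Pattern for the description text of an Event ID 1000 application fault.
# Each named group is a candidate slot for the .fmt mapping.
APP_FAULT = re.compile(
    r"Faulting application (?P<app>\S+), version (?P<app_version>\S+), .*?"
    r"faulting module (?P<module>\S+), version (?P<module_version>\S+), .*?"
    r"exception code (?P<exception_code>0x[0-9a-fA-F]+), "
    r"fault offset (?P<fault_offset>0x[0-9a-fA-F]+), "
    r"process id (?P<pid>0x[0-9a-fA-F]+)"
)


def parse_event(line):
    """Split one captured event line into its fields; None if the layout does not match."""
    m = EVENT_LINE.match(line)
    return m.groupdict() if m else None


def parse_app_fault(description):
    """Extract the fault details worth mapping from an application-fault description."""
    m = APP_FAULT.search(description)
    return m.groupdict() if m else None


def extract_fault(line):
    """Run both stages. Only Error-level events with Event ID 1000 are accepted;
    anything else returns None so it would stay in evlog.unmatch."""
    event = parse_event(line)
    if event is None or event["event_id"] != "1000" or event["level"] != "Error":
        return None
    fault = parse_app_fault(event["description"])
    if fault is None:
        return None
    result = {k: event[k] for k in ("timestamp", "level", "source", "event_id")}
    result.update(fault)
    return result


if __name__ == "__main__":
    for key, value in (extract_fault(SAMPLE_EVENT) or {}).items():
        print(f"{key:16} {value}")
```

Run it as `python lfa_regex_check.py` (the file name is my choice) to see each extracted slot; a line that fails either stage prints nothing, which is exactly the case you want to catch before editing the .fmt file.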
When you are creating an LFA instance for the first time, please also review Be
The LFA agent installation image also contains example conf and fmt files, which are located under <Ima
Having problems with installing and configuring the LFA agent? Look no further; review How