IBM Support

Windows 2008 event log monitoring with Log File Agent

Technical Blog Post


Abstract

Windows 2008 event log monitoring with Log File Agent

Body

This blog describes how the Tivoli Log File Agent monitors events from the Windows event log. The Tivoli Log File Agent continues to use the WINEVENTLOGS configuration (.conf) file option to monitor events from the Windows event log. The agent monitors a comma-separated list of event logs as shown in the following example:

# Monitor the named event logs on Microsoft Windows.  The latter two require Windows 2008 or higher,
# and the fourth one requires the Hyper-V role.
WINEVENTLOGS=System,Security,Application,Microsoft-Windows-Hyper-V-Worker-Admin,Microsoft-Windows-TaskScheduler-Operational

 

There is a configuration file tag called UseNewEventLogAPI. On Windows 2008 or later, this tag lets the agent access any of the new logs added by Microsoft, as well as any Windows event logs created by other applications or by the user. The logs to monitor are listed by the WINEVENTLOGS keyword.

# If running on Microsoft Windows 2008 or higher, use the new event log interface.  This is required to
# access the new event logs introduced in that version, such as the last two logs listed in the
# WINEVENTLOGS statement just above.
UseNewEventLogAPI=y

 

Since it is difficult to anticipate exactly what these events look like, a useful approach to writing your regular expressions is to capture the actual events in a file. Then you can examine the file, choose the events you would like the agent to capture, and write regular expressions to match these events. To capture all the events from your Windows event log, use the following steps:

1. Create a format file that contains only one pattern that does not match anything, as shown in the following example:


REGEX NoMatch
This doesn't match anything
END


2. Add the following settings to the configuration (.conf) file:

UnmatchLog=C:/evlog.unmatch
WINEVENTLOGS=Application
UseNewEventLogAPI=y


3. Run the agent and capture some sample events.


4. The Event Viewer events are captured in the evlog.unmatch log.
5. Write a regular expression that matches the message in the evlog.unmatch file. You can use an online tool such as myregextester or regexr to test whether the regular expression matches your text.

In my scenario I am interested in the line below:

Jun 10 11:04:03 2016 1 Error N/A Application_Error Classic 1000 Faulting application k3zcma.exe, version 0.0.0.0, time stamp 0x539ad974, faulting module ntdll.dll, version 6.0.6001.18000, time stamp 0x4791adec, exception code 0xc0000008, fault offset 0x00000000000b1188, process id 0x1a04, application start time 0x01d1c16139c90c8c.

When the regular expression matches your test text, you need to create a format with mappings.

6. I created the following format with mappings in my .fmt file:

REGEX ApplicationError
^([A-Z][a-z]{2} [0-9]{1,2} [0-9]{1,2}:[0-9]{2}:[0-9]{2} [0-9]{4}) [0-9] (\S+) (\S+) (\S+) (\S+) (1000) (.*)
timestamp $1
severity $2 CustomSlot1
eventclass $3 CustomSlot2
eventsource $4 CustomSlot3
keywords $5 CustomSlot4
eventid $6 CustomSlot5
msg $7
END

 

7. I recreated the Windows event and checked whether the event is seen in the TEP workspace. Note: LFA agent v6.3 does not need to be restarted if the conf or fmt files are updated. Result: the event appears in the TEP workspace with the slots populated as mapped above.
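The following Python is an added example, not the agent's own code: it reads the format shown in step 6 using a simplified reading of the REGEX / mapping / END syntax, applies it to the event line from step 5, and shows that a constructed event 1001 line is left unmatched because the pattern fixes the event ID at 1000. The parser and the second sample line are assumptions made for the example.

```python
import re

# The format from step 6 of this post, embedded inline (the NoMatch pattern is omitted).
FMT_TEXT = r"""REGEX ApplicationError
^([A-Z][a-z]{2} [0-9]{1,2} [0-9]{1,2}:[0-9]{2}:[0-9]{2} [0-9]{4}) [0-9] (\S+) (\S+) (\S+) (\S+) (1000) (.*)
timestamp $1
severity $2 CustomSlot1
eventclass $3 CustomSlot2
eventsource $4 CustomSlot3
keywords $5 CustomSlot4
eventid $6 CustomSlot5
msg $7
END
"""

# Constructed sample lines in the evlog.unmatch layout: the post's event 1000,
# plus a hypothetical event 1001 that the format above is not meant to match.
SAMPLE_EVENTS = [
    "Jun 10 11:04:03 2016 1 Error N/A Application_Error Classic 1000 Faulting application k3zcma.exe, version 0.0.0.0, time stamp 0x539ad974, faulting module ntdll.dll, version 6.0.6001.18000, time stamp 0x4791adec, exception code 0xc0000008, fault offset 0x00000000000b1188, process id 0x1a04, application start time 0x01d1c16139c90c8c.",
    "Jun 10 11:05:17 2016 1 Error N/A Application_Hang Classic 1001 Hanging application notepad.exe, version 6.0.6001.18000, hang type 0.",
]

def parse_fmt(text):
    # Subset of .fmt syntax: 'REGEX <name>', one pattern line, '<slot> $<n> [CustomSlotK]'
    # mapping lines, then 'END'. Assumed simplified grammar, not the agent's own parser.
    formats = []
    lines = iter(text.splitlines())
    for line in lines:
        if not line.startswith("REGEX "):
            continue
        name = line.split(None, 1)[1].strip()
        pattern = re.compile(next(lines))
        mappings = []
        for mline in lines:
            if mline.strip() == "END":
                break
            parts = mline.split()
            if len(parts) >= 2 and parts[1].startswith("$"):
                mappings.append((parts[0], int(parts[1][1:])))
        formats.append((name, pattern, mappings))
    return formats

def match_event(formats, line):
    # First matching format wins; None means the line would land in the UnmatchLog file.
    for name, pattern, mappings in formats:
        m = pattern.match(line)
        if m:
            return name, {slot: m.group(n) for slot, n in mappings}
    return None

FORMATS = parse_fmt(FMT_TEXT)
```

Lines that return None are the ones you would still find in C:/evlog.unmatch, which is a quick way to check that a new pattern covers the events you care about before loading it into the agent.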

 

 

When you create an LFA instance for the first time, also review the Best practice for creating LFA agent format file and Best practice for creating LFA agent configuration file blog entries.

The LFA agent installation image also contains example conf and fmt files, which are located under the <Image_Dir>\examples\ folder.

Having problems with installation and configuration of the LFA agent? Look no further: review How to install IBM Tivoli Log File Agent V6.3 and do basic configuration to receive data in TEP?


UID

ibm11277374