Monitoring a Windows Event Log

You can define a data source to collect data from a Windows event log. You can configure it to filter the data. The resulting events are placed in the Event Log data set.

About this task

You can collect data from the Windows event log by using the type, source, or ID of events. You use these parameters to filter the log events that the Windows system gathered. The agent compares each new event in the monitored event log against the specified filter. If the event matches one of the event types, event sources, and event IDs specified in the filter, it passes.

For example, if the Event log filter is for the Application log, specify Error as the event type. This choice matches all events that are logged to the Application log with an event type value of error. If you add the Diskeeper and Symantec AntiVirus event sources, the agent matches all error events from either of these sources. You can add specific event IDs to refine the filter further. No direct association exists between the event type, event source, and event ID. If one of the values for each matches an event, the event matches.

By default, only events that are generated after the agent starts are processed. However, you can enable the agent when it restarts to process log events that are generated while the agent is shut down. For more information about enabling the agent to process events generated while the agent is shut down, see step 6.

Procedure

  1. On the Agent Initial Data Source page or the Data Source Location page, click Logged Data in the Monitoring Data Categories area.
  2. In the Data Sources area, click Windows Event Log.
  3. Click Next.
  4. On the Windows Event Log page, select the name from one of the logs in the Windows Event Log name list, or type a name for the event log.
    The list is constructed from the set of logs on the current system, for example:
    • Application
    • Security
    • System
  5. In the Windows Event Log page, specify whether you want to filter the results by using one or more of the following mechanisms:
    Note: You must select at least one of these filter criteria.
  6. To process log events that are generated while the agent is shut down, on an agent restart, click Offline Event Settings on the Windows Event Log page.
    The Windows Event Log Bookmark Settings window opens.
  7. Select one of the following bookmarking options:
    Note: These options apply to all Windows event logs being monitored.
    • Do not collect any offline events: Events that are generated while the agent is shut down are not processed. This option is the default option.
    • Collect all offline objects: All events that are generated while the agent is shut down are processed.
    • Specify custom collection settings: You can enter a value to throttle the processing of old events that are based on a time value, or number of events, or both. By using this option, you ensure that the monitoring environment is not overloaded with events when the agent starts.

      For example, if 100 is entered in The maximum number of events to collect field and 30 is entered in the Restrict collection based on a time interval (in seconds) field. The number of events that are processed is either the last 100 events that are generated before the agent starts, or any event that is generated within 30 seconds of agent start. Which result depends on the variable that is matched first.

      When you enter a value for the maximum number of events to collect, the CDP_DP_EVENT_LOG_MAX_ BACKLOG_EVENTS environment variable is added. When you enter a value to restrict collection that is based on a time interval, the CDP_DP_EVENT_LOG_MAX_BACKLOG_TIME environment variable is added. When either or both of these variables are added, the eventlogname_productcode_instancename_subnodename.rst file is created containing the last event record that is processed for the event log. This file is in the %CANDLE_HOME%\tmaitm6\logs directory and is used when the agent is restarted to process old events that are generated while the agent was shut down.

  8. If you want to set global options for the data source, click Global Options on the Windows Event Log page
    The Global Windows Data Source Options window opens.
  9. Select the Include remote Windows configuration properties check box if you want to include this option, and click OK.

    For information about Windows remote connection configuration for Windows data sources, see Configuring a Windows remote connection.

  10. After you specify the filter and click OK, on the Windows Event Log page, do one of the following steps:
    • If you are using the Agent wizard, click Next.
    • Click Finish to save the data source and open the Agent Editor. The name of the new Windows Event Log is shown on the Agent Editor Data Source Definition page.

What to do next

For information about Windows remote connection configuration for Windows Event Log data sources, see Configuring a Windows remote connection.