VMware Cloud Community
ericcase
Contributor

Monitor Window Event Logs

I know the expertise version can monitor the Windows Event Logs. I enabled the Log Tracking under platform->Inventory tab ->Configuration Properties then configured an Alert. I thought the alert was for any event. I see more events than alerts. Q: Where can I get some docs on how to set it up? The Hyperic HQ 2.7 Documentation -> Log Tracking is just a Placeholder. 😞
-Eric
11 Replies
cwitt_hyperic
Hot Shot

A couple of questions to clarify your issue:

1. When you say you are not seeing alerts for all the events you are seeing, are you seeing these events within HQ, or just in your Event Viewer?

2. In the configuration properties, what have you set platform.log_track.level to? And in the defined alert, what have you set the Events/Logs Level to?

Thanks.
ericcase
Contributor

At 12:53 PM 11/27/2006 -0800, Chip Witt wrote:
>1. When you say you are not seeing alerts for all the events you
>are seeing, are you seeing these events within HQ, or just in your
>Event Viewer?

In HQ I only see a few events. In the Event Viewer I see a
bunch of events that I don't see in HQ. If I use the resource kit
tool logevent.exe to insert events into the Application log I don't
see them in HQ.


>2. In the configuration properties, what have you set
>platform.log_track.level to?

It's set to Error. As I understand it this will give me events
that are Error, Warning, Info and Debug. Right?


> And in the defined alert, what have you set the Events/Logs Level to?

It's set to Error.
-Eric



Eric Case, CISSP <ecase@Email.Arizona.EDU>
Support Systems Analyst, Principal
Department of Chemical & Environmental
Engineering <http://www.CHEE.Arizona.EDU>
1133 E James E. Rogers Way (Room 108)
Tucson, AZ 85721-0011
Mobile Phone 520-275-6436


cwitt_hyperic
Hot Shot

OK. Out-of-the-box, event log tracking only monitors system events at the platform level, assuming one would monitor specific applications at the server or service level. This behavior can be modified with a custom plug-in, and there are people that will gladly help you find an adequate solution if you can provide details about what applications you are trying to monitor on the platform.

On the platform.log_track.level setting, your configuration is exactly opposite of expected behavior. Whatever the setting, you get that level and everything above (as listed in HQ). I am used to seeing log levels listed with Debug at the top, so immediately realized how this could confuse. Setting it for Info gets you Info, Warn, and Error. Setting for Error just gets you the Error messages. Debug will get you everything.
ericcase
Contributor

> OK. Out-of-the-box, event log tracking only monitors
> system events at the platform level,

Hmm. I guess I can use the "Windows Service" Service Type to monitor some things like the File Replication Service, but how do I monitor for security events? I'd like to set an alert for failed security audits and other events that are out of the norm.


> On the platform.log_track.level setting, your
> configuration is exactly opposite of expected
> behavior.

Ok, changing the setting to debug produces more alerts and they mostly match up with what I see in the system event log. I'm getting an alert that I can't find in the Event Viewer, "system: login: INET3$ network share (192.168.1.3)"
-Eric
cwitt_hyperic
Hot Shot

If you can provide the event Source, Category, Type, and Event_ID information for things you would want pulled into HQ from the Security Events Log, we can look into what is required to modify the existing plugin to suit your needs. I have it on good authority that this should not be too troublesome with the proper data in-hand.

Our plugin already pulls in some login information, which is what the event you see that is otherwise unaccounted for demonstrates. The "system: login: INET3$ network share (192.168.1.3)" is indicating a machine mount login to a network share on the monitored platform. If I am not mistaken, I believe that this one correlates to an "Event_ID: 540" event in the Security Events Log.
dougm_hyperic
VMware Employee

Hi Eric,

I just checked in a plugin that can track the Security Event Log
along with collecting a few security related metrics from the Windows
performance counters:

http://svn.hyperic.org/branches/HQ_2_7/plugins/examples/windows-security-plugin.xml?root=Hyperic+HQ&view=log

Deploy following these steps:
http://support.hyperic.com/confluence/display/DOCSHQ27/Plugin+Development+Center#PluginDevelopmentCenter-deployment

Let us know if this provides the info you need. We could also
consider building this into the existing system plugin.

On Nov 28, 2006, at 1:25 AM, Eric Case wrote:

>> OK. Out-of-the-box, event log tracking only monitors
>> system events at the platform level,
>
> Hmm. I guess I can use the "Windows Service" Service Type to
> monitor some things like the File Replication Service, but how do I
> monitor for security events? I'd like to set an alert for failed
> security audits and other events that are out of the norm.
>
>
>> On the platform.log_track.level setting, your
>> configuration is exactly opposite of expected
>> behavior.
>
> Ok, changing the setting to debug produces more alerts and
> they mostly match up with what I see in the system event log. I'm
> getting an alert that I can't find in the Event Viewer, "system:
> login: INET3$ network share (192.168.1.3)"
> -Eric


ericcase
Contributor

At 01:41 PM 11/30/2006 -0800, Doug MacEachern wrote:
>I just checked in a plugin that can track the Security Event Log
>along with collecting a few security related metrics from the Windows
>performance counters:

Thanks Doug,

I added the plugin, added the service but I'm not sure where to
go from here. I guess I need to add the alerts to the service? Will
the security event logs show up in the platform logs?

I assume that I can just open the xml file and edit it to make
plugins for the other event logs. What are the pros and cons of making
a single plugin to monitor multiple event logs like Application,
Directory Service, DNS Server, File Replication Service and Security?
-Eric

dougm_hyperic
VMware Employee

On Dec 5, 2006, at 8:04 AM, Eric Case wrote:

> At 01:41 PM 11/30/2006 -0800, Doug MacEachern wrote:
>> I just checked in a plugin that can track the Security Event Log
>> along with collecting a few security related metrics from the Windows
>> performance counters:
>
> Thanks Doug,
>
> I added the plugin, added the service but I'm not sure where
> to go from here. I guess I need to add the alerts to the service?
> Will the security event logs show up in the platform logs?

Hi Eric,

That's right, after creating the service, create your alerts for that
service just as you had done for the platform. However, the security
events will show up at the service level.

> I assume that I can just open the xml file and edit it to make
> plugins for the other event logs. What are the pros and cons of
> making a single plugin to monitor multiple event logs like
> Application, Directory Service, DNS Server, File Replication
> Service and Security?
>

We chose to attach event logs to specific resource types, for example:

System -> Windows Platform, defined in the system plugin
Directory Service -> Active Directory server type, defined in the ntds plugin
Application -> Various plugins, depending on the event source: iis, mssql, exchange, ntds

The idea was to correlate log events with the monitoring provided by each
resource type.
It sounds like you'd prefer to have events from all logs tied to a
single resource; I can see advantages to that.
How about if we change the system plugin to include a check box [x]
Monitor all event logs,
where the default would still be the System log, but if the box is
checked, the plugin would monitor all?

ericcase
Contributor

At 07:07 PM 12/14/2006 -0800, Doug MacEachern wrote:
>It sounds like you'd prefer to have events from all logs tied to a
>single resource, I can see advantages to that.
>How about if we change the system plugin to include a check box [x]
>Monitor all event logs,
>where the default would still be the System log, but if the box is
>checked, the plugin would monitor all?

That would be good. I think the ideal event log monitor would
send events that have not been excluded (if it doesn't correlate the
events). An event like booting up will produce a bunch of event
logs; if we could correlate that "bunch" into a single event that
would be awesome. Given that is not easy to do, I think the next best
thing is to list the event logs to exclude. Maybe I don't care to
get an alert every time the system logs the up time, every successful
log in, any information only events, and "other background noise" but
anything I didn't tell it to exclude I want to know about. If I knew
exactly what events to monitor for today, I won't know what new ones
will be added tomorrow. It's the unknown that has me worried.
-Eric
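Two filtering rules come up in this thread: Chip's explanation earlier that platform.log_track.level selects the configured level and everything above it (Error gives only Error; Debug gives everything), and Eric's proposal above to suppress only known noise and surface everything else so that new event types are not missed. The block below is an added example that models both rules; it is not Hyperic HQ code and not the plugin Doug posted. The sample events are constructed for the example, and the mapping of Windows event types onto HQ levels (Failure Audit as Error, Success Audit as Info) is an assumption.

```python
"""Added example, not Hyperic HQ code: a model of the two filtering rules
discussed in this thread for Windows event log tracking.

* Level threshold, as Chip explains it: the configured level and everything
  above it, ordered Debug < Info < Warn < Error, so "Error" yields only Error
  events and "Debug" yields everything.
* Exclusion list, as Eric proposes: drop only the events explicitly excluded
  (uptime notices, successful logons, informational noise) and surface
  everything else, so newly appearing event types are not lost.

The sample events are constructed for this example; the mapping of Windows
event types onto HQ levels (Failure Audit -> Error, Success Audit -> Info) is
an assumption, not something the thread or the plugin states.
"""
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set, Tuple

# HQ lists these with Error at the top; the number is the rank used for ">=".
LEVELS = {"Debug": 0, "Info": 1, "Warn": 2, "Error": 3}


@dataclass(frozen=True)
class Event:
    log: str        # Windows log name: System, Security, Application, ...
    source: str     # event source as shown in Event Viewer
    event_id: int
    level: str      # HQ level: one of LEVELS
    message: str


# (log, source, event_id); None in any position acts as a wildcard.
Exclusion = Tuple[Optional[str], Optional[str], Optional[int]]


def at_or_above(events: Iterable[Event], threshold: str) -> List[Event]:
    """Apply platform.log_track.level: keep events at `threshold` or higher."""
    if threshold not in LEVELS:
        raise ValueError(f"unknown level {threshold!r}; expected one of {list(LEVELS)}")
    floor = LEVELS[threshold]
    return [e for e in events if LEVELS[e.level] >= floor]


def _matches(event: Event, rule: Exclusion) -> bool:
    log, source, event_id = rule
    return ((log is None or log == event.log)
            and (source is None or source == event.source)
            and (event_id is None or event_id == event.event_id))


def not_excluded(events: Iterable[Event], exclusions: Set[Exclusion]) -> List[Event]:
    """Default-alert model: an event is suppressed only if some rule matches it."""
    return [e for e in events if not any(_matches(e, r) for r in exclusions)]


def track(events: Iterable[Event], threshold: str, exclusions: Set[Exclusion]) -> List[Event]:
    """Level threshold first, then exclusions, as a tracker would chain them."""
    return not_excluded(at_or_above(events, threshold), exclusions)


def event_ids(events: Iterable[Event]) -> List[int]:
    return [e.event_id for e in events]


# Constructed sample entries. 6013 (system uptime), 540 (successful network
# logon, the ID Chip mentions), 529 (logon failure) and 7034 (service
# terminated unexpectedly) are Windows 2003-era IDs; 4242 stands in for an
# event from an application installed after the exclusion list was written.
SAMPLE_EVENTS = [
    Event("System", "EventLog", 6013, "Info", "The system uptime is 86400 seconds."),
    Event("Security", "Security", 540, "Info", "Successful Network Logon: INET3$"),
    Event("Security", "Security", 529, "Error", "Logon Failure: Unknown user name or bad password"),
    Event("System", "Service Control Manager", 7034, "Error", "The Spooler service terminated unexpectedly."),
    Event("Application", "NewApp", 4242, "Warn", "Unexpected condition reported by a newly installed application"),
]

# The background noise Eric describes: uptime notices and successful logons.
NOISE: Set[Exclusion] = {
    ("System", "EventLog", 6013),
    ("Security", None, 540),
}

if __name__ == "__main__":
    for level in ("Error", "Info", "Debug"):
        print(f"log_track.level={level}: {event_ids(at_or_above(SAMPLE_EVENTS, level))}")
    print("exclusion model:", event_ids(track(SAMPLE_EVENTS, "Debug", NOISE)))
```

Running it shows the point of the thread: with the level at Error only the logon failure and the crashed service come through, with Debug everything does, and with the exclusion model the two known-noise events are suppressed while the unfamiliar 4242 from a new application is still surfaced because nothing excluded it.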
dougm_hyperic
VMware Employee

ok, I opened an enhancement to implement this: http://jira.hyperic.com/browse/HHQ-405

I'll attach an updated plugin there when it's ready.

On Dec 16, 2006, at 2:36 PM, Eric Case wrote:

> At 07:07 PM 12/14/2006 -0800, Doug MacEachern wrote:
>> It sounds like you'd prefer to have events from all logs tied to a
>> single resource, I can see advantages to that.
>> How about if we change the system plugin to include a check box [x]
>> Monitor all event logs,
>> where the default would still be the System log, but if the box is
>> checked, the plugin would monitor all?
>
> That would be good. I think the ideal event log monitor would
> send events that have not been excluded (if it doesn't correlate
> the events). An event like booting up will produce a bunch of
> event logs; if we could correlate that "bunch" into a single event
> that would be awesome. Given that is not easy to do, I think the
> next best thing is to list the event logs to exclude. Maybe I
> don't care to get an alert every time the system logs the up time,
> every successful log in, any information only events, and "other
> background noise" but anything I didn't tell it to exclude I want
> to know about. If I knew exactly what events to monitor for today,
> I won't know what new ones will be added tomorrow. It's the
> unknown that has me worried.
> -Eric
dougm_hyperic
VMware Employee


Meant to follow up earlier... this feature was included in the 3.0 release.  Eric, let us know if this does what you need!

On Dec 18, 2006, at 8:00 PM, Doug MacEachern wrote:

> ok, I opened an enhancement to implement this: http://jira.hyperic.com/browse/HHQ-405
> I'll attach an updated plugin there when it's ready.
