
Re: [Bigsister-general] eventlog Monitoring


Hi Paul,

The problem was the tabs between "Application
looks	fine"; now it works great. I wonder if I can customize the rule,
for example for a special event in the eventlog on the W2k3 Server. Is
there any documentation?

Thanks for your help.

Michael

Paul Beeson wrote:
> Hi Michael,
> 	One thing to check is that the fields in the syslog file are separated by 
> tabs and not spaces which causes the rule to be silently ignored.
> 
> Regards,
> 
> Paul Beeson
> 
> suppressed wrote on 21/03/2007 15:54:30:
> 
>> Hi Geier, hi Peter, hi List,
>>
>> hm this doesn't work:
>> "#########
>> Application:
>>
>> default                green    0    Application looks fine
>> Source=([^;]+);.*Severity=1: (.*)        red        15    $1: serious error: $2
>> Source=([^;]+);.*Severity=2: (.*)        yellow    15    $1: error: $2
>> ########### "
>>
>> the rest looks like this:
>>
>> "System:
>>
>> default            green   0   System looks fine
>> The (.*) disk is at or near capacity   red   20   $1 fs full
>> Source=([^;]+);.*scsi            red   15   $1: scsi error
>> Source=([^;]+);.*notice            yellow   15   $1: notice
>> Source=([^;]+);.*warning            yellow   15   $1: warning
>> Source=([^;]+);.*fatal            yellow   15   $1: fatal error
>> Source=([^;]+);.*Severity=1: (.*)      red   15   $1: serious error: $2
>> Source=([^;]+);.*Severity=2: (.*)      yellow   15   $1: error: $2
>>
>> #######################################################################
>> Security:
>>
>> default            green   0   Security looks fine
>> EventID=636;.*Source=([^;]+);.*Severity=8: (.*Target Account\sID:\s*%\{.*S-1-5-32-544\}.*)      red   15   $1:  $2
>> EventID=637;.*Source=([^;]+);.*Severity=8: (.*Target Account\sID:\s*%\{.*S-1-5-32-544\}.*)      red   15   $1:  $2
>> Source=([^;]+);.*Severity=1: (.*)      red   15   $1: serious error: $2
>> Source=([^;]+);.*Severity=2: (.*)      yellow   15   $1: error: $2
>>
>> #########"
>>
>> System and Security work fine. It's a German Windows 2003 SBS Server
>> with Sp1.
>> Any ideas ?
>>
>> Best regards
>>
>> Michael
>>
>> Peter Varlien wrote:
>>> You probably would want the "default" entry to refer to the application
>>> log, rather than to "security".
>>> Presumably Geir did a cut and paste, and overlooked that detail. ;-)
>>>
>>> There is a lot of cool stuff you can do with the eventlog (Windows) and
>>> syslog (Unix/Linux) configuration files.
>>>
>>> Peter
>>>
>>> On Mon, 19 Mar 2007 09:57:31 +0100, Geir Skomsøy <suppressed>
>>> wrote:
>>>
>>>> suppressed wrote:
>>>>> Hi @all,
>>>>>
>>>>> I wonder if it's possible to monitor the "application" eventlog under
>>>>> Windows. We use Win 2003 SBS SP1 and the BS Client Ver. 1_02. The
>>>>> problem is that the service "Microsoft Exchange Information Store
>>>>> service" is running fine, but there is some kind of error with the
>>>>> exchange server and the eventlog indicates that in the application
>>>>> eventlog but bs reports: "- System looks fine - Security looks fine".
>>>>> My uxmon-net:
>>>>> ...
>>>>> localhost(a_different_display_name) eventlog
>>>>> ...
>>>>> Any ideas ?
>>>>>
>>>> Add this to the etc/eventlog logfile:
>>>> #########
>>>> Application:
>>>> default                green    0    Security looks fine
>>>> Source=([^;]+);.*Severity=1: (.*)        red        15    $1: serious error: $2
>>>> Source=([^;]+);.*Severity=2: (.*)        yellow    15    $1: error: $2
>>>> ###########
>>>>
>>>> Add your own rules the same way you do with Security and System.
>>>>
>>>>
>>>> Geir
>>>>
>>>> -------------------------------------------------------------------------
>>>> Take Surveys. Earn Cash. Influence the Future of IT
>>>> Join SourceForge.net's Techsay panel and you'll get the chance to
>>>> share your
>>>> opinions on IT & business topics through brief surveys-and earn cash
>>>> http://www.techsay.com/default.php?page=join.php&p=sourceforge&CID=DEVDEV
>>>> _______________________________________________
>>>> Bigsister-general mailing list
>>>> suppressed
>>>> https://lists.sourceforge.net/lists/listinfo/bigsister-general
>>>>
>>>>
>>>
>>>
>>> --Peter Værlien
>>> Fritz Aabakkens vei 17, 7072 Heimdal, Norway
>>> Telephone: 917 69 384, E-Mail: suppressed,
>>> http://varlien.home.online.no
>>> It always takes a Clinton to clean up after a Bush - Hillary 2008
>>>
>>>
>>>
> 
> 

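Added example (not part of the thread and not Big Sister's own code): a Python check for the failure Paul describes, where a rule whose fields are separated by spaces instead of tabs is silently ignored, so matching events never raise an alarm. The four-field layout, treating a run of tabs as one separator, first-match-wins ordering and the sample event lines are assumptions inferred from the rules quoted in the thread.

```python
import re

COLORS = {"green", "yellow", "red"}   # status names that appear in the thread

def parse_rules(text):
    """Return (rules, problems); assumes pattern, status, number, message split by tabs."""
    rules, problems = [], []
    for no, line in enumerate(text.splitlines(), 1):
        s = line.strip()
        if not s or s.startswith("#") or re.fullmatch(r"\w+:", s):
            continue                       # blank, comment, or "Section:" header
        fields = [f.strip() for f in re.split(r"\t+", s)]
        if len(fields) != 4:               # space-separated lines end up here
            problems.append((no, "expected 4 tab-separated fields, got %d" % len(fields)))
            continue
        pattern, status, number, message = fields
        if status not in COLORS or not number.isdigit():
            problems.append((no, "bad status or number field"))
            continue
        if pattern == "default":
            continue                       # fallback line, not a regex rule
        try:
            rules.append((re.compile(pattern), status, message))
        except re.error as exc:
            problems.append((no, "pattern does not compile: %s" % exc))
    return rules, problems

def classify(rules, event):
    """Return (status, message) of the first matching rule, else None."""
    for rx, status, message in rules:
        m = rx.search(event)
        if m:                              # expand $1, $2 from the capture groups
            return status, re.sub(r"\$(\d)", lambda g: m.group(int(g.group(1))), message)
    return None

# Constructed rule file: the Severity=1 rule uses tabs, the Severity=2 rule uses spaces.
SAMPLE = (
    "Application:\n"
    "default\tgreen\t0\tApplication looks fine\n"
    "Source=([^;]+);.*Severity=1: (.*)\tred\t15\t$1: serious error: $2\n"
    "Source=([^;]+);.*Severity=2: (.*)    yellow    15    $1: error: $2\n"
)
# Constructed event lines shaped to fit the patterns above.
EVENT_SEV1 = "EventID=1000;Source=ExampleService;Severity=1: constructed failure text"
EVENT_SEV2 = "EventID=1001;Source=ExampleService;Severity=2: constructed warning text"

if __name__ == "__main__":
    rules, problems = parse_rules(SAMPLE)
    print(problems)                        # flags line 4, the space-separated rule
    print(classify(rules, EVENT_SEV1), classify(rules, EVENT_SEV2))
```

The Severity=2 event returns None because its rule was never loaded, which is the monitoring gap a lint like this catches before the file is deployed.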

