Event Log Management

Contents

Overview
Application Event Logs
Security Event Logs
System Event Logs
Other Event Logs
Windows Update Event Logs
Syslog
Event Log Options
Filtering the Event Logs
Filter by Drop-down
Event Log Configuration
Event Blacklist
Adding an Event Log to the Blacklist
Modifying an Event Log in the Blacklist
Deleting an Event Log from the Blacklist
Viewing Event Log History
Creating Event Log Monitors
Creating a Monitor for an Event Log
Creating a Blacklisted Event Monitor
Event Log Summary Report
Troubleshooting
Event Log Monitors Failing to Alert
Event Logs Causing Agent or Computer to Crash
Overriding the Built-In Event Log Limitations
Event Log Error Codes
Document Revision History

Overview

The Logs tab is one of the many tabbed screens that make up the Computer Management screen. The Logs tab contains event log records based on the Windows Event Viewer for the last 24 hours. Event logs record significant events on the agent computer, such as security-related events (e.g., whether a user trying to log on to Windows was successful).

The Logs tab is broken down into five sub-tabs, each giving detailed information on a specific type of event log: Application, Security, System, Other and Windows Update.

This document provides detailed information on how to access the event logs, blacklist events, and create tickets and monitors based on events. For information on the other tabbed screens of the Computer Management screen, please refer to those documents.

To access the Logs tab:

1. From the Control Center navigation tree, expand Clients > Client > Location and then double-click the agent computer.

2. Click the Logs tab.


NOTE: For detailed message explanations, recommended user actions, and links to additional support and resources, visit the Microsoft Events and Errors Message Center.

Figure 1: Logs—Application

NOTE: The event logs are updated by the agent’s inventory schedule and Event Log Mode (inventory only uses schedule, immediately send errors, immediately send all, etc.) defined by its template. To manually update the inventory, select Begin > Commands > Inventory > Resend Events. For more information on Event Log Mode and scheduling, refer to the Agent Templates documentation.

Table 1: Log Tab Field Descriptions

Log Name: The type of event log (e.g., Application, Security, System) together with an icon showing whether the entry is informational, a warning, or an error.

Log Source: The source of the event. This can be the name of the program, a system component, or an individual component of a large program.

Log EventID: An event number that identifies the event type. The Event ID can be used to identify what occurred in the system.

Log Message: The message of the log entry. How much of the message is stored depends on the event type:

- Failure events include the full message.
- Warning and Error events include the first 150 characters of the message.
- Information or Success Audit events include the first 100 characters of the message.
- Success events for Event IDs 4648, 4647, 4624 and 4634 include the full message.

For the truncated types, detail that appears late in a long message (an account name, a file path) will not reach the server, so build monitors and filters on the Event ID and Source rather than on text near the end of the message.

Additional fields: The following fields are not displayed by default. To add any of them, right-click on the column header and select Field Chooser > the desired field.

Log Times Occurred: The number of times this event has occurred in a row. If the event does not occur for 31 days, the count is reset to 0. This period can be altered in the Event Log History field (Dashboard > Config > System > History Retention).

Event BlackListed: A '1' signifies the event has been blacklisted; a '0' signifies it has not.

Log Event type: The type of log entry: Information, Warning, or Error. The default Log Name field also shows this information as an icon.

TIP: Double-click on any entry in the Logs tab and a prompt will open to perform a search for the Event ID. Click Yes at the prompt to perform a search on EventID.net or No to perform a Google search of the event log message. Click Cancel to close the prompt.

Application Event Logs

The application logs contain events logged by programs, such as file errors. Which events are written to the application log is determined by the developers of the program.

To access the application logs, click on the Application tab from the Logs tab.

Security Event Logs

The security logs record events such as valid and invalid login attempts, as well as events related to resource use.

To access the security logs, click on the Security tab from the Logs tab.

System Event Logs

The system logs contain events logged by Windows system components, for example a driver failing to load during startup. Windows predetermines which events its system components log.


Other Event Logs

The Other tab holds event logs that do not appear in the other tabs. Windows Vista and later use a newer event log system (Crimson event logs, see Troubleshooting) with many additional channels; a channel must be added explicitly before it appears on the Other tab. This lets you subscribe to exactly the events you want to manage.

NOTE: There are several default crimson log channels LabTech will subscribe to automatically if detected: System, Setup, Security, Application, DFS Replication, Directory Service, DNS Server, and AppAssure. Logs with these names in the title will automatically be added to the Other tab.

To add program event logs to the Other tab:

1. From the agent machine, select Start > Control Panel > Administrative Tools and double-click Event Viewer. Depending on the OS, you may have to select System and Security, then Administrative Tools.

Figure 2: Event Viewer

2. In the left pane, navigate to the folder that has the logs you want to subscribe to.

3. Select one of the logs and take note of its name (e.g., RMM System).

4. From the agent machine, click the Windows Start button, type 'regedit' in the Search field and press [Enter].

5. Right-click on the registry key for the system's architecture:

For a 32-bit system:

For a 64-bit system:
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\LabTech\Service\CrimsonEventChannels

Figure 3: Registry Editor

6. Select New > DWORD (32-Bit) Value.

7. Enter the name of the log you noted in step 3 as the name of the new registry value.

8. Double-click on the new value to open the Edit window.

Figure 4: Edit DWORD (32-Bit) Value

10. In the Value data: field, enter '1'.

11. Select the Hexadecimal radio button in the Base field.

12. Click OK.

13. Restart the agent on the computer for which the CrimsonEventChannels key is being created. A 'LastEventLogWatcher' key monitors the events for the Crimson Event Channels, and it is only created after the CrimsonEventChannels key exists AND the agent has been restarted.

14. Resend the events inventory (Begin > Commands > Inventory > Resend Events) or wait until the scheduled inventory update. The desired logs should now appear on the Other tab.
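The registry part of the procedure above (steps 4 to 13), scripted as an added example; this is PowerShell written for this page, not LabTech's own tooling. It uses the documented 64-bit key path; the 32-bit path is not reproduced on this page and must be passed in on a 32-bit agent. It assumes the agent's Windows service is named LTService and that the LastEventLogWatcher key is created under the same LabTech\Service key (both assumptions; check Get-Service and the registry on your agent). Channel names must match what Get-WinEvent -ListLog reports, which is the same name Event Viewer shows in step 3.

```powershell
#Requires -RunAsAdministrator
# Added example for this page; not LabTech's own script.
# Subscribes the LabTech agent to additional event channels by creating the DWORD
# values described in the procedure, then restarts the agent so it picks them up.
param(
    # Channel names exactly as Event Viewer / Get-WinEvent -ListLog shows them.
    [string[]]$Channels = @('Microsoft-Windows-TaskScheduler/Operational',
                            'Microsoft-Windows-PowerShell/Operational'),

    # Documented 64-bit location. The 32-bit path is not shown on this page;
    # supply it explicitly on a 32-bit agent.
    [string]$KeyPath = 'HKLM:\SOFTWARE\Wow6432Node\LabTech\Service\CrimsonEventChannels',

    # Assumed name of the agent's Windows service; verify with Get-Service.
    [string]$AgentService = 'LTService'
)

if ((-not [Environment]::Is64BitOperatingSystem) -and ($KeyPath -like '*Wow6432Node*')) {
    throw 'On a 32-bit system supply the 32-bit CrimsonEventChannels path via -KeyPath.'
}

# Create the key if the agent has not created it yet (New-Item -Force creates parents).
if (-not (Test-Path -Path $KeyPath)) {
    New-Item -Path $KeyPath -Force | Out-Null
}

$added = 0
foreach ($name in $Channels) {
    # A misspelled channel silently yields nothing on the Other tab, so verify it exists.
    $log = Get-WinEvent -ListLog $name -ErrorAction SilentlyContinue
    if (-not $log) {
        Write-Warning "Channel '$name' not found; skipping."
        continue
    }
    if ($log.IsEnabled -eq $false) {
        Write-Warning "Channel '$name' exists but is disabled in Windows; nothing will be forwarded until it is enabled."
    }
    # Steps 6-12: a DWORD value named after the channel, with data 1.
    New-ItemProperty -Path $KeyPath -Name $name -PropertyType DWord -Value 1 -Force | Out-Null
    $added++
}

if ($added -gt 0) {
    # Step 13: the watcher key is only created after the agent restarts.
    Restart-Service -Name $AgentService -Force
    Start-Sleep -Seconds 30

    # Assumption: LastEventLogWatcher lives beside CrimsonEventChannels under LabTech\Service.
    $serviceKey = Split-Path -Path $KeyPath -Parent
    $watcher = Get-ChildItem -Path $serviceKey -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -like 'LastEventLogWatcher*' }
    if ($watcher) {
        "Agent picked up the new channels: $($watcher.PSChildName)"
    } else {
        Write-Warning 'LastEventLogWatcher key not present yet; check again after the next agent check-in.'
    }
}
# Step 14 (Begin > Commands > Inventory > Resend Events) is still done from the Control Center.
```

Run it elevated on the agent; the existence check matters because a value whose name does not match a real channel is accepted by the registry but never produces entries on the Other tab.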

Windows Update Event Logs

The Windows Update logs are generated by the Windows Update agent. These logs contain information on OS patches and upgrades.

To access the Windows Update logs, click on the Windows Update tab from the Logs tab.

Syslog

Syslog events can be viewed from the Network Probe tab of the probe enabled agent. For more information, refer to the Network Probe documentation.

Event Log Options

Several options are available from the Logs tab. Refer to the following table for full details. To perform any of these functions, right-click on an event log item and select the appropriate option.

Table 2: Event Log Options

Refresh Logs: Refreshes the event logs in the list from the database, in case new logs have been received from the agent.

Blacklist Event (sub-menu):

Add to Blacklist: Adds the item to the event blacklist without a category (see Table 4). For a list of all blacklisted events, go to the Event Blacklist tab in Dashboard > Config > Configurations. Events can also be blacklisted from that screen.

Add Blacklist Critical: Flags the event as a Critical category event and adds it to the master Event Blacklist (Dashboard > Config > Configurations > Event Blacklist). Events added to the blacklist will initiate an alert when the event re-occurs, if you are using the event log internal monitors.

Add Blacklist High: Flags the event as a High category event and adds it to the master Event Blacklist (Dashboard > Config > Configurations > Event Blacklist). Events added to the blacklist will initiate an alert when the event re-occurs, if you are using the event log internal monitors.

Add Blacklist Disk: Flags the event as a Disk category event and adds it to the master Event Blacklist (Dashboard > Config > Configurations > Event Blacklist). Events added to the blacklist will initiate an alert when the event re-occurs, if you are using the event log internal monitors.

Create Ticket from Event: Opens a Ticket window populated with the event log information. From this screen, you can assign a technician, set a due date, and add more descriptive information.

Create Event Monitor: Creates a system monitor for that particular event. By default, the monitor will check the system every minute. Refer to the Remote Monitors documentation for more information.

Create Event Internal Monitor: Creates an internal monitor for that particular event's Log EventID. Refer to the Internal Monitors documentation for more information on internal monitors.

NOTE: To view the event logs blacklist, select Dashboard > Config > Configurations > Event Blacklist.

Filtering the Event Logs

Filters can be used to narrow the results. Filters allow you to query the database for information without needing an in-depth knowledge of the database schema or SQL.

1. Click on the No Filter button. 'No Filter' is the default setting; clicking the button toggles between 'No Filter' and 'Filtered'. To access the filters, click on the down arrow located to the right of the text.

2. Choose the desired filter (e.g., Log Source). From the menu that displays, select the appropriate operation (Like, Not Like, <=, >=, or =).

3. Enter the criteria associated with the field (e.g., Service Control Manager).

4. Press [Esc] to close the Filter list. If the filter sub-menu is displayed, you will need to press [Esc] twice to close the Filter list.

For more information on all the available options (search, filters, options, etc.) from this screen, please refer to the Dataviews documentation.

Filter by Drop-down

Above each column of the Logs tab there is a drop-down filled with each item of that column. Select an item from the drop-down and select Search. The list will filter to results with that exact name.

NOTE: A wildcard can be used by inserting '%' at the beginning of your search criteria, at the end, or at both ends.

Event Log Configuration


NOTE: The frequency in which agents send event logs to the LabTech server is configured in the agent template. When an agent goes offline, logs created during the down time will be added to the LabTech database the next time the agent checks in.

To change the history retention for the event logs:

1. From the Control Center, select Dashboard > Config > System.

Figure 5: System Dashboard

2. In the History Retention section, enter the desired time, in days, in the appropriate fields.

The Critical Event Log Counts field dictates how long information is stored in the History screen’s Critical Event Counts section.

The Event Log History field dictates how long event logs are stored in the Logs tab.

Event Blacklist

The event blacklist is a list of events that have been specified to be monitored by the LabTech system. This is useful when there is a specific event that indicates a potential security risk or critical system failure.


Figure 6: Event Blacklist

Table 3: Event Blacklist Field Descriptions

Logname: The type of event log (e.g., Application, Security, System).

Source: The source of the event. This can be the name of the program, a system component, or an individual component of a large program.

EventID: The event number that identifies the event type. The Event ID can be used to identify what occurred in the system.

EventType: The numerical representation of the type of event. Refer to Table 5: Event Log Comparisons for the definitions, which depend on the OS used.

Category: The category assigned to the event when it was blacklisted: High, Critical, or Disk.

Message: The full message of the log entry.

NOTE: Click Refresh List to reflect recent changes in the event blacklist.


Adding an Event Log to the Blacklist

To add an event log to the event log blacklist:

1. Enter the Event Log’s Event ID, Source, Message, Log Name, Event Type, and Category into the respective fields.

2. Click Add.

Modifying an Event Log in the Blacklist

To modify an event in the event log blacklist:

1. Select an event log from the list of blacklisted events. The information for the event log automatically populates the fields at the top of the screen.

2. Make the desired changes and click Save.

Deleting an Event Log from the Blacklist

To delete an event log from the blacklist:

1. Right-click on the event log and select Delete. You will be prompted to confirm the deletion.

2. Select Yes to delete the event log from the blacklist or No to close the window and cancel the operation.

Viewing Event Log History

The Event Logs History tab displays event logs older than 24 hours. The amount of history is based on the settings in the Event Log History configuration (Dashboard > Config > System). The default is 31 days.

To access the History screen:

1. From the Control Center navigation tree, expand Clients > Client > Location and then double-click the agent computer.


Figure 7: Computer Management Screen

3. From the History screen, select Event Logs.

Figure 8: History Screen

From the History screen, you can view the Application Log, System Log, Security Log, Other Logs, and Critical Event Counts.

Critical Event Counts are retained based on the settings in the Critical Event Log Counts configuration (Dashboard > Config > System). The default is 7 days.

Creating Event Log Monitors

Monitors can be set up to watch for a particular event log entry or for blacklisted events. This is useful because monitors can not only generate alerts but also run scripts to correct issues, allowing you to automate solutions to common problems and create reports to optimize solutions for customers. For more information on monitors, refer to the Remote Monitors and Internal Monitors documentation.

Creating a Monitor for an Event Log

1. From the Computer Management screen’s Log tab, right-click on the event and select Create Event Monitor or Create Event Internal Monitor.

2. You will be prompted to create the event monitor. Click OK to create or Cancel to close this window. To change the monitor from the default alert template, go to the Monitor tab of the Computer Management screen.

NOTE: The Create Event Monitor option will create a system monitor using the ‘Default-Do Nothing’ alert template and will not require any further action. If you want to change the configuration, please refer to the Remote Monitors and Internal

Monitors documentation.

Creating a Blacklisted Event Monitor

Internal monitors can be created to look for any event in the master Event Blacklist (Dashboard > Config > Configurations > Event Blacklist).

To create a blacklisted event monitor:

1. From the Control Center, select Monitors.

2. Right-click in the monitor list and select New Monitor.

Figure 9: New Internal Monitor


Figure 10: Internal Monitor

4. In the Configuration tab, enter a name for the Monitor in the Monitor Name field.

5. In the Table to Check drop-down, select the 'eventblacklist' table.

6. In the Field to Check drop-down, select the field to check:

- EventblacklistID: the number of the blacklisted event in the database.
- EventID: the event ID number of the event log.
- Source: the program or service that created the log.
- LogName: the name of the log the event log is stored in.
- EventType: the numerical value of the type of event. Refer to Table 5: Event Log Comparisons.
- Message: the message describing the event.
- Category: the category assigned to the event when it was blacklisted.

There are several commands to add an event to the event blacklist: Add to Blacklist, Add Blacklist Critical, Add Blacklist High, and Add Blacklist Disk. Each command adds an event to the event blacklist in a different category. Refer to Table 4: Blacklist Command Comparisons to see which category is flagged with

Table 4: Blacklist Command Comparisons

Command: Event Blacklist Category
Blacklist: n/a
Blacklist Critical: Critical
Blacklist High: High
Blacklist Disk: BU

For the rest of the configuration options for an internal monitor, refer to the Internal

Monitors documentation.

Event Log Summary Report

The Event Log Summary report lists the ten most common event log entries for each agent computer, as well as all error event log entries for the past 24 hours. For more information, refer to the Event Log Summary Report.

Troubleshooting

Event Log Monitors Failing to Alert

Since Windows Vista, Windows has used a new event log system (referred to here as Crimson event logging) that encodes the event type numerically as follows.

Table 5: Event Log Comparisons

Crimson event logging numerical designation: Description
1: Critical or Error
2: Information / Security Audit Success / Security Audit Failure
3: Warning

This matters when creating event log monitors for machines running different operating systems. For example, a monitor set to fail on the event type 'Security Audit Failure' will work on a Windows XP machine, but on a Windows 7 machine the same monitor sees 'Security Audit Failure' as 'Information' and will never fail. The best option for monitors that run on all systems is to set the Event Type to 'Anything' and restrict the monitor with specific Event ID filters.
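The caveat above, shown against the underlying Windows fields as an added example (PowerShell written for this page, not LabTech's own code). On Vista and later, audit events in the Security log are written with Level 0 and display as Information; the success/failure outcome is carried in the Keywords bit-field, exposed by .NET as the StandardEventKeywords AuditSuccess and AuditFailure values. A type-based match therefore never sees an "Audit Failure", whereas an Event ID filter does. Event ID 4625 (failed logon) is the assumed example ID; run elevated, since reading the Security log requires it.

```powershell
# Added example for this page; not LabTech's own code.
# Why a monitor keyed on the 'Security Audit Failure' type never fires on Vista+,
# and the Event ID-scoped filter the text recommends instead.
$kw = [System.Diagnostics.Eventing.Reader.StandardEventKeywords]
$AuditFailure = [long]$kw::AuditFailure
$AuditSuccess = [long]$kw::AuditSuccess
$since = (Get-Date).AddHours(-24)

function Get-AuditOutcome {
    # The outcome lives in the Keywords bit-field, not in the Level.
    param([System.Diagnostics.Eventing.Reader.EventLogRecord]$Record)
    if ($Record.Keywords -band $AuditFailure) { return 'Audit Failure' }
    if ($Record.Keywords -band $AuditSuccess) { return 'Audit Success' }
    return 'n/a'
}

# 1. Inspect a few failed logons: Level is 0 and LevelDisplayName reads 'Information',
#    which is what a type-based monitor compares against.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; ID = 4625; StartTime = $since } -MaxEvents 5 -ErrorAction SilentlyContinue |
    ForEach-Object {
        '{0:u}  ID={1}  Level={2} ({3})  Keywords=0x{4:X16}  -> {5}' -f $_.TimeCreated, $_.Id, $_.Level, $_.LevelDisplayName, $_.Keywords, (Get-AuditOutcome $_)
    }

# 2. The portable filter: any event type, specific Event ID.
$failures = @(Get-WinEvent -FilterHashtable @{ LogName = 'Security'; ID = 4625; StartTime = $since } -ErrorAction SilentlyContinue)
"Failed logons (4625) in the last 24h: $($failures.Count)"

# 3. If a monitor must stay outcome-specific on Vista+, filter on the keyword bit
#    rather than the event type. From the 4624/4625 pair this returns only 4625.
$failOnly = @(Get-WinEvent -FilterHashtable @{ LogName = 'Security'; ID = 4624, 4625; Keywords = $AuditFailure; StartTime = $since } -ErrorAction SilentlyContinue)
"Keyword-filtered audit failures: $($failOnly.Count)"
```

The -ErrorAction SilentlyContinue on each query matters in scripts: Get-WinEvent reports "no events found" as an error rather than an empty result, which would otherwise abort a scheduled check.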

Event Logs Causing Agent or Computer to Crash

In the agent template, the Event Log Mode can be set to immediately send errors, immediately send errors and warnings, immediately send all, and so on. With these settings the agent stores the matching event logs in the registry until its next check-in, when all of them are sent to the LabTech server. If the setting is 'immediately send all', the registry can grow very quickly on a busy machine. This can cause the check-in to crash and, in some cases, the agent or the computer itself. If you are experiencing crashes, check the Event Log Mode setting in the agent template and change it to no higher than 'immediately send errors'.

Overriding the Built-In Event Log Limitations


messages to be transferred and stored. Please note that the current database structure will allow up to 1000 characters, which may not be large enough to store lengthy messages. Additionally, it is important to note that the database size will increase substantially depending on the history length following this change.
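A way to size the load before raising the Event Log Mode (the crash scenario above) or overriding the message limits (the 1000-character column just mentioned), as an added example; this is PowerShell written for this page, not LabTech's own tooling. It surveys the three standard logs over the last 24 hours, which is the same window the Logs tab shows; add any Crimson channels you subscribed to $Logs. Run elevated so the Security log is readable.

```powershell
# Added example for this page; not LabTech's own code.
# Sizes what an aggressive Event Log Mode or a full-message override would push
# through the agent: events per hour by log and level, and how many messages exceed
# the 150-character default cut and the 1000-character database column.
$Logs  = 'Application', 'System', 'Security'   # add subscribed Crimson channels here
$Since = (Get-Date).AddHours(-24)

$events = foreach ($log in $Logs) {
    # Skip logs that are empty or inaccessible rather than aborting the survey.
    Get-WinEvent -FilterHashtable @{ LogName = $log; StartTime = $Since } -ErrorAction SilentlyContinue |
        Select-Object LogName, Id, LevelDisplayName,
                      @{ n = 'MsgLen'; e = { if ($_.Message) { $_.Message.Length } else { 0 } } }
}

# Volume by log and level: roughly what 'immediately send all' would queue per hour.
$events | Group-Object LogName, LevelDisplayName |
    Select-Object @{ n = 'Log/Level'; e = { $_.Name } }, Count,
                  @{ n = 'PerHour'; e = { [math]::Round($_.Count / 24, 1) } } |
    Sort-Object Count -Descending | Format-Table -AutoSize

# Message length profile: how much text the default truncation discards, and how
# many entries would still be clipped by the 1000-character column after an override.
$total    = @($events).Count
$over150  = @($events | Where-Object MsgLen -gt 150).Count
$over1000 = @($events | Where-Object MsgLen -gt 1000).Count
'{0} events in 24h; {1} longer than 150 chars; {2} longer than 1000 chars' -f $total, $over150, $over1000

# Noisiest Event IDs: candidates for the blacklist or for an Event ID-scoped monitor
# instead of forwarding everything.
$events | Group-Object LogName, Id | Sort-Object Count -Descending |
    Select-Object -First 10 Name, Count | Format-Table -AutoSize
```

A machine that produces thousands of Information events per hour is the case the crash note describes; the per-ID listing shows whether the volume is a handful of chatty sources that can be blacklisted rather than a reason to forward less.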

Event Log Error Codes

The following are event log error codes for LabTech:

Table 6: Error Codes

Component: Error Code: Description
Agent: 5001: Errors
Agent: 5000: All Others
DB Agent: 2000: All events
DB Agent: 2001: Loop Reporting
DB Agent: 3000: Plugin Events
DB Agent: 3001: Plugin Errors
DB Agent: 2001: Mobile
DB Agent: 2003: Sync
DB Agent: 2004: Licensing
DB Agent: 2009: Ticketing
DB Agent: 2012: Reports
Client: 2: Login Event
Client: 1: All other events
ASP: 100: Normal log entry
ASP: 101: Error

Document Revision History

Date: Notes

03/01/2012: New

10/27/2012:
- Added event log error codes
- Added default event log message lengths
- Modified Crimson Event Channels information
- Added additional troubleshooting information

02/05/2013: Added step to 'Other Event Logs' section to restart agent.
