The component monitor eventually returns to its original status as time passes so you may not notice a matching event unless you create an alert to email you when the component goes down.
This component monitor uses the following ports:
- TCP/135; RPC/named pipes (NP) TCP 139, RPC/NP TCP 445, RPC/NP UDP 137, RPC/NP UDP 138
Statistic
The number of recent events matching your defined criteria.
Field Descriptions
Description
This field provides a default description of the monitor. You have the ability to override the default description by adding to or replacing the text, which will then be automatically saved. The variable to access this field is $UserDescription.
Enable Component
Determines whether the component is enabled. Disabling the component leaves it in the application in a deactivated state not influencing either SolarWinds SAM application availability or status.
Credential for Monitoring
Select a Windows credential that has access to the Windows event logs on the target node. This is typically a Windows administrator-level credential. If the credential you need is not already present in the credentials list, use the Quick Credentials section to add a new credential.
Fetching Method
Select either WMI or RPC.
RPC uses significantly more bandwidth than WMI.
Log to Monitor
Select Any Log to match events found in any log or select a specific log to restrict your search. If the log you want is not listed, select Custom.
Custom Log to Monitor
Enter the log names as they appear in the Windows event log viewer. Separate multiple log names with commas. Example: Internet Explorer, SolarWinds.net.
Match Definition
Select Any error in log generates a match if that is sufficient for your needs, or select Custom to further restrict the match criteria.
Log Source
Enter a log source to further restrict the match criteria or leave the field blank to match all possible log sources.
Event ID
Select the desired option to further restrict the match criteria for event IDs or leave the field blank to find all possible event IDs:
- Find all IDs – match all event IDs
- Match only specific IDs – match all event IDs listed (separate multiple IDs with commas)
When you use multiple event IDs separated by commas, the logic used to combine these event IDs is “OR,” so all events that contain one of the event IDs listed are matched.
- Exclude specific IDs – exclude all event IDs listed (separate multiple IDs with commas)
Event Type
Select Any Event to match any event type in the log, or select a specific event type to further restrict the match criteria.
User who generated Events
Enter a user name to further restrict the match criteria. Leave this field blank to match any users. Enter "N/A" to select only events with no specific user.
Include events
Select With Keywords Below to specify keywords or phrases as the match criteria. Select Matching Regular Expression Below to specify regular expressions that match text that appears in the events. For information about the regular expressions syntax, see .”NET Framework Regular Expressions,” http://msdn.microsoft.com/en-us/library/hs600312%28VS.80%29.aspx.
Exclude events
Select With Keywords Below to specify keywords or phrases as the match criteria. Select Matching Regular Expression Below to specify regular expressions that match text that appears in the events. For information about the regular expressions syntax, see .”NET Framework Regular Expressions,” http://msdn.microsoft.com/en-us/library/hs600312%28VS.80%29.aspx.
Number of past polling intervals to search for events
Enter the number of polling intervals worth of time you want to search the event logs. For example, to always search the past 20 minutes of event logs, you could set the application polling interval to five minutes and then set the Number of Past Polling Intervals to four (4 x 5mins = 20mins). Fractional values are valid.
Collect Detailed Data of Matched Events
Message and other details of matched events will be available for viewing and alerting when enabled.
If a match is found in a polling period, component is
Select whether a found match should set the component status to Up or Down. You can also take action using the Based on Event Types, or Based on Event Count options.
- Based on Event Types - With this option, the result status of the component monitor will never be down for a successful poll:
- Critical - When there is at least one event with a severity of Error or FailureAudit.
- Warning - When there is at least one event with a severity of Warning.
- Up - When all matched events are either Informational or SuccessAudit.
- Based on Event Count - With this option, the status of the component monitor will never be down for a successful poll and the thresholds for the returned value will be applied against the number of matched events.
Convert Value
Checking the Convert Value check box opens the Formula box. From here, you have the ability to manipulate the returned value with a variety of mathematical possibilities. You can choose common functions from the drop down lists to manipulate the returned value, or you can select the Custom Conversion option. For more information, see Conversion value.
Statistic Threshold
This field allows you to specify when a threshold that indicates a warning or critical level has been breached. Logical operators are in the drop down followed by a blank field for you to enter the value of this threshold. For example: Less than 15 for warning, Less than 5 for critical.See setting Application Monitor Thresholds for more information.
User Notes
This field allows you to add notes for easy reference. You can access this field by using the variable, $UserNotes.
Source: http://docphy.com/technology/computers/software/windows-event-log-monitor.html
No comments:
Post a Comment