Overview

The Windows Event Log Plugin monitors the Windows Event Log for the existence of a given event. It stores the details of the last event it processed in a SQL database, so that each run knows where the previous run ended and the same events are not reported over and over.

Name and Version

Windows Event Log Monitor

Compatible with

dynaTrace 5.x, 6.x

Author

Derek Abing

License

dynaTrace BSD 

Support Level

Community Supported

Download

com.eventLogMonitor_2.0.1.jar

Screenshots

Installation

Import the plugin on the dynaTrace Server. For more details, see Plugins.

The table in the database can be created by running this SQL script, or you can use the screenshot of the table's Design view to enter the columns manually. The script creates the table in a database called dynaTracePluginDB; change this name if you wish.

Monitor Properties

When setting up the monitor you need to define the following configuration properties:

EventLog
    The Event Log in which the event is recorded (e.g. Application, System or Security).

Search Term
    The search term is the XPath query obtained from the XML view of a Windows Event Viewer filter. You can either tweak the values in the example below, or build your own: log on to the server, apply the filter in Event Viewer (as seen in the image), then open the XML tab, which shows the XML of that filter. Remove everything else from the filter XML (as seen in the image) so that only the query expression remains, as in the example, and make sure the Date/Time condition uses greater than (">"). That way the first time the Monitor runs it starts with the records after that date and keeps track of where it left off going forward.

    EXAMPLE: *[System[Provider[@Name='eventlog' or @Name='Microsoft-Windows-Eventlog'] and (EventID=6008) and TimeCreated[@SystemTime>'2014-01-13T06:00:00.000Z']]]

SQLServer
    The name of your SQL Database Server on which you created the dynaTracePluginDB database.

Username
    The username used to connect to the database (SQL Server Authentication).

Password
    The password for that username (SQL Server Authentication).

Mail Host
    Optional field giving the IP address or hostname of an SMTP server that is reachable from the Collector on which the monitor runs.

    When this field is configured, each individual event that matches the Search Term is e-mailed in XML format.

    When this field is configured, the next three fields are required as well.

Mail From
    Sender e-mail address (check with your mail administrator which source domains the SMTP server above accepts).

Mail To
    Recipient(s) who should receive the event details.

Mail Subject
    Subject header for the mails to be sent.

Monitoring Measures

New Message
    If new event log messages are found, this is the number of matched events since the last check; otherwise it is 0.

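
The checkpointing described in the Overview and under Search Term, and the New Message count above, can be modelled in a few lines. The following Python is an added example, not code from the plugin or its author: it builds a Search Term in the format the page documents, applies the same Provider, EventID and TimeCreated predicates to a constructed sample of event XML, and advances a checkpoint that stands in for the row the plugin keeps in dynaTracePluginDB. The sample records, the provider names, and the assumption that the stored position is the TimeCreated of the newest matched event are all constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# Default namespace of the <Event> documents that Event Viewer shows on its XML tab.
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}


def parse_system_time(value):
    """Parse a TimeCreated/@SystemTime value such as 2014-01-13T06:00:00.000Z.

    Windows writes up to seven fractional digits; datetime accepts six, so trim.
    """
    m = re.fullmatch(r"(\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d)(?:\.(\d+))?Z", value)
    if not m:
        raise ValueError(f"unexpected SystemTime format: {value!r}")
    frac = (m.group(2) or "0")[:6].ljust(6, "0")
    naive = datetime.strptime(f"{m.group(1)}.{frac}", "%Y-%m-%dT%H:%M:%S.%f")
    return naive.replace(tzinfo=timezone.utc)


def format_system_time(dt):
    """Render a UTC datetime in the millisecond form used in the Search Term."""
    return dt.strftime("%Y-%m-%dT%H:%M:%S.") + f"{dt.microsecond // 1000:03d}Z"


def build_search_term(providers, event_id, since):
    """Assemble a Search Term with the three predicates the page's example uses."""
    names = " or ".join(f"@Name='{p}'" for p in providers)
    return (f"*[System[Provider[{names}] and (EventID={event_id}) "
            f"and TimeCreated[@SystemTime>'{format_system_time(since)}']]]")


def matching_events(events_xml, providers, event_id, since):
    """Apply the same three predicates to a document of <Event> records.

    Returns (EventRecordID, TimeCreated) for each match, in log order.
    """
    root = ET.fromstring(events_xml)
    matched = []
    for ev in root.findall("e:Event", NS):
        system = ev.find("e:System", NS)
        provider = system.find("e:Provider", NS).get("Name")
        eid = int(system.find("e:EventID", NS).text)
        created = parse_system_time(system.find("e:TimeCreated", NS).get("SystemTime"))
        record = int(system.find("e:EventRecordID", NS).text)
        if provider in providers and eid == event_id and created > since:
            matched.append((record, created))
    return matched


def run_check(checkpoint, events_xml, providers, event_id):
    """One monitor execution: returns (New Message count, new checkpoint).

    The checkpoint stands in for the plugin's database row (assumption: the
    stored position is the TimeCreated of the newest matched event, so that
    event is not reported again on the next run).
    """
    matched = matching_events(events_xml, providers, event_id, checkpoint)
    if matched:
        checkpoint = max(created for _, created in matched)
    return len(matched), checkpoint


# Constructed sample log: four System-log records in Event Viewer's XML form.
# Record 1001 predates the checkpoint, 1003 is a different event, 1002 and 1004 match.
SAMPLE_LOG = """<Events xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <Event><System><Provider Name="EventLog"/><EventID>6008</EventID>
    <TimeCreated SystemTime="2014-01-12T23:15:00.000Z"/><EventRecordID>1001</EventRecordID></System></Event>
  <Event><System><Provider Name="EventLog"/><EventID>6008</EventID>
    <TimeCreated SystemTime="2014-01-13T08:30:12.5150000Z"/><EventRecordID>1002</EventRecordID></System></Event>
  <Event><System><Provider Name="Service Control Manager"/><EventID>7036</EventID>
    <TimeCreated SystemTime="2014-01-13T09:00:00.000Z"/><EventRecordID>1003</EventRecordID></System></Event>
  <Event><System><Provider Name="Microsoft-Windows-Eventlog"/><EventID>6008</EventID>
    <TimeCreated SystemTime="2014-01-13T10:45:30.000Z"/><EventRecordID>1004</EventRecordID></System></Event>
</Events>"""

PROVIDERS = ("EventLog", "Microsoft-Windows-Eventlog")
EVENT_ID = 6008


def demo():
    """Two consecutive runs over the same log: the second must report 0 new events."""
    checkpoint = parse_system_time("2014-01-13T06:00:00.000Z")
    print(build_search_term(PROVIDERS, EVENT_ID, checkpoint))
    first, checkpoint = run_check(checkpoint, SAMPLE_LOG, PROVIDERS, EVENT_ID)
    second, checkpoint = run_check(checkpoint, SAMPLE_LOG, PROVIDERS, EVENT_ID)
    return first, second, format_system_time(checkpoint)


if __name__ == "__main__":
    print(demo())
```

Run it directly to see the generated Search Term and the two counts (2 on the first run, 0 on the second). Advancing the checkpoint only on a match has a consequence worth knowing: for a rare event the stored date stays put, so every run re-evaluates the log from that date onward.
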
  1. Anonymous

    Hello,

    I want to say thanks for creating this plug-in and sharing with the community. It worked great! The only thing we had to do extra was run the collector service under a user that had access to event logs on the target servers.

    The customer I was working with asked if the detailed message, when the plug-in matches, can be sent in an email message, as today only the server, rule name, value 0 or 1, etc. is passed.

    They don't care about the info being written to the performance warehouse, and I think that would be overkill also. Having the details in the email would save them the time of having to go to that server and open the details.

    I was talking to an internal resource and he said it may be possible by either adding extra parameters to the current plug-in that could be passed in an incident, or combining this plug-in so it also sends the email.

    Regardless I want to pass along the feedback that it worked great and the first enhancement request.

    Regards,

    Mike

  2. Anonymous

    The Incident framework can't see context level information from a Monitor so it needs to be stored somewhere to be referenced. Only threshold related data is exposed to incidents. For us, whenever it finds a new event it stores the information in a database (this isn't the dynaTrace database, but a separate database) and we've configured our custom email plugin that we wrote to just query for those occurrences so it passes the event details within the alert.

  3. Anonymous

    Hi Derek,

    Thanks for the update. So your custom email program queries the dynaTracePluginDB used for this plug-in? Also, are you willing to share your custom email program? I can be reached at michael.ferguson@dynatrace.com. This is for a customer of mine.

    Thank you again for your contribution as this plug-in is awesome!

    Mike

  4. Anonymous

    Hi Mike,

    Unfortunately I can't share it since it won't do any good since it's so specific to our environment. This same custom Action plugin has a bunch of things built into it specific to us. This custom email plugin could probably be modified to accommodate this though.

    Extended EMail Action Plugin

    Thanks,

    Derek

  5. Anonymous

    Hi,

    I am having issues when using the plugin. In the logs I get the following error and I'm not sure if this could be related to same issue that is mentioned above?

    Error occured while getting initial database connection: : Cannot open database "dynaTracePluginDB" requested by the login. The login failed. ClientConnectionId:.....

    Thanks

    Katlego

  6. Anonymous

    Katlego,

    Sounds like the SQL account you entered into the monitor can't connect to the database. Can you verify?

    Thanks,

    Derek

  7. Anonymous

    Hi,

    I found the issue. The Plugin does not have a db table that you can specify, and this is a big problem, especially when you have a db that has been created for storage.

    Please can you add the db table name instead of using the custom one. This will make the plugin more friendly to the end user.

    Thanks

    Katlego

  8. Anonymous

    Hi

    I am trying to implement Event monitor at a customer site and I get an error “An error has occured in the processing of the XML.  Please check the logs for more information.”

    1.jpg

    The configuration is attached below

    2.jpg

    3.jpg

    Please refer to the attachments in this post and let me know if I am going wrong somewhere in configuring this plugin.

    Regards

    Ibrahim

  9. Anonymous

    If all we want from this is getting a count on the occurrence of the incidents to alert off of, can this be run without setting up/connecting to a SQL server?

  10. Anonymous

    Hi,

    Can you please help us on the issue which Ibrahim reported. We have cross checked the logs and installations of the plugins.

    Regards,

    Aravindhan

  11. Anonymous

    Aravindhan,

    Did you change the Dynatrace Collector Service to run under a domain user that had access to event logs on the target servers? If you didn't then this is probably your issue.

    Thanks,

    Mike

  12. Anonymous

    Michael,

    After we updated the Search Term with the help of the sample provided on the page, we could see that the plugin execution completed successfully, but we are still seeing the result as zero even though the log is available. We have used the below query to search.

     *[System[Provider[@Name='EventLog' or @Name='Microsoft-Windows-Eventlog'] and (EventID=2153)]]

    Where we could see the query has been updated in the table as it is.

    Note: The domain user has been used to run the Collector Service which had access to target servers and event logs.

    Please help us to resolve this.

    Thanks,

    Aravindhan

  13. Anonymous

    Aravindhan,

    I am not the author of the plug-in but can try and help. In the search term in the plug-in config, did you add date and time to your query? If not it won't work. This is from above in the Plug-in Help.

    "you'll want to make sure your Date/Time is set to greater than (">"). That way the first time the Monitor runs it will start with the records after that date and will keep track of where it left off going forward."

    EXAMPLE: *[System[Provider[@Name='eventlog' or @Name='Microsoft-Windows-Eventlog'] and (EventID=6008) and TimeCreated[@SystemTime>'2014-01-13T06:00:00.000Z']]]

    Thanks,

    Mike

  14. Anonymous

    Mike,

    We have tried by appending the time filter as well. Still we could not see that data.

    Regards,

    Aravindhan

  15. Anonymous

    Mike,

    As stated earlier, the execution was completed successfully. But we are not getting the values even though there is a message.

    Thanks,

    Aravindhan

  16. Anonymous

    Mike,

    Is there any update in this plugin issue.

    Thanks,

    Aravindhan

  17. Anonymous

    Hi Aravindhan,

    Sorry, I am not the author of the plug-in, but I have used it before. Can you put together a Word doc of the screens of your plug-in setup and send it to michael.ferguson@dynatrace.com. I will take a look and respond back to you, and possibly do a WebEx if you're open. Also, please confirm you set up the SQL Database that's required for this plug-in to work.

    Thanks,

    Mike

  18. Anonymous

    I just tried it again on my local instance and used this as my Search Term in the Plugin Config. I am looking for Event ID 7036 in the Windows System Event Log.

    *[System[(EventID=7036) and TimeCreated[@SystemTime>'2015-11-19T06:00:00.000Z']]]

    Thanks,

    Mike

  19. Anonymous

    Hi Mike,

    Thanks for the response. I have sent the logs and screenshots for the plugin result.

    Regards,

    Aravindhan

  20. Anonymous

    Hi There,

    Are there any plans to update this plugin to use AD authentication to access the database? Or is it possible to get the source code to modify it?

    Thanks,

    Luis

    1. Anonymous

      Luis, you can download the jar and it will contain the source, just extract the contents as you would in a compressed (zip) file.

  21. Anonymous

    If I have an old 2003 server do you think it would work on that? There is no XML view for filtering as that was not added until 2008 I think. Is the xml filter used by the plugin or needed to be passed to windows?

  22. Anonymous

    Nice plugin ... I've been reviewing it, and have read the historical requests/comments.

    If anyone is interested, I can share/publish my updates :

    • finding/matching events doesn't put the monitor plugin's status in warning - this is a perfectly normal event.
    • the plugin doesn't return 0 or 1, but the actual count of matched events.
    • optional configuration fields are added to allow mailing out each individual event in XML format.
    • quotes were added around the log filename, to support log files with spaces in their names.

    Future improvements to be added:

    • detect query issues - identify errors when result is empty [ e.g.: security errors, or bad command/filter ]
    • time progression is limited to last matched event (instead of last check) - rare events may require a full log scan on each invocation

    1. Anonymous

      Hi Jeroen,

      can you please share your updates. Here you can find a description on How to release a new version of a plugin

      Would be great to have a new version of this plugin.

      Ingo

  23. Anonymous

    Hi Folks,

    I've been experimenting with this for a few days and it doesn't seem to work for me.  Here is what I'm seeing:

    The query is being run, data is coming back from the Windows event logging system, but it is not being written correctly to the database.  

    The fields RecordNumber and EventID will both receive a copy of the Search Term string.  The fields Host and EventSource get the correct values.  And the field EventDescription gets one very long string which appears to be all the matching events concatenated into one string.

    I'm running on Windows Server 2008 R2 and using DynaTrace 6.2.6.1006

    Any advice?

    Thanks,

    Bill

  24. Anonymous

    Hi,

    I understand now.  The DB contents aren't for general usage, only for usage by the plugin.  Ignore what goes in there.

    When one configures the plugin with the filter value developed as the instructions say, it will set or clear its measure depending on whether it finds the event or events you have it configured for.

    Works great.  Just requires close reading of the instructions.

    Bill

  25. Anonymous

    Hey everyone,

    I was using this plugin with success in 6.0.  I have recently upgraded to 6.5 and now the plugin isn't capturing any of the Windows events as it did in 6.0.  Is there anything I need to redeploy to make this plugin work after the upgrade?  I checked the eventMonitor log file and nothing is being logged.  The plugin is running successfully.  It's just not capturing the Windows events.  Nothing has changed with the plugin config.

    Thank you very much for any help,

    Tom

    1. Anonymous

      Never mind, I just saw that it was caused by the 6.5 Plugin Collector not using a domain account.

  26. Anonymous

    Hi

    I'm having no luck connecting to the database, which is remote. Does it have to be on the dynaTrace server?

    We have a dedicated vantage database instance at:-

    DPCCSQL01\VANTAGE on which I created the database dynaTracePluginDB and ran the script above.

    Putting this in the server string field I get the following error message in the log file:-

    2016-11-09 13:11:39 SEVERE [EventMonitor@VantageView Log Monitor_0] Error occured while getting initial database connection: : Login failed for user 'Vantage'. ClientConnectionId:d96225d6-31e9-4199-a538-14afa70e838f

    I have checked the credentials for Vantage several times and they are correct, and I can log on to that database instance directly using the SQL client?

    1. Anonymous

      Hi,

      are you using SQL Server authentication or Windows Authentication for the Vantage user? When I tried, I couldn't get it to work with Windows authentication, so I created a local SQL db user to access these tables.

  27. Anonymous

    Hi Jeroen

    Thanks for the response, there is a vantage account in SQL with rights to the database and there is also a vantage account on the domain without rights to the database. Perhaps I should create a dedicated SQL user account with a different name, just to test it.

  28. Anonymous

    Hello everyone,

    I am also trying to display the contents of the "Detailed Message" section in an email.  Has anyone figured out how to achieve this?  I've tried all the parameters available in the Extended Mail Action Plugin, but unfortunately, this didn't work either.

    Thanks,

    Tom

    1. Anonymous

      Release 2.0.1 adds new properties and functionality to achieve this.

      WKR, Jeroen

  29. Anonymous

    Hello All,

    I just wanted to confirm with anyone who might know the answer to this, not sure if I may have missed this info, but is this plugin compatible with Windows Server 2012? I tried querying a Windows Server 2008 and it worked just fine, I'm receiving the alert and all, but when I query the same Event ID and Log on the Server 2012, it stated that it ran successfully in DynaTrace, but it did not trigger any alert.

    Thanks,
    Eri

    1. Anonymous

      Nevermind; realized that the collector was running as local system account, changed it to run with domain svc account, I'm getting the alert now.