
How to add more windows event Logfiles (not process specific logs) to monitor?

Hello, currently Dynatrace monitors only the Application, System & Security log files from the path C:\Windows\System32\winevt\Logs, but there are other logs too that are not monitored, and Dynatrace doesn't provide a way to manually configure these log files. Manually adding log files is provisioned only at process level but not at host level. Is there a way to achieve this? Maybe a plugin?


Jacek_Glowczews
Newcomer

Hi @Srinivas V.

Please, add a line (CustomFile=Process Group Id, log path) in ruxitagentloganalytics.conf
(https://www.dynatrace.com/support/help/how-to-use-dynatrace/log-monitoring/configuration/log-analyti...)

For example:
CustomFile=0x201744FC09941B85, C:\Windows\System32\winevt\Logs\Windows PowerShell.evtx


Best regards
Jacek

Hi @Jacek G., which process group to choose? As I said, these are host level logs.

I added this entry for a random process group, but Dynatrace hasn't detected it.

Hi @Srinivas V.

>>Which process group to choose? As I said, these are host level logs.<<
My mistake, I thought that the problem was that you would like to add *.evtx only from one host, and that's why I mentioned this possibility.

>>I added this entry for a random process group, but Dynatrace hasn't detected it.<<
I have just tested this solution and it works.
Please check that you used a proper PG ID (not PGI ID).

If you want, I can check your configuration (give me the link)

Best regards
Jacek

Hi @Jacek G., I did add the entire entity ID for the process group. I tried adding a # prefix as well to the entry but it didn't work.


Here is the piece from my conf file:

#CustomFile=PROCESS_GROUP-CF99C6F00629C9BB, C:\WINDOWS\System32\winevt\Logs\CxMonSvcLog.evtx

Hi @Srinivas V.

Please, add this line
CustomFile=0xCF99C6F00629C9BB, C:\WINDOWS\System32\winevt\Logs\CxMonSvcLog.evtx

(without #)
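The mistakes worked through in the exchange above (a `#`-prefixed line, an entity id instead of the `0x` form, a PGI id instead of a PG id) can be caught before restarting the agent. This is an added example, not code from the thread or from Dynatrace; the function names are hypothetical, the 16-hex-digit id length is inferred from the two ids quoted in the thread, and `#` lines are treated as inactive because that is what the thread reports.

```python
import re

# Constructed sample of ruxitagentloganalytics.conf lines, modelled on the thread.
SAMPLE_CONF = r"""
AppLogAutoDetection=true
#CustomFile=PROCESS_GROUP-CF99C6F00629C9BB, C:\WINDOWS\System32\winevt\Logs\CxMonSvcLog.evtx
CustomFile=PROCESS_GROUP-CF99C6F00629C9BB, C:\WINDOWS\System32\winevt\Logs\CxMonSvcLog.evtx
CustomFile=PROCESS_GROUP_INSTANCE-CF99C6F00629C9BB, C:\WINDOWS\System32\winevt\Logs\CxMonSvcLog.evtx
CustomFile=0xCF99C6F00629C9BB, C:\WINDOWS\System32\winevt\Logs\CxMonSvcLog.evtx
"""

# Assumption: a PG id is "0x" + 16 hex digits, as in both ids quoted in the thread.
HEX_ID = re.compile(r"0x[0-9A-Fa-f]{16}")
ENTITY_ID = re.compile(r"(PROCESS_GROUP(?:_INSTANCE)?)-([0-9A-Fa-f]{16})")

def check_custom_file(line):
    """Return (status, message); status is None when the line is not a CustomFile entry."""
    stripped = line.strip()
    commented = stripped.startswith("#")
    body = stripped.lstrip("#").strip()
    if not body.startswith("CustomFile="):
        return (None, "")
    pg_id, sep, path = body[len("CustomFile="):].partition(",")
    pg_id, path = pg_id.strip(), path.strip()
    if commented:
        return ("inactive", "line starts with #; remove it to enable the entry")
    if not sep or not path:
        return ("error", "expected 'CustomFile=<PG id>, <log path>'")
    m = ENTITY_ID.fullmatch(pg_id)
    if m and m.group(1) == "PROCESS_GROUP_INSTANCE":
        return ("error", "PGI id given; a process group (PG) id is required")
    if m:
        return ("error", "use 0x%s instead of the entity id" % m.group(2))
    if not HEX_ID.fullmatch(pg_id):
        return ("error", "PG id should be 0x followed by 16 hex digits")
    return ("ok", path)

def lint(conf_text):
    """Check every line; return (line number, status, message) for CustomFile entries."""
    results = []
    for n, line in enumerate(conf_text.splitlines(), 1):
        status, msg = check_custom_file(line)
        if status:
            results.append((n, status, msg))
    return results

if __name__ == "__main__":
    for n, status, msg in lint(SAMPLE_CONF):
        print(f"line {n}: {status}: {msg}")
```

Running it against a copy of the real file before recycling the agent shows which extra event logs, such as the PowerShell log mentioned earlier, are actually configured for collection.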

Thanks @Jacek G., it works, but can't it be added at host level?

Hey @Srinivas V.

Unfortunately no.
It is reserved only for 3 Windows Events Logs: Application, System and Security.

Thanks @Jacek G.

ChadTurner
Leader

You can do this from the settings page. To get there, navigate to the host you intend to collect more log files off of, and once there select '...' or "edit" and select log Analytics. From there you will be able to add a log detection rule at the host level and not at the process level.

Let me know if you need a hand with this.

-Chad

Hi @Chad T., I don't see a log analytics section within the host section.

Interesting. Granted, it's been a while since we've done this, but I did see where you might need to go to the Windows systems at a process level and define the location. I'm confirming this now with support:

-Chad

To have it at the host level, you will need to adjust the config file and then recycle the OneAgent. Here are the steps to do so:

https://www.dynatrace.com/support/help/how-to-use-dynatrace/log-monitoring/configuration/log-analyti...

You can only change it in the UI at the process level.

-Chad

Hi Chad, Could you please point me at the correct config item to use to display the log at host level?

For host level you will need to do the following:

1.) Navigate to the following directory:

Windows: C:\ProgramData\dynatrace\oneagent\agent\config\

Linux: /var/lib/dynatrace/oneagent/agent/config/

2.) Edit the ruxitagentloganalytics.conf file

- If this file does not exist, copy the ruxitagentloganalytics.conf.template file and paste the copy into the directory as listed in step 1, but rename it to ruxitagentloganalytics.conf.

3.) Ensure that the following is included in the config file (if not, add AppLogAutoDetection=true):

  • AppLogAutoDetection
    Enables auto-detection of log files on this host. If set to false, logs won't be auto-detected.
  AppLogAutoDetection=true

4.) Put in the following in the log file (put in the path of the log file):

  • LogEntryPrefix
    Defines the prefix of the log entry. If a match is found, the log line will be considered a log entry.
  LogEntryPrefix=/var/ossec/logs/alerts/alerts.log,** Alert

5.) Save the file and recycle the OneAgent. This will then allow the OneAgent to find and capture the log file that you just defined.

-Chad

Hi Chad, when I add the log path it won't allow me to add any new files at host level; it just starts monitoring all the log files it autodiscovered and says any new log will be monitored automatically.