10 Jun 2020 05:43 AM
Hello, currently Dynatrace monitors only the Application, System & Security log files from the path C:\Windows\System32\winevt\Logs, but there are other logs too that are not monitored, and Dynatrace doesn't provide a way to manually configure these log files. Manually adding log files is provisioned only at process level but not at host level. Is there a way to achieve this? Maybe a plugin?
10 Jun 2020 07:11 AM
Hi @Srinivas V.
Please, add a line (CustomFile=Process Group Id, log path) in ruxitagentloganalytics.conf
(https://www.dynatrace.com/support/help/how-to-use-dynatrace/log-monitoring/configuration/log-analyti...)
For example:
CustomFile=0x201744FC09941B85, C:\Windows\System32\winevt\Logs\Windows PowerShell.evtx
Best regards
Jacek
10 Jun 2020 07:31 AM
Hi @Jacek G., which process group to choose? As I said, these are host level logs.
10 Jun 2020 07:56 AM
I added this entry for a random process group, but Dynatrace hasn't detected it.
10 Jun 2020 12:34 PM
Hi @Srinivas V.
>>Which process group to choose? as i said these are host level logs <<
My mistake, I thought that the problem was that you would like to add *.evtx only from one host; that's why I mentioned this possibility.
>>I added this entry for a random processgroup, but dynatrace hasnt detected it <<
I have just tested this solution and it works.
Please check that you used a proper PG ID (not PGI ID).
If you want, I can check your configuration (give me the link).
Best regards
Jacek
10 Jun 2020 03:00 PM
Hi @Jacek G., I did add the entire entity ID for the process group. I tried adding a # prefix as well to the entry but it didn't work.
Here is the piece from my conf file:
#CustomFile=PROCESS_GROUP-CF99C6F00629C9BB, C:\WINDOWS\System32\winevt\Logs\CxMonSvcLog.evtx
12 Jun 2020 08:36 AM
Hi @Srinivas V.
Please, add this line
CustomFile=0xCF99C6F00629C9BB, C:\WINDOWS\System32\winevt\Logs\CxMonSvcLog.evtx
(without #)
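The two corrections made in the reply above (drop the leading `#`, and write the process group ID as `0x` plus the hex digits rather than as `PROCESS_GROUP-...`) can be checked before the agent is restarted. This is an added example, not part of the original thread and not Dynatrace tooling; the function names, the 16-hex-digit ID length and the `PROCESS_GROUP_INSTANCE-` prefix for PGI IDs are assumptions.

```python
import re

# Hypothetical checker; the accepted forms are taken from the lines quoted in this thread.
# Assumption: IDs are 16 hex digits, and PGI entity IDs start with PROCESS_GROUP_INSTANCE-.
PG_HEX = re.compile(r"^0x[0-9A-Fa-f]{16}$")
PG_ENTITY = re.compile(r"^PROCESS_GROUP-([0-9A-Fa-f]{16})$")
PGI_ENTITY = re.compile(r"^PROCESS_GROUP_INSTANCE-[0-9A-Fa-f]{16}$")

def check_custom_file(line):
    """Return (status, message, suggested_line) for one config line."""
    text = line.strip()
    commented = text.startswith("#")
    text = text.lstrip("#").strip()
    if not text.startswith("CustomFile="):
        return ("skip", "not a CustomFile entry", None)
    value = text[len("CustomFile="):]
    # Split on the first comma only: the log path may contain spaces or commas.
    pg_id, sep, path = value.partition(",")
    pg_id, path = pg_id.strip(), path.strip()
    if not sep or not path:
        return ("error", "expected 'CustomFile=<PG id>, <log path>'", None)
    problems = []
    if commented:
        problems.append("line is commented out with '#'")
    if PGI_ENTITY.match(pg_id):
        return ("error", "this is a PGI id; a process group (PG) id is required", None)
    m = PG_ENTITY.match(pg_id)
    if m:
        problems.append("entity-id form used; write the hex part with a 0x prefix")
        pg_id = "0x" + m.group(1)
    elif not PG_HEX.match(pg_id):
        return ("error", f"unrecognised process group id {pg_id!r}", None)
    fixed = f"CustomFile={pg_id}, {path}"
    if problems:
        return ("fix", "; ".join(problems), fixed)
    return ("ok", "entry matches the form that worked in the thread", fixed)

def check_config(text):
    """Check every line of a config file; return results for CustomFile lines only."""
    return [r for r in map(check_custom_file, text.splitlines()) if r[0] != "skip"]

# Constructed sample input, built from the lines quoted in the thread.
SAMPLE = r"""AppLogAutoDetection=true
#CustomFile=PROCESS_GROUP-CF99C6F00629C9BB, C:\WINDOWS\System32\winevt\Logs\CxMonSvcLog.evtx
CustomFile=0x201744FC09941B85, C:\Windows\System32\winevt\Logs\Windows PowerShell.evtx
"""

if __name__ == "__main__":
    for status, message, suggestion in check_config(SAMPLE):
        print(status, "-", message, "->", suggestion)
```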
12 Jun 2020 12:47 PM
Thanks @Jacek G., it works, but can't it be added at host level?
12 Jun 2020 02:25 PM
Hey @Srinivas V.
Unfortunately no.
It is reserved only for 3 Windows Events Logs: Application, System and Security.
10 Jun 2020 12:49 PM
You can do this from the settings page. To get there, navigate to the host you intend to collect more log files off of, and once there select '...' or "edit" and select log Analytics. From there you will be able to add a log detection rule at the host level and not at the process level.
Let me know if you need a hand with this.
10 Jun 2020 02:57 PM
Hi @Chad T., I don't see a log analytics section within the host section.
10 Jun 2020 03:13 PM
Interesting. Granted, it's been a while since we've done this, but I did see where you might need to go to the Windows systems at a process level and define the location. I'm confirming this now with support:
10 Jun 2020 03:16 PM
To have it at the host level, you will need to adjust the config file and then recycle the OneAgent. Here are the steps to do so:
You can only change it in the UI at the process level.
12 Jun 2020 12:48 PM
Hi Chad, Could you please point me at the correct config item to use to display the log at host level?
12 Jun 2020 01:12 PM
For host level you will need to do the following:
1.) Navigate to the following Directory :
Windows: C:\ProgramData\dynatrace\oneagent\agent\config\
Linux: /var/lib/dynatrace/oneagent/agent/config/
2.) Edit the ruxitagentloganalytics.conf File
- If this file does not exist, copy the ruxitagentloganalytics.conf.template file and paste the copy into the directory as listed in step 1, but rename it to ruxitagentloganalytics.conf.
3.) Ensure that the following is included in the config file (if not, add AppLogAutoDetection=true):
AppLogAutoDetection: if false, logs won't be auto-detected.
AppLogAutoDetection=true
4.) Put the following in the log file (put in the path of the log file):
LogEntryPrefix
LogEntryPrefix=/var/ossec/logs/alerts/alerts.log,** Alert
5.) Save the file and recycle the OneAgent; this will then allow the OneAgent to find and capture the log file that you just defined.
12 Jun 2020 02:26 PM
Hi Chad, when I add the log path it won't allow me to add any new files at host level; it just starts monitoring all the log files it autodiscovered and says any new log will be monitored automatically.