Can CA-SystemEDGE monitor Custom Windows event logs? Event logs other than Application, System, Security, DirService (for Directory Service), DnsServer (for DNS Service)

Article ID: 35359

Products

CA Server Automation CA Virtual Assurance for IM

Issue/Introduction

Question: 

What Event Logs Can SystemEDGE monitor?

Environment:  

Any Windows

Answer: 

By default the SystemEDGE agent can ONLY monitor:

Event Log
Specifies the name of the event log. This value can be any of the following:
- Application
- System
- Security
- DirService (for Directory Service)
- DnsServer (for DNS Service)
- FileRepService (for File Replication Service)

Event Type
Specifies the type of event. Types 1 through 5 are defined by Windows as follows:
- error(1)
- warning(2)
- information(3)
- success(4)
- failure(5)

Event Source
Specifies the name of the program or module that generated the event. The agent uses regular expressions to match this field.

Event Description
Describes the event. The agent uses regular expressions to match this field.

So the agent's Event Log Monitor function CANNOT monitor anything other than these logs by default.

But SystemEDGE can run MIB extensions. The original intent of an extension is to run a command and store its result as a variable, but because it lets you run custom code it is much more powerful than simply performing an action and storing a value. See the Additional Information section below for details.

Additional Information:

The sample script below uses standard Windows (PowerShell) event log cmdlets to perform the additional event log monitoring that the agent does not provide by default.

This is a sample, so it may need modification to run or to perform different actions on a case-by-case basis. Use it cautiously and be prepared to test and modify the code before relying on it. It is written in PowerShell (the default Windows scripting language), so some PowerShell knowledge may be required.

The script below writes the selected Windows events to an output file, in this case new3.csv, but it can be modified to write any file or custom data. You can then either have the extension return a value other than 0 to be stored in the MIB extension, or create a log monitor in SystemEDGE to watch the output file.

*Note: If you create a log file monitor, you must ensure the log monitor runs at a more frequent interval than the extension so that you do not miss events, because the extension rewrites new3.csv each time it finds new events. For example, set the log monitor to run every 60 seconds and the extension to run every 120 seconds.

===================== Begin Custom Script Example =============================================

# Testing purposes: set $skip to 0 to bypass the last section, 1 for full functionality.
$skip = "1"
# Script output file; customize the log file as needed.
$OutFile = "c:\new3.csv"
# If $EndFile = 1, start at the most recent log entry; 0 starts from the beginning, BUT this is time-consuming (slow).
$EndFile = "1"
# Event ID you want to monitor for (not used in every variation below).
$EvID = "4634"
# Choose the log to monitor, e.g. Security / Application / other.
$evtLog = 'Security'

# On the first run, if the output file does not exist, export only the single newest event.
# This creates a starting point; the first run then ends with just this one event.
# NOTE: comparisons must use -eq; a "=" inside the if would assign to $EndFile and always evaluate true.
if ($EndFile -eq "1") {
    if (!(Test-Path -Path $OutFile)) {
        Get-WinEvent -MaxEvents 1 -LogName $evtLog | Export-Csv $OutFile
        $done = "1"
    }
}

# Important note on the Get-WinEvent statements:
# A Where-Object can be added to select specific event IDs as well, for example:
# Get-WinEvent -LogName $evtLog | Where-Object { $_.Id -eq $EvID -and $_.TimeCreated -gt $date } | Export-Csv $OutFile
# -MaxEvents can be removed or tuned; it prevents reading more than 100 events, which may need to be
# increased, but re-reading the entire event log is slow and time-consuming.

# Other custom Get-WinEvent statements, kept in comments for reference ($wmilog would hold the log name):
# Get-WinEvent -LogName $wmilog -Oldest | Select-Object Message
# Get-WinEvent -LogName $wmilog -Oldest | Select-Object -ExpandProperty Message
# Temporary date/time override for testing purposes:
# $date = [datetime]"11/9/2015  10:15:58 AM"

# Export the ENTIRE log if requested. WARNING: this is very slow and time-consuming! Use caution setting $EndFile to 0.
if (!(Test-Path -Path $OutFile)) {
    if ($done -ne "1") {
        if ($EndFile -eq "0") {
            Get-WinEvent -LogName $evtLog | Export-Csv $OutFile
            $done = "1"
        }
    }
}

# Read the last row of the output file to find where the previous run stopped.
if (Test-Path -Path $OutFile) {
    if ($done -ne "1") {
        # Import-Csv handles quoted fields (the event Message usually contains commas), so the
        # TimeCreated column is read by name instead of by a fixed field index. Test this after any customization.
        $lastDataRow = Import-Csv $OutFile | Select-Object -Last 1
        $datedelim = $lastDataRow.TimeCreated
        # Trim stray quote characters and parse with the current culture, which is how Export-Csv wrote the value.
        $date2 = [datetime]::Parse(($datedelim -replace '"', ""))
        # Uncomment the echo lines below to debug the date value (pre- and post-trim).
        #echo $datedelim > c:\debug.txt
        #echo $date2 >> c:\debug2.txt
        # $done = 2 signals that a valid start date was read; the new events are fetched below.
        $done = "2"
    }

    # Get new events created after the last exported row (-MaxEvents 100 limits the read; see the note above).
    if ($done -eq "2" -and $skip -ne "0") {
        $newEvents = @(Get-WinEvent -MaxEvents 100 -LogName $evtLog | Where-Object { $_.TimeCreated -gt $date2 })
        # Only rewrite the file when something new was found, so the last-run date is not lost on a quiet interval.
        if ($newEvents.Count -gt 0) {
            $newEvents | Sort-Object -Property TimeCreated | Export-Csv $OutFile
        }
    }
}
# Be nice and reset variables just in case.
$done = ""

# Echo a value of 0 to be returned/stored so this is a proper MIB extension.
echo 0

========================== End Custom Script Example ==============================================
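A variant of the approach described in this article, added here as an example and not part of the original script: it monitors a log outside the default list, bookmarks the last RecordId read in a small state file instead of re-reading the CSV, appends to the output file, and writes the number of new matching events to stdout so either option above (a stored nonzero value or a SystemEDGE log monitor) can be used. The log name, event IDs and file paths are assumptions to adapt for your environment.

```powershell
# Added example, not from the original article: monitor a log outside the SystemEDGE default
# list with a RecordId bookmark, so each run reads only events newer than the previous run.
# $LogName, $EventIds, $StateFile and $OutFile are assumed values; change them for your site.
$LogName   = 'Microsoft-Windows-PowerShell/Operational'   # any name listed by Get-WinEvent -ListLog *
$EventIds  = @(4104)                                        # IDs to keep; use @() to keep every event
$StateFile = 'C:\ProgramData\SystemEDGE\custom-evt.state'   # assumed path; stores the last RecordId read
$OutFile   = 'C:\ProgramData\SystemEDGE\custom-evt.csv'     # assumed path; file a log monitor can watch

# Resume from the bookmark. On the first run start at the newest record so history is not replayed.
if (Test-Path -Path $StateFile) {
    $lastId = [int64](Get-Content -Path $StateFile -Raw).Trim()
} else {
    $newest = Get-WinEvent -LogName $LogName -MaxEvents 1 -ErrorAction SilentlyContinue
    $lastId = if ($newest) { [int64]$newest.RecordId } else { 0 }
    Set-Content -Path $StateFile -Value $lastId
}

# Filter on EventRecordID inside the event log service instead of pulling -MaxEvents and filtering
# in PowerShell; -Oldest returns results in ascending order, so the last element is the newest.
$xpath = "*[System[EventRecordID > $lastId]]"
$new = @(Get-WinEvent -LogName $LogName -FilterXPath $xpath -Oldest -ErrorAction SilentlyContinue)

$hits = @()
if ($new.Count -gt 0) {
    # Advance the bookmark past everything read, whether or not it matched the ID filter.
    Set-Content -Path $StateFile -Value ([int64]$new[-1].RecordId)
    $hits = @(if ($EventIds.Count -gt 0) { $new | Where-Object { $EventIds -contains $_.Id } } else { $new })
}

if ($hits.Count -gt 0) {
    # Flatten the multi-line Message so each event is one CSV line for a line-oriented log monitor,
    # and append instead of overwriting so a slower monitor interval cannot miss a run's events.
    $hits | Select-Object TimeCreated, RecordId, Id, LevelDisplayName, ProviderName,
        @{ Name = 'Message'; Expression = { $_.Message -replace '\r?\n', ' ' } } |
        Export-Csv -Path $OutFile -Append -NoTypeInformation
}

# The value written to stdout is what the MIB extension stores: 0 means nothing new,
# otherwise the number of matching events found this run.
Write-Output $hits.Count
```

Because the output file is appended rather than rewritten, it needs periodic rotation, and the account running the SystemEDGE agent must have read access to the chosen log (the Security log in particular). If the log is cleared, RecordIds restart from 1; delete the state file to resynchronize the bookmark.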


Please contact CA Support with any follow-up questions or for further instructions. Be aware, however, that the script above is an example; validating, maintaining, and programming custom scripts is the responsibility of the customer.

Environment

Release: SEAUBC99000-12.7-Server Automation-Base Configuration