Event Log Management

Event Log Management ... 1
Overview ... 1
Application Event Logs ... 3
Security Event Logs ... 3
System Event Logs ... 3
Other Event Logs ... 4
Windows Update Event Logs ... 6
Syslog ... 6
Event Log Options ... 6
Filtering the Event Logs ... 7
Filter by Drop-down ... 7
Event Log Configuration ... 7
Event Blacklist ... 8
Adding an Event Log to the Blacklist ... 10
Modifying an Event Log in the Blacklist ... 10
Deleting an Event Log from the Blacklist ... 10
Viewing Event Log History ... 10
Creating Event Log Monitors ... 12
Creating a Monitor for an Event Log ... 12
Creating a Blacklisted Event Monitor ... 12
Event Log Summary Report ... 14
Troubleshooting ... 14
Event Log Monitors Failing to Alert ... 14
Event Logs Causing Agent or Computer to Crash ... 14
Overriding the Built-In Event Log Limitations ... 14
Event Log Error Codes ... 15
Document Revision History ... 15

Overview

The Logs tab is one of the many tabbed screens that make up the Computer Management screen. The Logs tab contains event log records, based on the Windows Event Viewer, for the last 24 hours. Event logs record significant events on the agent computer, such as security-related events (e.g., whether a user trying to log on to Windows was successful). The Logs tab is broken down into five sub-tabs, each giving detailed information on a specific type of event log: Application, Security, System, Other and Windows Update.

This document provides detailed information on how to access the event logs, blacklist events, and create tickets and monitors based on events. For information on the other tabbed screens of the Computer Management screen, please refer to those documents.

To access the Logs tab:

1. From the Control Center navigation tree, expand Clients > Client > Location and then double-click the agent computer.
2. Click the Logs tab.
3. Click on the appropriate tab for the event logs you want to view.

15.51.155.EventLogManagement.docx 1

NOTE: For detailed message explanations, recommended user actions, and links to additional support and resources, visit the Microsoft Events and Errors Message Center.

Figure 1: Logs - Application

NOTE: The event logs are updated by the agent's inventory schedule and Event Log Mode (inventory only uses schedule, immediately send errors, immediately send all, etc.) defined by its template. To manually update the inventory, select Begin > Commands > Inventory > Resend Events. For more information on Event Log Mode and scheduling, refer to the Agent Templates documentation.

Table 1: Log Tab Field Descriptions

Log Name: The type of event log (e.g., application, security, system, etc.) and whether it is an informational, warning, or error log.
Log Source: The source of the event. This can be the name of the program, a system component or an individual component of a large program.
Log EventID: An event number that identifies the event type. The Event ID can be used to identify what occurred in the system.
Log Time Generated: The date and time the event occurred.
Log Message: The message of the log entry. Failure events will include the full message. Warning and Error events will include the first 150 characters of the message. Info or Success Audit events will contain the first 100 characters of the message. Success events for Event IDs 4648, 4647, 4624 and 4634 will include the full message.

Additional Fields: These fields are not displayed by default. To add any of these fields, right-click on the column header and select Field Chooser > the desired field type.

Log Times Occurred: Displays the number of times this event has occurred in a row. If the event does not occur for 31 days, the count is reset to 0. This can be altered in the Event Log History field (Dashboard > Config > System > History Retention).
Event BlackListed: A 1 signifies the event has been blacklisted; a 0 signifies it has not.
Log Event type: The type of log entry: Information, Warning, or Error. The default Log Name field also provides this information in graphical format (Informational, Warning and Error icons).

TIP: Double-click on any entry in the Logs tab and a prompt will open to perform a search for the Event ID. Click Yes at the prompt to perform a search on EventID.net or No to perform a Google search of the event log message. Click Cancel to close the prompt.

Application Event Logs

The application logs contain events logged by programs, for example file errors. Events that are written to the application log are determined by the developers of the software program. To access the application logs, click on the Application tab from the Logs tab.

Security Event Logs

The security logs record events such as valid and invalid login attempts, as well as events related to resource use. To access the security logs, click on the Security tab from the Logs tab.

System Event Logs

The system logs contain events logged by Windows system components, for example a driver failing to load during startup. Windows predetermines the events that are logged by system components. To access the system event logs, click on the System tab from the Logs tab.

Other Event Logs

The Other tab is intended to include event logs that do not appear in the other tabs. For example, Vista+ and other similar OS's now use Crimson event logs, which must be added in order for them to appear on the Other tab. This allows you to subscribe to events for better management.

NOTE: There are several default crimson log channels LabTech will subscribe to automatically if detected: System, Setup, Security, Application, DFS Replication, Directory Service, DNS Server, and AppAssure. Logs with these names in the title will automatically be added to the Other tab.

To add the program event logs:

1. From the agent machine, select Start > Control Panel > Administrative Tools and double-click Event Viewer. Depending on the OS, you may have to select System and Security, then Administrative Tools.

Figure 2: Event Viewer

2. In the left pane, navigate to the folder that has the logs you want to subscribe to.
3. Select one of the logs and take note of the name (e.g., RMM System).
4. From the agent machine, click the Windows Start button, type regedit in the Search field and press [Enter].
5. Right-click on the proper registry folder:
   For a 32-bit system: HKEY_LOCAL_MACHINE\SOFTWARE\LabTech\Service\CrimsonEventChannels
   For a 64-bit system: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\LabTech\Service\CrimsonEventChannels

Figure 3: Registry Editor

6. Select New > DWORD (32-Bit) Value.
7. Enter the name of the log you obtained from the list of logs as the name of the registry value.
8. Double-click on the new value to open the Edit window.

Figure 4: Edit DWORD (32-Bit) Value

9. Ensure the Value Name field has the correct name for the log.
10. In the Value data: field, enter 1.
11. Select the Hexadecimal radio button in the Base field.
12. Click OK.
13. Restart the agent on the computer the CrimsonEventChannels key is being created for. There is a LastEventLogWatcher key that monitors the events for the Crimson Event Channels, and it only gets created after the CrimsonEventChannels key is created AND the agent is restarted.
14. Resend the events inventory (Begin > Commands > Inventory > Resend Events) or wait until the scheduled time the inventory updates.

The desired log files should now be added to the Other tab.

Windows Update Event Logs

The Windows Update logs are generated by the Windows Update agent. These logs contain information on OS patches and upgrades. To access the Windows Update logs, click on the Windows Update tab from the Logs tab.

Syslog

Syslog events can be viewed from the Network Probe tab of the probe-enabled agent. For more information, refer to the Network Probe documentation.

Event Log Options

Several options are available from the Logs tab. Refer to the following table for full details. To perform any of these functions, right-click on an event log item and select the appropriate option.

Table 2: Event Log Options

Refresh Logs: Refreshes the event logs in the list from the database, in the event new logs have been received from the agent.
Blacklist Event > Add to Blacklist: Adds an item to the event blacklist. For a list of all blacklisted events, go to the Event Blacklist tab in Dashboard > Config > Configurations. Events can also be blacklisted from this screen.
Blacklist Event > Add Blacklist Critical: Flags the event as a critical category event and adds it to the master Event Blacklist (Dashboard > Config > Configurations > Event Blacklist). Events added to the blacklist will initiate an alert when the event re-occurs, if you are using the event log internal monitors.
Blacklist Event > Add Blacklist High: Flags the event as a high category event and adds it to the master Event Blacklist (Dashboard > Config > Configurations > Event Blacklist). Events added to the blacklist will initiate an alert when the event re-occurs, if you are using the event log internal monitors.
Blacklist Event > Add Blacklist Disk: Flags the event as a disk category event and adds it to the master Event Blacklist (Dashboard > Config > Configurations > Event Blacklist). Events added to the blacklist will initiate an alert when the event re-occurs, if you are using the event log internal monitors.
Create Ticket from Event: Opens a Ticket window populated with the event log information. From this screen, you can assign a technician, set a due date, and add more descriptive information.
Create Event Monitor: Creates a system monitor for that particular event. By default, the monitor will check the system every minute. Refer to the Remote Monitors documentation for more information.
Create Event Internal Monitor: Creates an internal monitor for that particular event's Log EventID. Refer to the Internal Monitors documentation for more information on internal monitors.

NOTE: To view the event logs blacklist, select Dashboard > Config > Configurations > Event Blacklist.

Filtering the Event Logs

Filters can be used to narrow the results. Filters allow you to query the database for information without needing an in-depth knowledge of the database schema or SQL.

1. Click on the No Filter button. No Filter is the default setting. Clicking the button toggles back and forth between No Filter and Filtered. To access the filters, click on the down arrow located to the right of the text.
2. Choose the desired filter (e.g., Log Source). From the menu that displays, select the appropriate operation (Like, Not Like, <=, >=, or =).
3. Enter the criteria associated with the field (e.g., Service Control Manager).
4. Press [Esc] to close the Filter list. If the filter sub-menu is displayed, you will need to press [Esc] twice to close the Filter list.

For more information on all the available options (search, filters, options, etc.) from this screen, please refer to the Dataviews documentation.

Filter by Drop-down

Above each column of the Logs tab there is a drop-down filled with each item of that column. Select an item from the drop-down and select Search. The list will filter to results with that exact name.

NOTE: A wildcard can be used at the beginning or end of the criteria by inserting % at the beginning of your search criteria, at the end, or both.

Event Log Configuration

Event log history is stored for 31 days by default and critical event log counts are stored for 7 days by default.

NOTE: The frequency with which agents send event logs to the LabTech server is configured in the agent template. When an agent goes offline, logs created during the down time will be added to the LabTech database the next time the agent checks in.

To change the history retention for the event logs:

1. From the Control Center, select Dashboard > Config > System.

Figure 5: System Dashboard

2. In the History Retention section, enter the desired time, in days, in the appropriate fields. The Critical Event Log Counts field dictates how long information is stored in the History screen's Critical Event Counts section. The Event Log History field dictates how long event logs are stored in the Logs tab.

Event Blacklist

The event blacklist is a list of events that have been specified to be monitored by the LabTech system. This is useful when there is a specific event that indicates a potential security risk or critical system failure. To access the event blacklist, from the Control Center, select Dashboard > Config > Configurations > Event Blacklist.

Figure 6: Event Blacklist

Table 3: Event Blacklist Field Descriptions

Logname: The type of event log (e.g., application, security, system, etc.).
Source: The source of the event. This can be the name of the program, a system component or an individual component of a large program.
EventID: The event number that identifies the event type. The Event ID can be used to identify what occurred in the system.
EventType: The numerical representation of the type of event. Refer to Table 5: Event Log Comparisons for the definitions, which depend on the OS used.
Category: The category assigned to the event when it was blacklisted: High, Critical, or Disk.
Message: The full message of the log entry.

NOTE: Click Refresh List to reflect recent changes in the event blacklist.

At the top of the Event Blacklist tab there are several fields; each field corresponds to the respective field in the list. You can use these fields to add or edit information for each event log.

Adding an Event Log to the Blacklist

To add an event log to the event log blacklist:

1. Enter the Event Log's Event ID, Source, Message, Log Name, Event Type, and Category into the respective fields.
2. Click Add.

Modifying an Event Log in the Blacklist

To modify an event log in the event log blacklist:

1. Select an event log from the list of blacklisted events. The information for the event log should automatically populate in the fields at the top of the screen.
2. Make the desired changes and click Save.

Deleting an Event Log from the Blacklist

To delete an event log:

1. Right-click on the event log and select Delete. You will be prompted to confirm that you want to delete the event log.
2. Select Yes to delete the event log from the blacklist or No to close the window and cancel the operation.

Viewing Event Log History

The Event Logs History tab displays event logs older than 24 hours. The amount of history is based on the settings in the Event Log History configuration (Dashboard > Config > System). The default is 31 days.

To access the History screen:

1. From the Control Center navigation tree, expand Clients > Client > Location and then double-click the agent computer.
2. From the Computer Management screen, select Show History.

Figure 7: Computer Management Screen

3. From the History screen, select Event Logs.

Figure 8: History Screen

From the History screen, you can view the Application Log, System Log, Security Log, Other Logs, and Critical Events Counts. The Critical Events Counts section displays event logs for this computer that have been flagged as critical and the frequency with which they occur. The amount of history is based on the settings in the Critical Event Log Counts configuration (Dashboard > Config > System). The default is 7 days.

Creating Event Log Monitors

Monitors can be set up to monitor for a particular event log or to monitor blacklisted events. This can be useful because monitors can not only generate alerts, but also run scripts to correct issues, allowing you to automate solutions to common problems and create reports to optimize solutions for customers. For more information on monitors, refer to the Remote Monitors and Internal Monitors documentation.

Creating a Monitor for an Event Log

1. From the Computer Management screen's Logs tab, right-click on the event and select Create Event Monitor or Create Event Internal Monitor.
2. You will be prompted to create the event monitor. Click OK to create it or Cancel to close this window. To change the monitor from the default alert template, go to the Monitor tab of the Computer Management screen.

NOTE: The Create Event Monitor option will create a system monitor using the Default-Do Nothing alert template and will not require any further action. If you want to change the configuration, please refer to the Remote Monitors and Internal Monitors documentation.

Creating a Blacklisted Event Monitor

Internal monitors can be created to look for any event in the master Event Blacklist (Dashboard > Config > Configurations > Event Blacklist). To create a blacklisted event monitor:

1. From the Control Center, select Monitors.
2. Right-click in the monitor list and select New Monitor.

Figure 9: New Internal Monitor

3. Ensure <Start Fresh> is selected in the Available Monitors drop-down and click Next.

Figure 10: Internal Monitor

4. In the Configuration tab, enter a name for the monitor in the Monitor Name field.
5. In the Table to Check drop-down, select the eventblacklist table.
6. In the Field to Check drop-down, select the field to check:
   EventblacklistID: the number of the blacklisted event in the database.
   EventID: the event ID number of the event log.
   Source: the program or service that created the log.
   LogName: the name of the log the event log is stored in.
   EventType: the numerical value of the type of event. Refer to Table 5: Event Log Comparisons.
   Message: the message describing the event.
   Category: the category assigned to the event when it was blacklisted.

There are several commands to add an event to the event blacklist: Add to Blacklist, Add Blacklist Critical, Add Blacklist High, and Add Blacklist Disk. Each command adds an event to the event blacklist in a different category. Refer to Table 4: Blacklist Command Comparisons to see which category is flagged by which command. If you select the Add to Blacklist command, no category is associated with the event and that field is left blank.

Table 4: Blacklist Command Comparisons

Command             Event Blacklist Category
Blacklist           n/a
Blacklist Critical  Critical
Blacklist High      High
Blacklist Disk      BU

For the rest of the configuration options for an internal monitor, refer to the Internal Monitors documentation.

Event Log Summary Report

The Event Log Summary report lists the ten most common event log entries for each agent computer, as well as all error event log entries for the past 24 hours. For more information, refer to the Event Log Summary Report documentation.

Troubleshooting

Event Log Monitors Failing to Alert

Since Windows Vista, Microsoft has changed to a new system for event logs called crimson event logging.

Table 5: Event Log Comparisons

Crimson Event Logging Numerical Designation  Description
1                                            Critical or Error
2                                            Information / Security Audit Success / Security Audit Failure
3                                            Warning

This is important to note when creating event log monitors for machines with different operating systems. For example, if you create a monitor to fail with the event type Security Audit Failure, this will work for a Windows XP machine, but that same monitor on a Windows 7 machine will show Security Audit Failure as Information and will never fail. The best option, for monitors running on all systems, is to set the Event Type to Anything and use specific event ID filters.

Event Logs Causing Agent or Computer to Crash

In the agent template, the Event Log Mode can be set to immediately send errors, immediately send errors and warnings, immediately send all, etc. When these settings are configured, the agent stores the event logs in the registry based on the setting, and at each check-in all of these events are sent to the LabTech server. If the setting is set to immediately send all, then in some cases the registry will expand quickly. This could cause the check-in to crash and, in some cases, the agent and the computer.

If you are experiencing crashes, check your Event Log Mode setting in the agent template and change it to no higher than immediately send errors.

Overriding the Built-In Event Log Limitations

You can override the built-in event log limitations by creating a blank file named NOEventLimit (no file extension) in the LTSVC folder of each machine on which you want to override the limitation. This releases the truncation limit and allows the full messages to be transferred and stored. Please note that the current database structure allows up to 1000 characters, which may not be large enough to store lengthy messages. Additionally, it is important to note that the database size will increase substantially, depending on the history length, following this change.

Event Log Error Codes

The following are event log error codes for LabTech:

Table 6: Error Codes

Component  Error Code  Description
Agent      5001        Errors
Agent      5000        All Others
DB Agent   2000        All events
DB Agent   2001        Loop Reporting
DB Agent   3000        Plugin Events
DB Agent   3001        Plugin Errors
DB Agent   2001        Mobile
DB Agent   2003        Sync
DB Agent   2004        Licensing
DB Agent   2009        Ticketing
DB Agent   2012        Reports
Client     2           Login Event
Client     1           All other events
ASP        100         Normal log entry
ASP        101         Error

Document Revision History

Date        Notes
03/01/2012  New
10/27/2012  Added event log error codes; added default event log message lengths; modified Crimson Event Channels information; added additional troubleshooting information
02/05/2013  Added step to Other Event Logs section to restart agent
03/08/2013  Changed the event log comparison descriptions
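The following PowerShell function is an added example (not code from the LabTech document or product) that performs steps 3 through 13 of the Other Event Logs procedure on an agent machine: it checks that the channel name exists as Event Viewer lists it, writes the CrimsonEventChannels DWORD under the path that matches the OS bitness, and optionally restarts the agent. The agent service name 'LTService' is an assumption not stated in the document; run the function from an elevated PowerShell prompt.

```powershell
# Added example (not from the LabTech documentation): automates the
# CrimsonEventChannels registry step of the "Other Event Logs" procedure.
# Assumption: the agent Windows service is named 'LTService' (override with -AgentService).
function Add-LabTechCrimsonChannel {
    [CmdletBinding()]
    param(
        # Channel name exactly as Event Viewer lists it (step 3), e.g. 'RMM System'
        [Parameter(Mandatory)][string]$ChannelName,
        [string]$AgentService = 'LTService',   # assumption; not stated in the document
        [switch]$RestartAgent                  # step 13
    )

    # Step 3: refuse a name that does not exist on this machine, because the
    # value name must match the channel exactly or the agent will never pick it up.
    $log = Get-WinEvent -ListLog $ChannelName -ErrorAction SilentlyContinue
    if (-not $log) {
        throw "No event log channel named '$ChannelName' exists on this machine. Check the exact name in Event Viewer."
    }

    # Step 5: the agent is a 32-bit process, so on 64-bit Windows its key
    # lives under Wow6432Node.
    $keyPath = if ([Environment]::Is64BitOperatingSystem) {
        'HKLM:\SOFTWARE\Wow6432Node\LabTech\Service\CrimsonEventChannels'
    } else {
        'HKLM:\SOFTWARE\LabTech\Service\CrimsonEventChannels'
    }
    if (-not (Test-Path -Path $keyPath)) {
        # The key belongs to the agent; if it is absent the agent is probably not
        # installed or the path is wrong, so stop rather than create keys blindly.
        throw "Registry key '$keyPath' not found. Is the LabTech agent installed on this machine?"
    }

    # Steps 6-12: a DWORD (32-bit) value named after the channel with data 1
    # (hexadecimal 1 and decimal 1 are the same stored value).
    New-ItemProperty -Path $keyPath -Name $ChannelName -PropertyType DWord -Value 1 -Force | Out-Null

    # Step 13: the LastEventLogWatcher key only appears after the agent restarts.
    if ($RestartAgent) {
        Restart-Service -Name $AgentService -ErrorAction Stop
    }

    # Return what was written so the caller can confirm step 9 (correct value name).
    [pscustomobject]@{
        Channel     = $ChannelName
        RegistryKey = $keyPath
        Value       = (Get-ItemProperty -Path $keyPath -Name $ChannelName).$ChannelName
        Restarted   = [bool]$RestartAgent
    }
}

# Example usage (step 14, resending the inventory, is still done from the Control Center):
# Add-LabTechCrimsonChannel -ChannelName 'RMM System' -RestartAgent
```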
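To see why the Event Type mismatch described under Event Log Monitors Failing to Alert happens, the following PowerShell snippet (an added example, not from the LabTech document) reads recent Security events on a Vista-or-later machine and shows that a failed audit is reported with Level "Information" and carries its Audit Failure flag only in the Keywords. The mapping of the Windows Level to the Table 5 designation is my reading of that table, not documented LabTech logic, and the default Event ID 4625 (Windows logon failure) is an assumed example value.

```powershell
# Added example (not from the LabTech documentation): inspect how Vista+ (crimson)
# event logging reports audit events, to show why a monitor keyed on the
# Event Type "Security Audit Failure" never matches on such hosts.

# Maps the Windows Level of an event record to the numerical designation in
# Table 5. This mapping is my reading of that table, not documented LabTech logic.
function Get-CrimsonEventDesignation {
    param([Parameter(Mandatory)]$Event)   # a record returned by Get-WinEvent
    switch ($Event.Level) {
        1       { return 1 }   # Critical
        2       { return 1 }   # Error
        3       { return 3 }   # Warning
        default { return 2 }   # 0 (LogAlways, used by audit events) and 4 (Information)
    }
}

# Summarises recent events of one ID from the Security log. Security audit
# records on Vista+ carry Level 0, which displays as "Information"; the
# success/failure outcome is a keyword, not a level.
function Test-AuditEventTypeVisibility {
    param(
        [int]$Id = 4625,      # Windows logon failure; assumed default, not from the document
        [int]$MaxEvents = 10
    )
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = $Id } -MaxEvents $MaxEvents -ErrorAction SilentlyContinue
    if (-not $events) {
        Write-Warning "No Security events with ID $Id found (or insufficient rights to read the Security log)."
        return
    }
    foreach ($e in $events) {
        $keywords = @($e.KeywordsDisplayNames)
        [pscustomobject]@{
            TimeCreated        = $e.TimeCreated
            Id                 = $e.Id
            Level              = $e.Level                     # 0 for audit events
            LevelDisplayName   = $e.LevelDisplayName          # "Information", even for a failure
            Keywords           = ($keywords -join ', ')       # "Audit Failure" lives here
            CrimsonDesignation = Get-CrimsonEventDesignation -Event $e
            # A monitor filtering on Event Type = Security Audit Failure is looking for the
            # XP-era type; on this host the record is typed Information (designation 2), so
            # only an Event Type of Anything plus an Event ID filter matches it reliably.
            IsAuditFailure     = ($keywords -contains 'Audit Failure')
        }
    }
}

# Example usage:
# Test-AuditEventTypeVisibility -Id 4625 -MaxEvents 5 | Format-Table -AutoSize
```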