Event File Collector
Previous
Next
Event File Collector |
Previous
Next
|
|
Event File Collector Monitor Items collect Event Log Files (.EVT and .EVTX) from the Agents being monitored. The Event File Collector operates at a scheduled interval (the default is every 24 hours). At each interval, the Event File Collector will attempt to talk with the Log service, select the appropriate log files and then copy the specified Event Log Files from the assigned Agents to a defined storage location. The files will be stored by default under the ELM Enterprise Manager installation folder in a sub-directory named EVT Files. This location can be modified on the Behavior tab of the Event File Collector properties. Log SelectionDisplays the Available Logs and Selected Logs the Collector is configured to copy and store. By default, the list of Selected Logs contains an asterisk, so the Monitor will collect all log files possible. Specific logs can replace the asterisk to collect a subset of log files. Use the Add and Remove buttons to move selected logs between the Available Logs and Selected Logs lists. To list logs from another system, click the Choose log source button and enter or select a computer name. If you know the name of a log, you can enter it in the Enter a log name field, and click the Add button. All events may be cleared from the selected logs after collection by checking the box labeled Clear Logs after collection. Note BehaviorThis tab configures where an how to store collected log files. •The Destination Folder controls where to save collected Log files. This can be any existing folder local to the ELM Server. •The setting Minimum Free Space Allowed For Evt File Storage protects free space on the drive hosting the Destination Folder. If the free space on the drive drops below this value, then the ELM Server will stop saving .evt files it receives from an Agent. When this happens, ELM will generate the error event 5595, with a message indicating it's unable to store the event file. •Log Files may be compressed for storage by checking the Compress Evt Files checkbox. A cryptographic hash may be created for collected log files to help verify the log file remains unchanged. Note that both the collected log file and the hash file should be secured from tampering. •Check the box labeled Create MD5 Hash File. ELM includes a tool to help verify hashed files. Right-click on the ELM Server and select Tools | Verify Evt Files to launch the tool. •Enter a file name in the Evt or Gz File field to select a collected event log. You can also click the ellipsis button to browse to a file. •Enter an md5 file name in the .Md5 File field to select a companion hash file. You can also click the ellipsis button to browse to the file. Click the Verify button to test the file. The hash value for a collected file can also be calculated with the Microsoft File Checksum Integrity Verifier tool. Please see Microsoft Knowledge Base article 841290 for more details. Actions •Copy File Success (Informational) 5575 - The selected Event Log file has been successfully copied. •Copy File Error (Error) 5576 - The selected Event Log file has NOT been successfully copied. •Store File Success (Informational) 5577 - The selected Event Log file has been successfully stored. •Store File Error (Error) 5578 - The selected Event Log file has NOT been successfully stored. Additionally, the Event File Collector may create one or more of the following events: •Agent Save File Error (Error) 5316 - The ELM Agent's install directory does not have enough free space. No event log files will be collected until this much space is available. •Store File Warning (Warning) 5594 - A cryptographic hash of the selected Event Log file has NOT been successfully created. •Store File Error (Error) 5595 - The selected Event Log file has NOT been successfully stored because of low disk space. CategoriesDisplays the Monitoring Categories to which the Monitor is assigned. Click to select or deselect Monitoring Categories. Right click to create or edit Monitoring Categories. Test MonitorTest any Monitor Item against any Agent capable of running the Item using the drop-down and Test button on this dialog box. Testing a Monitor Item prior to putting it into production validates that the monitor item is configured properly. To test a monitor item: 1.Select the Agent you wish to test against from the drop-down list. 2.Click the Start Test button. If the test was successful, you will receive a pop-up indicating this and the option to see detailed results of the test. If the test failed, detailed results of the test will automatically open in Notepad. ScheduleDisplays the Scheduled Interval and Scheduled Hours settings which control the frequency for the Monitor Item. Scheduled Interval tabSpecify the interval at which the monitoring, polling or action is to occur. Depending on the Monitor Item type, Items can be scheduled in interval increments of Seconds, Minutes, Hours and Days. The Scheduled Interval is relative to the top of the hour or top of the minute. For example, if a Scheduled Interval is configured for 10 minutes, the Monitor Item will execute at hh:10:00, hh:20:00, hh:30:00, hh:40:00, hh:50:00, h1:00:00, etc. If a Scheduled Interval is configured for 15 seconds, the Monitor Item will execute at hh:00:15, hh:00:30, hh:00:45, hh:01:00, hh:01:15, etc. Scheduled Hours tabSelect the days and/or hours this item is active. By default, the schedule is set to ON for all hours and all days. Mouse clicks toggle squares between ON and OFF. Clicking on an individual square will toggle the active schedule for that hour. Clicking on an hour at the top of the grid, or on a day of the week at the left of the grid will toggle the corresponding column or row. Keyboard equivalents are the arrow keys and the space bar. Properties TabThis read-only tab displays the properties of the selected object and the values for those properties.
|