Event Collector


Event Collector Monitor Items collect some or all events from the Agent(s) being monitored. Events are selected by a combination of Include and Exclude Filters. Each Filter has criteria for the following event fields:

Computer Name

Event Log

Username

Event Source

Event ID

Event Category

Event Message

When a new event occurs, it is checked against the Filters assigned to the Event Collector Monitor Item. If it matches at least one Include Filter and no Exclude Filters, it is sent to the ELM Server. If the event matches no Include Filter, or matches any Exclude Filter, it is skipped. An Exclude Filter therefore always wins over an Include Filter. This is true for both Service Agents and Virtual Agents.
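The include/exclude decision described above, as an added worked example (this is not ELM's own code, and the function names, the sample records and the filter definitions are assumptions constructed for illustration; the field names are the filter criteria listed on this page, and string criteria use PowerShell wildcard matching):

```powershell
# Added example (not ELM code): a model of the Event Collector
# include/exclude decision run over constructed sample records.
# Test-FilterMatch, Select-CollectedEvent, the records and the filters
# are assumptions for illustration only.

function Test-FilterMatch {
    param(
        [Parameter(Mandatory)] [hashtable] $Filter,
        [Parameter(Mandatory)] [pscustomobject] $Record
    )
    # Every criterion present in the filter must match; a field that is
    # absent from the filter means "any value".
    foreach ($field in $Filter.Keys) {
        $want = $Filter[$field]
        $have = $Record.$field
        if ($field -eq 'EventId') {
            # Event IDs are compared numerically against one ID or a list of IDs
            if (-not (@($want) -contains [int]$have)) { return $false }
        }
        elseif (-not ([string]$have -like [string]$want)) {
            return $false
        }
    }
    return $true
}

function Select-CollectedEvent {
    param(
        [hashtable[]] $Include = @(),
        [hashtable[]] $Exclude = @(),
        [pscustomobject[]] $Records
    )
    foreach ($rec in $Records) {
        $included = @($Include | Where-Object { Test-FilterMatch -Filter $_ -Record $rec }).Count -gt 0
        $excluded = @($Exclude | Where-Object { Test-FilterMatch -Filter $_ -Record $rec }).Count -gt 0
        # Forwarded only if at least one Include matches and no Exclude matches
        if ($included -and -not $excluded) { $rec }
    }
}

# Constructed sample records (not real log data)
$records = @(
    [pscustomobject]@{ ComputerName='DC01'; EventLog='Security'; Username='CORP\alice'; EventSource='Microsoft-Windows-Security-Auditing'; EventId=4624; EventCategory='Logon';         EventMessage='An account was successfully logged on.' }
    [pscustomobject]@{ ComputerName='DC01'; EventLog='Security'; Username='CORP\WS42$'; EventSource='Microsoft-Windows-Security-Auditing'; EventId=4624; EventCategory='Logon';         EventMessage='An account was successfully logged on.' }
    [pscustomobject]@{ ComputerName='DC01'; EventLog='Security'; Username='CORP\bob';   EventSource='Microsoft-Windows-Security-Auditing'; EventId=4625; EventCategory='Logon';         EventMessage='An account failed to log on.' }
    [pscustomobject]@{ ComputerName='DC01'; EventLog='Security'; Username='CORP\alice'; EventSource='Microsoft-Windows-Security-Auditing'; EventId=4672; EventCategory='Special Logon'; EventMessage='Special privileges assigned to new logon.' }
    [pscustomobject]@{ ComputerName='FS01'; EventLog='System';   Username='SYSTEM';     EventSource='Service Control Manager';              EventId=7036; EventCategory='None';          EventMessage='The Print Spooler service entered the running state.' }
)

# Include: logon activity from any domain controller.
# Exclude: successful logons by machine accounts (names ending in $), which are noise here.
$include = @(
    @{ ComputerName = 'DC*'; EventLog = 'Security'; EventId = 4624, 4625, 4672 }
)
$exclude = @(
    @{ EventLog = 'Security'; EventId = 4624; Username = '*$' }
)

Select-CollectedEvent -Include $include -Exclude $exclude -Records $records |
    Format-Table ComputerName, Username, EventId, EventCategory -AutoSize
```

Running it forwards the three interactive records from DC01: the WS42$ logon is dropped because the Exclude Filter matches even though an Include Filter also does, and the FS01 service event is dropped because no Include Filter matches it. Keep Exclude Filters as narrow as the one here; a broad Exclude silently removes events from the audit trail the ELM Server sees.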

[Screenshot: Event Collector Properties dialog]

When using Event Collectors, keep the following points in mind:

1. On very busy systems that generate many event log records, the Event Monitor may not be able to keep up in real time. There is a finite amount of data that can be collected and stored in a single Monitor Item interval, so there can be some lag between when an event is written to the event log and when it is received by the ELM Server. When collecting events, the Event Monitor bookmarks the last record read so that it knows where to start reading at its next Scheduled Interval.

On very busy systems, especially domain controllers with high levels of auditing enabled, it is possible for the Event Monitor bookmark to roll off the event log before the records can be collected. If this happens, the bookmark is automatically reset to the most recent event and Error 5566 is raised. Any events that occurred between the old bookmark that rolled off the log and the new bookmark are not collected. From a security monitoring standpoint this is a silent gap in the audit trail the ELM Server holds, so Error 5566 should be treated as an alert condition rather than informational noise.

To prevent this from happening, we recommend setting the size of your event logs to a value large enough that they hold at least 24 hours of event data. A sufficiently large event log should prevent the loss of a bookmark and allow the Event Monitor to collect all events.

2. When using multiple Event Monitors or Event Collectors on the same Agent, any one of these Monitor Items can request that the event logs be read. The request is initiated only when that Monitor Item's Scheduled Hours are "on" and its Scheduled Interval has elapsed. Any request causes the event logs to be read starting from the saved bookmarks, passes the new events to all Event Monitors and Event Collectors for that Agent, and then updates the bookmarks. Event Collectors check only their Event Criteria before deciding whether to process a new event; they do not check their Scheduled Hours. Event Monitors check both their Event Criteria and their Scheduled Hours before deciding whether to process a new event. In practice this means an Event Collector whose Scheduled Hours are "off" still forwards matching events whenever another Monitor Item on the same Agent triggers a read.

Note: If ELM is running on Windows Server 2003 or Windows XP and has deployed a Virtual Agent to Windows Vista or a later version of Windows, an Event Collector cannot be assigned to that Agent. The ELM Console disallows the assignment because Windows Server 2003 and Windows XP lack support for the Vista and newer event log format.
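Checking whether a log actually holds the 24 hours of data that point 1 above recommends, as an added example (this is not ELM's own code; Get-LogRetention, the 24-hour target and the 25% headroom factor are assumptions for illustration, and the estimate of bytes per record is a rough figure derived from the current log file):

```powershell
# Added example (not ELM code): reports how many hours a log currently
# covers, estimates the size needed to retain 24 hours at the last hour's
# event rate, and raises the maximum size if it falls short.
# Get-LogRetention, the 24 h target and the 1.25 headroom are assumptions.
# Reading the Security log and changing its size require an elevated session.

function Get-LogRetention {
    param(
        [string] $LogName = 'Security',
        [int]    $HoursToRetain = 24,
        [double] $Headroom = 1.25
    )
    $cfg = Get-WinEvent -ListLog $LogName
    if ($cfg.RecordCount -eq 0) { throw "$LogName is empty; nothing to measure." }

    # Span the log currently covers: oldest record versus newest record
    $oldest = (Get-WinEvent -LogName $LogName -Oldest -MaxEvents 1).TimeCreated
    $newest = (Get-WinEvent -LogName $LogName -MaxEvents 1).TimeCreated
    $coveredHours = ($newest - $oldest).TotalHours

    # Events written in the last hour, streamed through Measure-Object so a
    # large log is not buffered in memory
    $since = (Get-Date).AddHours(-1)
    $lastHour = (Get-WinEvent -FilterHashtable @{ LogName = $LogName; StartTime = $since } -ErrorAction SilentlyContinue | Measure-Object).Count

    # Rough bytes per record from the current file; adequate for sizing
    $bytesPerRecord = $cfg.FileSize / $cfg.RecordCount
    $needed = [int64][math]::Ceiling($lastHour * $HoursToRetain * $bytesPerRecord * $Headroom)

    [pscustomobject]@{
        LogName          = $LogName
        CoveredHours     = [math]::Round($coveredHours, 1)
        EventsLastHour   = $lastHour
        MaximumSizeBytes = $cfg.MaximumSizeInBytes
        RecommendedBytes = $needed
        # Either the log already spans the target window, or its limit is large enough to
        MeetsTarget      = ($coveredHours -ge $HoursToRetain) -or ($cfg.MaximumSizeInBytes -ge $needed)
    }
}

$r = Get-LogRetention -LogName 'Security'
$r | Format-List

if (-not $r.MeetsTarget) {
    # Round up to a 64 KB multiple, the granularity the event log service uses
    $bytes = [int64]([math]::Ceiling($r.RecommendedBytes / 65536) * 65536)
    $name  = $r.LogName
    wevtutil set-log $name "/maxsize:$bytes"
}
```

Measure during a busy period, not overnight: the last-hour rate is the input to the size estimate, and a domain controller's logon volume at 09:00 can be many times its volume at 03:00. CoveredHours is the direct check; if it is already above 24 on a full log, the size is adequate regardless of the estimate.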

Reference Information

Event Collectors do not trigger Actions like the other Monitor Items. For example, Ping Monitor results indicate whether an ICMP echo request succeeded, Service Monitor results indicate whether a Windows service is started, and so on. An Event Collector's job is to read events, expand the message text, and deliver the record to the ELM Server. If it has trouble performing this task, it or the ELM Server can create one or more of the following events:

Error 5566 - The bookmarked event record is no longer in the log, events are being skipped, and the bookmark has been reset to the most recent event in the log.

Error 5700 - The ELM Server had trouble receiving the event.

Error 5701 - The Event Collector had trouble creating or expanding the event into a record that could be delivered to the ELM Server.

Error 5702 - A Service Agent had trouble sending an event to the ELM Server.

Error 5703 - The ELM Server had trouble receiving an event from a Service Agent.

See Also

Event Filter Criteria

Monitoring Category

Displays the Monitoring Categories to which the Monitor item is assigned. Click to select or deselect Monitoring Categories. Click New to create or Properties to Edit Monitoring Categories.

Agents

Displays the Agents to which the Monitor item is assigned. Click to select or deselect individual agents. Click New to deploy an agent or Properties to View/Edit an existing agent.

Schedule

Displays the Scheduled Interval and Scheduled Hours settings which control the frequency for the Monitor Item.

Scheduled Interval tab

Specify the interval at which the monitoring, polling or action is to occur. Depending on the Monitor Item type, Items can be scheduled in interval increments of Seconds, Minutes, Hours and Days. The Scheduled Interval is aligned to the top of the hour or the top of the minute rather than to the time the Item was created. For example, if a Scheduled Interval is configured for 10 minutes, the Monitor Item will execute at hh:10:00, hh:20:00, hh:30:00, hh:40:00, hh:50:00, then at the top of the next hour, and so on. If a Scheduled Interval is configured for 15 seconds, the Monitor Item will execute at hh:00:15, hh:00:30, hh:00:45, hh:01:00, hh:01:15, etc.

Scheduled Hours tab

Select the days and/or hours this item is active. By default, the schedule is set to ON for all hours and all days. Mouse clicks toggle squares between ON and OFF. Clicking on an individual square will toggle the active schedule for that hour. Clicking on an hour at the top of the grid, or on a day of the week at the left of the grid will toggle the corresponding column or row. Keyboard equivalents are the arrow keys and the space bar.