Event Monitor
Event Monitor looks at the event logs for a specified event, or lack of that event, within a given time period in order to trigger one or more actions.
Actions
Events not found (Warning) 5307 - An event matching the Event Filter Criteria was not found within the Scheduled time period.
Events found (Informational) 5306 - An event matching the Event Filter Criteria was found within the Scheduled time period.
Monitor Assignments
Assign any Include or Exclude filters to the monitor item, along with any monitoring categories you would like it listed under.
When a new event occurs, it is checked against the Filters assigned to the Event Monitor. If it matches at least one Include Filter and no Exclude Filters, the configured Action is triggered. If the event does not match an Include Filter, or matches an Exclude Filter, the event is skipped. This is true for both Service Agents and Virtual Agents. Exclude Filters are evaluated first; events that pass them are then checked against the Include Filters.
Scheduling
Specify the interval at which the monitoring, polling or action is to occur. Depending on the Monitor Item type, Items can be scheduled in interval increments of Seconds, Minutes, Hours and Days. The Scheduled Interval is relative to the top of the hour or top of the minute. For example, if a Scheduled Interval is configured for 10 minutes, the Monitor Item will execute at hh:10:00, hh:20:00, hh:30:00, hh:40:00, hh:50:00, h1:00:00, etc. If a Scheduled Interval is configured for 15 seconds, the Monitor Item will execute at hh:00:15, hh:00:30, hh:00:45, hh:01:00, hh:01:15, etc.
Exclusion Configuration
Specify the day(s) of the week when you do not want the scheduled item to run.
Naming
Enter the name of the item and give it a description.
Event Category
This allows you to assign a custom category for the Action event. This custom category may then be used in filtering and notifying later.
Enabled
Use this check box to enable/disable a monitor item.
When using Event Monitors, there are two important issues:
1. On very busy systems that generate many event log records, the Event Monitor may not be able to keep up in real-time. There is a finite amount of data that can be collected and stored in a single monitor item interval. This means that there can be some lag time between when an event is logged to the event log and when it is received by the ELM Server. When collecting events, the Event Monitor bookmarks the last record read so that it knows where to start reading at its next Scheduled Interval.
On very busy systems, especially domain controllers with high levels of auditing enabled, it is possible for the Event Monitor bookmark to roll off the event log before the records can be collected. If this happens, the bookmark is automatically reset at the most recent event. Any events that occurred between the old bookmark that rolled off the log and the new bookmark will not be collected.
To prevent this from happening, we recommend setting the size of your event logs to a large enough value so that they hold at least 24 hours of event data. A large event log size should prevent the loss of a bookmark and allow the Event Monitor to monitor all events.
2. When using multiple Event Monitors or Event Collectors on the same Agent, any one of these Monitor Items can request that event logs be read. The request is initiated only if Scheduled Hours are "on" and a Scheduled Interval has passed for the individual Monitor Item. Any request will cause the event logs to be read starting from the saved bookmarks, passing new events to all Event Monitors and Event Collectors for the Agent, and then updating the bookmarks. Event Collectors check only their Event Criteria before deciding to process a new event; they do not check their Scheduled Hours. Event Monitors check both their Event Criteria and their Scheduled Hours before deciding to process a new event.
Note: If ELM is running on Windows Server 2003 or Windows XP and has deployed a Virtual Agent to Windows Vista or a later version of Windows, the Event Collector cannot be assigned to that agent. The ELM Console disallows the assignment because Windows Server 2003 and Windows XP do not support the Event Logs of Vista and newer versions.
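The bookmark roll-off described in issue 1 above can be modeled to see how log size turns lost events into collection lag. This is an added example, not ELM code: the sequential record IDs, the per-interval read limit `max_read`, the roll-off test, and the `BURST` workload are all assumptions constructed for illustration.

```python
from dataclasses import dataclass

@dataclass
class Poll:
    collected: int  # records delivered during this interval
    lost: int       # records skipped because the bookmark rolled off
    backlog: int    # unread records still in the log (collection lag)

def simulate(log_capacity, arrivals, max_read):
    """Model a circular event log read by a bookmarking monitor.

    Assumptions of this model (not ELM internals): record IDs are
    sequential, the log keeps the newest `log_capacity` records, and each
    interval at most `max_read` records are read after the bookmark.
    """
    newest = 0    # ID of the most recent record written
    bookmark = 0  # ID of the last record read
    polls = []
    for arrived in arrivals:
        newest += arrived
        oldest = max(1, newest - log_capacity + 1)  # oldest surviving record
        if bookmark + 1 < oldest:
            # First unread record was overwritten: reset the bookmark to the
            # most recent event; everything in between is never collected.
            collected, lost = 0, newest - bookmark
            bookmark = newest
        else:
            collected, lost = min(max_read, newest - bookmark), 0
            bookmark += collected
        polls.append(Poll(collected, lost, newest - bookmark))
    return polls

def summarize(polls):
    """Total collected, total lost, and final backlog for a run."""
    return (sum(p.collected for p in polls),
            sum(p.lost for p in polls),
            polls[-1].backlog)

# Constructed workload: quiet intervals with one audit burst in the middle.
BURST = [100, 100, 2500, 100, 100]

if __name__ == "__main__":
    for capacity in (1000, 4000):
        print(capacity, summarize(simulate(capacity, BURST, max_read=500)))
```

With the 1000-record log the burst overwrites unread records and the whole burst is skipped; with the 4000-record log nothing is lost and the monitor simply runs behind until it drains the backlog.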