How can I monitor Windows Event Viewer?

You can use the FKM plug-in to monitor the Windows Event Viewer for keywords.

Here is a sample XML for your reference:

<sampler name="FKM event log">

<plugin>

<fkm>

<files>

<file>

<source>

<ntEventLog>Security</ntEventLog>

</source>

<tables>

<table>

<severity>fail</severity>

<keyTable>

<data>

<keys>

<key>

<setKey>

<match>

<searchString>

<data>An account was logged off</data>

</searchString>

</match>

</setKey>

</key>

<key>

<setKey>

<match>

<searchString>

<data>An account was successfully logged on</data>

</searchString>

</match>

</setKey>

</key>

</keys>

</data>

</keyTable>

</table>

</tables>

</file>

</files>

</fkm>

</plugin>

</sampler>

If you are using Gateway 2, and your NetProbe version is GA2011.2.1-111122, GA2011.2.2-111122 or later, it has the capability to monitor other fields in the Windows Event Viewer (namely: Source, EventID, Level, User, OpCode, Category and Computer fields).

The NetProbe should publish the XML schema back to the gateway.

You should see an option under the FKM plugin Advanced tab. You need to enable the setting called "Extended NT event log output" at the sampler (screen capture attached).

After that, the FKM plugin will display the additional fields as part of the message with a colon (:), and you can use this as the match key (e.g. EventID:4648).

*The ntEventLogname can be customized, and not only limited to those 3 choices from the drop down box.

Articles in this section

How can I monitor Windows Event Viewer?

Comments

Articles in this section

Related articles