The Event Log check is a must-have Remote Management Monitoring & Asset Management check for Windows. It gives insight into what happened on a Windows system, when it happened, and how.
This article applies to all Remote Management Monitoring & Asset Management customers.
What is Event Viewer and how do I work with it?
To learn more about this topic, please refer to the articles on Digital Citizen and How-To Geek:
How do Event Log checks work?
The Remote Management Monitoring & Asset Management Service uses the Windows API to read the Event Viewer logs. Once every minute it compares the new log entries against the Event Log check criteria defined in the Remote Management Monitoring & Asset Management policy.
When an event that matches a check is found in the Event Viewer logs, the service reports it to the TeamViewer (Classic) Management Console and sends an e-mail notification.
How to set up Event Log checks
To set up an Event Log check, we add the check to the Remote Management Monitoring & Asset Management policy.
💡Hint: You can add multiple Event Log checks in one policy
We can now configure the event(s) we want to monitor.
Name: Select a descriptive name for this check.
Event Log to Query: Here we need to select the Windows Event Viewer folder to monitor.
Event ID(s): Here we add the specific Event ID(s) to monitor; separate multiple Event IDs with a comma (",").
Event Source: Here we paste the exact name of the Event Source that generates the events.
The name must match, character for character, the value Event Viewer shows under Event Details -> System -> Provider -> EventSourceName (or the Provider Name attribute, when no EventSourceName is listed).
📌Note: The check works without an event source, but we recommend specifying it whenever it is known. Event IDs are only unique within a source, so the same ID written by different sources would otherwise all trigger the check; naming the source ensures the notification fires for the intended event and filters out noise from other sources.
💡Hint: If in doubt about which Event Type to choose, choose Select All so the check matches on Event ID and Source alone; after a few alerts have been triggered, we can narrow the types down further.
Notification: Add the notification e-mail address(es). The address must belong to a user in the TeamViewer Company profile or be a contact in the user's account. This is a deliberate security restriction, so that alert details cannot be sent to arbitrary external addresses.
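Before saving the check it is worth running the same query locally: it confirms that the Event Source name is spelled exactly as Windows registers it, and it shows how many events the check would match in the once-a-minute window described above (or in a longer window, to estimate alert volume). The PowerShell script below is an added example written for this article; it is not part of the TeamViewer product or agent. The log name, Event IDs, source and levels in it are hypothetical placeholders to be replaced with the values of your own check.

```powershell
# Added example, not TeamViewer code. Reproduces an Event Log check locally:
# query one log for the chosen Event IDs / Source / Levels over a time window,
# so the exact provider name and the expected alert volume can be verified
# before the check goes into a policy.
# All parameter defaults are hypothetical; replace them with your own values.
param(
    [string]$LogName = 'System',                    # "Event Log to Query"
    [int[]]$EventId  = @(7031, 7034),               # "Event ID(s)" (comma separated in the console)
    [string]$Source  = 'Service Control Manager',   # "Event Source"; '' matches any source
    [int[]]$Level    = @(1, 2, 3),                  # Event Type: 1=Critical 2=Error 3=Warning 4=Information
    [int]$Minutes    = 1                            # 1 = the agent's polling window; use 1440 for a day
)

# 1. Confirm the source name exists exactly as typed. A typo here is the most
#    common reason a check never fires, because the comparison is exact.
if ($Source) {
    $provider = Get-WinEvent -ListProvider $Source -ErrorAction SilentlyContinue
    if (-not $provider) {
        Write-Warning "No event provider named '$Source' is registered on this host."
        Write-Host "Providers writing to '$LogName' whose name contains '$Source':"
        (Get-WinEvent -ListLog $LogName).ProviderNames |
            Where-Object { $_ -like "*$Source*" } |
            ForEach-Object { "  $_" }
        return
    }
}

# 2. Build the same filter the check evaluates: log, IDs, levels, time window,
#    plus the source if one was given. Event IDs are only unique per provider,
#    so omitting ProviderName lets any source with these IDs match.
$filter = @{
    LogName   = $LogName
    Id        = $EventId
    Level     = $Level
    StartTime = (Get-Date).AddMinutes(-$Minutes)
}
if ($Source) { $filter['ProviderName'] = $Source }

$hits = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)
Write-Host ("{0} event(s) in the last {1} minute(s) would trigger this check." -f $hits.Count, $Minutes)

# 3. Show each match with both names the article refers to: the provider Name
#    attribute and, for classic event sources, the EventSourceName attribute
#    from the event XML (System -> Provider -> EventSourceName).
$hits |
    Select-Object TimeCreated, Id, LevelDisplayName, ProviderName,
        @{ n = 'EventSourceName'; e = { ([xml]$_.ToXml()).Event.System.Provider.EventSourceName } },
        @{ n = 'Message';         e = { ($_.Message -split "`n")[0] } } |
    Format-Table -AutoSize -Wrap
```

Run it with `-Minutes 1440` and an empty `-Source ''` to see how noisy the check would be without a source filter; if the EventSourceName column is blank for a match, the provider is manifest based and the Provider Name value is the one to paste into the check.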
Now we can save the policy and, from the Manage Endpoints dialog, apply it to the computers.
📌Note: To apply the policy to a group of computers, add it in the group properties (hover over the group -> click the pen -> select Edit) and then set all systems in the Manage Endpoints dialog to "Inherit from group".
Once the policy is saved and applied to the computer(s) or group(s), it is pushed to the monitored endpoints within a few seconds and the service starts monitoring the Windows event logs.
If an alert is triggered, it is displayed in the Alert list on the Monitoring page and an e-mail notification with detailed information about the event is sent.