This article applies to all ITbrain Monitoring & Asset Management customers.

General

The Event Log check is a must-have ITbrain Monitoring & Asset Management check for Windows. It gives us insight into what happened in Windows, when it happened and how.

What is Event Viewer and How to work with it?

To learn more about this topic, please refer to the articles on Digital Citizen and How-to Geek:

How do Event Log checks work?

The ITbrain Monitoring & Asset Management Service uses the Windows API to monitor the Event Viewer logs. Once every minute, the service compares the Event Viewer logs with the Event Log check requirements defined in the ITbrain Monitoring & Asset Management policy.

When an event that matches a check is found in the Event Viewer logs, the ITbrain Monitoring & Asset Management Service reports it to the TeamViewer Management Console and sends an e-mail notification.

How to set Event Log checks?

To set up an Event Log check, we need to add the check to the ITbrain Monitoring & Asset Management policy.


Hint: You can add multiple Event Log checks in one policy.

We are ready to configure the event(s) we want to monitor.

Name: Select a descriptive name for this check.

Event Log to Query: Here we need to select the Windows Event Viewer folder to monitor.

  • Application
  • Security
  • System

Event ID(s): Here we add the specific Event ID to monitor; multiple Event IDs are separated by a comma (",").

Event Source: Here we paste the exact name of the Event Source that generates the events.

We need to make sure the name is identical to the one listed in Event Viewer under Event Details -> System -> Provider -> EventSourceName.

Note: The check works without an event source, but we recommend specifying the source if it is known. That way a notification is sent only when the desired event is generated by the expected source, and unrelated notifications from other sources are filtered out.

Event Type: Here we choose the level of the event we want to be notified about when it is raised in Event Viewer.

Event Type and Description:

Error: An event that indicates a significant problem such as loss of data or loss of functionality. For example, if a service fails to load during startup, an Error event is logged.

Warning: An event that is not necessarily significant, but may indicate a possible future problem. For example, when disk space is low, a Warning event is logged. If an application can recover from an event without loss of functionality or data, it can generally classify the event as a Warning event.

Information: An event that describes the successful operation of an application, driver, or service. For example, when a network driver loads successfully, it may be appropriate to log an Information event. Note that it is generally inappropriate for a desktop application to log an event each time it starts.

Success Audit: An event that records an audited security access attempt that is successful. For example, a user's successful attempt to log on to the system is logged as a Success Audit event.

Failure Audit: An event that records an audited security access attempt that fails. For example, if a user tries to access a network drive and fails, the attempt is logged as a Failure Audit event.

Hint: If in doubt about which Event Type to choose, we can choose Select All so the system reports based on Event ID and Source only. After a few triggered alerts we can narrow the selection down further.
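As an added example (not part of this article and not ITbrain's own code), the following Python script models the matching rules described in "How do Event Log checks work?" and in the check fields above: the log to query, the comma-separated Event IDs, the optional Event Source and the Event Type, including the Select All behaviour from the hint. The record layout, the mapping of Windows Level and Keywords values to the five Event Types, the sample events and the check names are assumptions made for the illustration; the real ITbrain agent implementation is not reproduced here.

```python
"""Constructed model of the Event Log check matching rules described above.

Assumptions (not from the article): an event record is a dict mirroring the
System section of an Event Viewer record (Channel, Provider, EventID, Level,
Keywords); the Level/Keywords to Event Type mapping is the standard Windows
one. The real ITbrain agent internals are not reproduced.
"""
from dataclasses import dataclass

# Standard Windows event levels (System -> Level in Event Viewer details).
LEVEL_NAMES = {1: "Critical", 2: "Error", 3: "Warning", 4: "Information"}

# Standard audit keyword bits carried by Security log records.
AUDIT_SUCCESS_BIT = 0x0020000000000000
AUDIT_FAILURE_BIT = 0x0010000000000000


def event_type(record: dict) -> str:
    """Map a record to one of the Event Types offered in the policy dialogue."""
    keywords = record.get("Keywords", 0)
    if keywords & AUDIT_SUCCESS_BIT:
        return "Success Audit"
    if keywords & AUDIT_FAILURE_BIT:
        return "Failure Audit"
    return LEVEL_NAMES.get(record.get("Level"), "Unknown")


@dataclass
class EventLogCheck:
    """One Event Log check as it is filled in on the policy form."""
    name: str
    log: str                  # Event Log to Query: Application, Security or System
    event_ids: str            # Event ID(s): comma-separated, exactly as typed
    event_source: str = ""    # Event Source: empty means "any source"
    event_types: frozenset = frozenset()  # Event Type: empty means "Select All"

    def parse_ids(self) -> set:
        """'7034, 7031' -> {7034, 7031}; blanks around commas are tolerated."""
        return {int(p) for p in self.event_ids.split(",") if p.strip()}

    def matches(self, record: dict) -> bool:
        if record["Channel"] != self.log:
            return False
        if record["EventID"] not in self.parse_ids():
            return False
        # An empty source matches every provider, which is why the note above
        # recommends filling it in: it keeps unrelated sources out of the alerts.
        if self.event_source and record["Provider"] != self.event_source:
            return False
        if self.event_types and event_type(record) not in self.event_types:
            return False
        return True


def evaluate_policy(checks, records):
    """One polling pass: return (check name, EventID) for every record that
    satisfies a check, i.e. what would be raised as an alert."""
    return [(c.name, r["EventID"]) for r in records for c in checks if c.matches(r)]


# Constructed sample records; values mirror common Windows events but are
# illustrative, not captured from a real machine.
SAMPLE_RECORDS = [
    {"Channel": "System", "Provider": "Service Control Manager",
     "EventID": 7036, "Level": 4, "Keywords": 0},
    {"Channel": "System", "Provider": "Service Control Manager",
     "EventID": 7034, "Level": 2, "Keywords": 0},
    {"Channel": "Security", "Provider": "Microsoft-Windows-Security-Auditing",
     "EventID": 4625, "Level": 0, "Keywords": 0x8010000000000000},
    {"Channel": "Application", "Provider": "ExampleVendorApp",  # constructed source
     "EventID": 7034, "Level": 2, "Keywords": 0},
]

# Constructed checks, named as a hypothetical administrator might name them.
SAMPLE_CHECKS = [
    EventLogCheck("Service crashes", "System", "7034, 7031",
                  "Service Control Manager", frozenset({"Error"})),
    EventLogCheck("Failed logons", "Security", "4625",
                  "Microsoft-Windows-Security-Auditing", frozenset({"Failure Audit"})),
    # No source and no type: the "Select All" approach from the hint above.
    EventLogCheck("Any SCM-style event", "System", "7036,7034"),
]


def run_demo():
    """Evaluate the constructed checks against the constructed records."""
    return evaluate_policy(SAMPLE_CHECKS, SAMPLE_RECORDS)


if __name__ == "__main__":
    for name, event_id in run_demo():
        print(f"ALERT [{name}]: Event ID {event_id}")
```

Running the script prints one ALERT line per match. The third check, with neither a source nor a type, fires on every listed Event ID regardless of which provider wrote it, which is exactly the noise the Event Source note above warns about; the first check only fires for the Service Control Manager error, and the Application record with the same Event ID is ignored because the log to query does not match.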

Notification: Add the notification e-mail address(es). We need to make sure the desired e-mail address is part of the TeamViewer company profile or is a contact in the user's account; this is a security restriction built into the system.

Now we can save the policy and, from the Manage Endpoints dialogue, apply it to the computers.

Note: If we need to apply the policy to a group of computers, we add it in the group properties (hover over the group -> click the pen -> select Edit) and then set all systems in the Manage Endpoints dialogue to "Inherit from group".

After we save the policy and apply it to the computer(s) or group(s), it is pushed to the monitored endpoints within a few seconds and the system starts monitoring the Windows Event Viewer.

If an alert is triggered, it is displayed in the Alert list of the Monitoring page and an e-mail notification is sent with more detailed information about the event.

Version history
Revision 3 of 3
Last update: 19 04 2018, 4:53 PM