Q: Is it possible to monitor certain type of records appearing in Windows event logs?
A: Yes, you can set up monitoring of specific events posted to system logs. It is possible to monitor a wide range of events, from system-wide problems to atomic changes to a single file, process or other resource.
Let’s create our first Windows event log monitor.
Create an event log monitor with default values
To begin, create a Windows Event Log monitor for the system running IPHost Network Monitor (in this example, the host name is Localhost). At step 2 of the “New Monitor” wizard, uncheck the “Start the monitor(s)” checkbox in the lower left corner. The “Main settings” should look like this:
Do not start the monitor yet. Let’s create a custom event source first and make sure our monitor can detect its events.
Create a new event source
We will use PowerShell to create event log records to test the monitor. Namely, we will create the event source “My Script”, as it is most probably absent from the default sources.
Open an elevated PowerShell window (“Run as Administrator”) and type the command
New-EventLog -LogName Application -Source "My Script"
If run correctly, the command will print nothing.
Under “Event log filtering settings” click “Select…” to the right of the “Sources” field. (Note: on a busy system, scanning for sources may take considerable time.) After the sources have been loaded and sorted, begin typing “My Script” in the “Find” field. If everything went well, the required source will appear:
Select it and click “OK”. Click “Save” in the upper right part to update the monitor settings, and start the monitor. In the Tree view its icon should turn green, and the performance value should be zero:
Test event source
Now that we have created and selected the new event source, let’s create a sample event log record. In the same elevated PowerShell window type a command like this:
Write-EventLog -LogName Application -Source "My Script" -EntryType Information -EventID 1 -Message "A test event log."
After the monitor is polled, it will show a performance value of 1:
If you open “Event viewer” from “Administrative tasks”, you will be able to locate our custom event and see its fields:
For more information on writing event logs, please refer to PowerShell Write-EventLog cmdlet documentation.
Try changing the parameters of the newly created record and adjust the monitor accordingly. That will give you a deeper understanding of how to select only the relevant data.
Adjust to real-life case
Now that you know how to create, find and filter event log records, adjust the monitor to the actual data you need to monitor. Event viewer is your friend; when trying to understand what to look for, use the built-in Event viewer filters to narrow the amount of data you wish to receive.
For example, if you wish to count the number of successful logon attempts during the last 24 hours, one of the stages of monitor configuration can look like this:
Note that the filter parameters use “machine identifiers” (event IDs, provider names and numeric field values), not human-friendly ones; to see those identifiers, open the “Details” tab of the selected event in Event viewer.
After you have adjusted the filtering as required, you can proceed to setting state conditions and alerting, to conclude the monitor setup.
Tips and tricks
Add filtering fields one by one. If you do not see the expected events, try clearing some filtering fields to encompass more events of the same type. When in doubt, open Event viewer and study the event details to adjust your monitor settings.
You can use the PowerShell cmdlet mentioned above to create your own events. PowerShell commands can be executed in a variety of situations; for example, you can generate custom events from periodic tasks to post a task summary as an event, and your monitor can be set up to trigger an alarm even if it cannot interact directly with the periodic process you need to monitor.
On busy systems, adjust the reporting window (the “Report number of events for the last…” field) to select only relevant data.
In Event viewer, set an upper limit on the event log size; that will reduce system load and the resource usage of Windows Event Log monitors.
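Putting the logon-count case and the custom-event tip together, here is an added PowerShell example (not from the IPHost documentation): it counts successful logons (Security log, Event ID 4624) over the last 24 hours, keeps only interactive and RDP logon types, and posts the count as an event under the “My Script” source created above, so a monitor filtering on that source can alert on it. The summary Event ID 100 and the choice of logon types are assumptions made for this example.

```powershell
# Added example, not part of the IPHost documentation.
# Assumes: elevated PowerShell, the "My Script" source already registered
# with New-EventLog, and an arbitrary summary Event ID of 100.

$since = (Get-Date).AddHours(-24)

# FilterHashtable uses the "machine identifiers" shown on the Details tab in
# Event Viewer: log name, numeric event ID and provider name, not the
# human-friendly task category text. 4624 = "An account was successfully logged on".
$logons = Get-WinEvent -FilterHashtable @{
    LogName      = 'Security'
    Id           = 4624
    ProviderName = 'Microsoft-Windows-Security-Auditing'
    StartTime    = $since
} -ErrorAction SilentlyContinue   # no events in the window is not an error here

# 4624 is noisy: network (type 3) and service (type 5) logons dominate on servers.
# The LogonType field is the 9th property (index 8) of a 4624 event;
# 2 = interactive (console), 10 = remote interactive (RDP).
$interactive = @($logons | Where-Object { $_.Properties[8].Value -in 2, 10 })

$summary = "Successful interactive/RDP logons since $($since.ToString('s')): $($interactive.Count)"

# Post the summary so an Event Log monitor filtering on Source "My Script"
# and Event ID 100 can read the count and raise an alert on its own conditions.
Write-EventLog -LogName Application -Source 'My Script' -EntryType Information `
    -EventId 100 -Message $summary
```

Run it from a scheduled task with the same 24-hour period as the monitor's reporting window; reading the Security log requires administrative rights, which is why the elevated session is assumed.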