
Windows Event Log Service

The Windows Event Log service enables you to monitor the Event logs on Windows devices.

Since you can assign multiple instances of the Windows Event Log service to a device, you can give each instance a Service Identifier. The Service Identifier is included in e-mail notifications and on service-related displays, including the Active Issues view and the Status tab when editing a device, which lets you keep multiple instances of the Windows Event Log service organized.

This service cannot use Self-Healing.

For some sources, the Agent may not be able to retrieve an event description for one of the following reasons:

  • the relevant Windows registry keys do not exist,
  • the relevant Windows registry keys do not contain valid data, or
  • the Event Message Files are corrupted or were not found.

For any of these scenarios, the following message appears: "The description for Event ID ( Event ID Number ) in Source ( Source Name ) cannot be found. The local computer may not have the necessary registry information or message DLL files to display messages from a remote computer."

The Windows Event Viewer can manage the following types of logs on a computer:

  • Security,
  • Application,
  • System Log,
  • Directory Service Log - only available on devices classed as Server-Windows,
  • File Replication Service Log - only available on devices classed as Server-Windows, and
  • DNS Server Log - only available on devices classed as Server-Windows.

The initial scan of the Windows Event Log service will scan the most recent 100 entries in the Event log.

Service Type

WMI

Instances on a Device

25

Device Class

Laptop - Windows, Server - Windows, and Workstation - Windows

Monitored By

Agent (Windows), Windows probe

Generate a Notification when an Event is detected

When selected, this directs the service to generate notifications whenever events are detected.

Scan Interval

30 minutes

Options to Monitor

The names of the Windows Event Viewer logs that are to be monitored:

  • Security (Failure, Success)
  • Application (Error, Information, Warning)
  • System (Error, Information, Warning)
  • Directory Service (Error, Information, Warning)
  • File Replication Service (Error, Information, Warning)
  • DNS Server (Error, Information, Warning)

Include List

The event IDs that you would like to monitor. You can specify individual event IDs or ranges of event IDs (written as low-high), separated by commas.

For example:

100,200,250-400,500-650

This field allows a maximum of 200 characters. Spaces are not allowed.

Exclude List

The event IDs that you would like to exclude from monitoring. You can specify individual event IDs or ranges of event IDs (written as low-high), separated by commas.

For example:

100,200,250-400,500-650

This field allows a maximum of 200 characters.

Event Source Include Filter

The names of the sources that you would like to monitor.

You must use the CSV format. For a range of Event IDs, you can use a dash (-).

For example:

Userenv,Security,W32Time

Event Source Exclude Filter

The names of the Event Log sources that you would like to exclude from monitoring.

You must use the CSV format. For a range of Event IDs, you can use a dash (-).

For example:

Userenv,Security,W32Time

Event Description Regex Filter

The text string or regular expression that you would like to look for in the Description field of the event.

For more information on Regular Expressions, see the topic, Regular Expressions.
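The following is an added example, not code from this product's documentation or Agent: it parses the Include/Exclude list format ("100,200,250-400,500-650", at most 200 characters, no spaces), the CSV source filters ("Userenv,Security,W32Time") and the description regex, and decides whether a given event would be reported. Treating an empty field as "no restriction" is an assumption about the product's behaviour, not something this page states.

```python
import re
from dataclasses import dataclass


def parse_id_list(spec: str) -> set:
    """Expand '100,200,250-400,500-650' into the set of event IDs it names."""
    if len(spec) > 200:  # the field allows a maximum of 200 characters
        raise ValueError("Include/Exclude list exceeds 200 characters")
    if " " in spec:  # spaces are not allowed in the field
        raise ValueError("spaces are not allowed in the Include/Exclude list")
    ids = set()
    for item in filter(None, spec.split(",")):  # tolerate a trailing comma
        low, dash, high = item.partition("-")  # 'low-high' is a range
        start = int(low)
        end = int(high) if dash else start
        if start > end:
            raise ValueError(f"range {item!r} runs backwards")
        ids.update(range(start, end + 1))  # ranges are inclusive
    return ids


def parse_sources(spec: str) -> set:
    """Parse a CSV source filter such as 'Userenv,Security,W32Time'."""
    return {name.strip() for name in spec.split(",") if name.strip()}


@dataclass
class EventFilter:
    # Empty fields mean "no restriction": an assumption, not stated on the page.
    include_ids: str = ""
    exclude_ids: str = ""
    source_include: str = ""
    source_exclude: str = ""
    description_regex: str = ""

    def matches(self, event_id: int, source: str, description: str) -> bool:
        """True if an event passes every configured filter of this instance."""
        include = parse_id_list(self.include_ids)
        if include and event_id not in include:
            return False
        if event_id in parse_id_list(self.exclude_ids):  # exclude wins
            return False
        wanted = parse_sources(self.source_include)
        if wanted and source not in wanted:
            return False
        if source in parse_sources(self.source_exclude):
            return False
        regex = self.description_regex  # searched anywhere in the Description
        return not regex or re.search(regex, description) is not None
```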

Thresholds

The thresholds for the Windows Event Log service are used for monitoring as follows:

Event Log Module Status
This is the status that is sent if you have selected the Generate a Notification when an Event is Detected check box on the Service Details tab. The threshold for this module is 0 for normal and 1 for failed; the failed state is reported when all of the criteria specified on the Service Details tab have been met.

# of Duplicate Events
The number of identical event identifiers that can be recorded in the log within the configured scan interval before the service transitions to a different state. The default for this threshold is 0 for normal and 1 for failed.