Not really, although www.eventid.net might help.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kyle Smith
Sent: 08 March 2004 22:45
To: '[EMAIL PROTECTED]'
Subject: RE: [SA-list] Eventlog check - some info

Does anyone know of a good site that has information on what Event IDs are recommended to be monitored?

Sincerely,

Toromont Process Systems
Kyle Smith
Information Systems Analyst
Direct Phone: 403 717 4520
Cell: 403 804 1953
Fax: 403 717 4545
Email: [EMAIL PROTECTED]

-----Original Message-----
From: Dirk Bulinckx [mailto:[EMAIL PROTECTED]
Sent: Saturday, March 06, 2004 2:52 AM
To: [EMAIL PROTECTED]
Subject: RE: [SA-list] Eventlog check - some info

Well while writing the check I was thinking of it and decided that probably this wasn't needed...well I was wrong apparently...it can be useful....something to add....

Dirk.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Michael Shook
Sent: Saturday, March 06, 2004 2:24 AM
To: [EMAIL PROTECTED]
Subject: RE: [SA-list] Eventlog check - some info

That makes sense. Sounds like this could be really useful.

A thought does occur though, for a new "feature": Right now it alarms if the chosen event is seen since the last event seen. What if it alarmed if the chosen event is NOT seen within a given time period since the last event seen.

I mention this because our backup software gives dozens of error messages, but only one correct "complete" message. It would be easier to alarm if a new event isn't seen within say 24 hours from the last event, than try to write rules for all of the possible error and warning messages.

Just a thought.

Mike

>>> [EMAIL PROTECTED] 03/04/04 03:34PM >>>

The more parameters you give the better the query will be and the better you will be able to 'filter' correctly.

The "all matched entries" option will give within the return (in case of a down) all entries that match the filter.

Dirk.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Michael Shook
Sent: Thursday, March 04, 2004 8:58 PM
To: [EMAIL PROTECTED]
Subject: Re: [SA-list] Eventlog check - some info

Well, I can't install WMI on a production machine, so switched to a 2K server.

Question 1: Do I have to give all of the listed parameters? Or is there a way I can check for all entries from a source?

Question 2: How does the setting "All matching entries" work? (what does it return?)

All else seems to work as advertised.

Michael Shook
Technical Analyst
Saddle Creek Corporation
723 Joe Tamplin Industrial Blvd
Macon GA 31217
478 742 8740 ext. 105 (work)
478 256 9318 (mobile)
478 742 7917 (fax)
[EMAIL PROTECTED]
http://www.saddlecrk.com

>>> [EMAIL PROTECTED] 03/04/04 02:24PM >>>

Some info on how the eventlog check works.

First of all it uses WMI. WMI is installed on Win2000/WinXP and Win2003. It is possible to install WMI on NT4 (Win95/Win98) too, but you have to download it from the Microsoft site.

Download URL: (can be that they change this in the future!)
http://www.microsoft.com/downloads/details.aspx?FamilyID=afe41f46-e213-4cbf-9c5b-fbf236e0e875&displaylang=en

Then how do we do the check.

Using the criteria you give within the interface we query the (remote) system for all entries that match your criteria. We keep the "recordnumber" of the last entry that matches (last meaning the most recent). The entry will give an UP.

From the 2nd cycle on, we query the (remote) system for all entries that match your criteria AND that have a recordnumber that is higher than the previously found last record. IF we find matching entries we will internally update the last recordnumber.

While performing a WMI query you can't move the application or make any change to the application, you will get a message box asking if you want to "switch-continue...", that's NOT something that is within Servers Alive, that is a message box generated by the WMI system of the operating system.

WMI has NO timeout parameter. This means that the timeout given in SA is NOT used for this check. And that the check can/will take longer. It could take several minutes to complete (worst-case scenario) and there is no way around it...that's how WMI works....(well to be honest there is a way around it, but it's an ugly way, it would mean creating a new thread for it and killing the thread if you're over the timeout resulting in...at the end an unstable system).

That's about it ...

Happy testing and let those "issues" come to me ....

Dirk.

---
[This E-mail scanned for viruses by Declude Virus]

To unsubscribe from a list, send a mail message to [EMAIL PROTECTED]
With the following in the body of the message:
unsubscribe SAlive
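
Added example, not part of the original thread and not Servers Alive code: a Python model of the record-number check described in the 03/04/04 message, together with the "not seen within a given time period" mode proposed in the 03/06 reply. build_wql, EventlogCheck, fetch_complete and the BackupSvc sample entries are hypothetical names and constructed data; Win32_NTLogEvent is the WMI class that exposes event log entries, and fetch() stands in for running the query on the remote host.

```python
from datetime import datetime, timedelta

def build_wql(logfile, source=None, event_code=None, after_record=None):
    """WQL for Win32_NTLogEvent; criteria left as None are not filtered on."""
    where = [f"Logfile = '{logfile}'"]
    if source is not None:
        where.append("SourceName = '%s'" % source.replace("\\", "\\\\").replace("'", "\\'"))
    if event_code is not None:
        where.append(f"EventCode = {int(event_code)}")
    if after_record is not None:
        where.append(f"RecordNumber > {int(after_record)}")
    return "SELECT * FROM Win32_NTLogEvent WHERE " + " AND ".join(where)

class EventlogCheck:
    """fetch(after_record) stands in for running the WQL query on the remote host."""
    def __init__(self, fetch, max_silence=None):
        self.fetch, self.max_silence = fetch, max_silence
        self.last_record = None   # RecordNumber of the most recent matching entry
        self.reference = None     # time of that entry, or of the first cycle if none yet

    def cycle(self, now):
        baseline = self.last_record is None        # first cycle only records a baseline
        entries = self.fetch(self.last_record)
        if baseline:
            self.last_record, self.reference = 0, now
        if entries:
            newest = max(entries, key=lambda e: e["RecordNumber"])
            self.last_record, self.reference = newest["RecordNumber"], newest["TimeGenerated"]
        if self.max_silence is not None:           # absence mode (the proposed feature)
            return "DOWN" if now - self.reference > self.max_silence else "UP"
        return "DOWN" if entries and not baseline else "UP"   # presence mode

# Constructed sample log; the source name and event codes are made up.
T0 = datetime(2004, 3, 5, 1, 0)
LOG = [
    {"RecordNumber": 101, "SourceName": "BackupSvc", "EventCode": 57, "TimeGenerated": T0},
    {"RecordNumber": 102, "SourceName": "BackupSvc", "EventCode": 1, "TimeGenerated": T0 + timedelta(minutes=30)},
]

def fetch_complete(after_record):
    """In-memory equivalent of build_wql('Application', 'BackupSvc', 1, after_record)."""
    return [e for e in LOG if e["SourceName"] == "BackupSvc" and e["EventCode"] == 1
            and (after_record is None or e["RecordNumber"] > after_record)]
```

Record numbers start over when a log is cleared, so a stored last_record that is higher than anything in the log will match nothing until the log grows past it; a production check would need to detect that case.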