Didn't forget about this. We just can't find any info on it (yet). In WMI the category is in fact available in 2 "flavours": category (a number) and categorystring (a string) What you see in the eventlog is the categorystring. If a query is done in WMI both are returned. However it looks that if you do a query with the categorystring in the WHERE part that it's not finding anything. Using the category instead works perfectly. First question is ofcourse why? And what's the "link" between category and categorystring. (with that we could transfor the categorystring to the category number OR if there is a full we could just show a dropdown) But until now we haven't found any answers to these questions.
Dirk. -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dirk Bulinckx Sent: Tuesday, June 22, 2004 7:46 PM To: [EMAIL PROTECTED] Subject: RE: [SA-list] Event log monitoring We're looking at this, seems to be an issue with the CATEGORY in a query. Dirk. -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jeff Preou Sent: Tuesday, June 22, 2004 9:57 AM To: [EMAIL PROTECTED] Subject: RE: [SA-list] Event log monitoring Correction :- It goes UP if I clear the event log It goes DOWN if there are *any* logon/logoff entries that match the query (even if it is for a different user), and it stays down. So there appear to be two problems :- 1. It isn't looking at the user name (perhaps I entered it wrong ?) 2. It doesn't come back UP, even when there are no new event log entries -- Jeff Preou Hamilton, New Zealand -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jeff Preou Sent: Tuesday, 22 June 2004 7:51 p.m. To: [EMAIL PROTECTED] Subject: RE: [SA-list] Event log monitoring At the moment it is going DOWN and UP on each alternate cycle, despite the fact that I have cleared the Security event log and the remote user hasn't logged on (or off) [ie there are no entries for this user]. It doesn't appear to be checking the username. -- Jeff Preou Hamilton, New Zealand -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dirk Bulinckx Sent: Tuesday, 22 June 2004 7:46 p.m. To: [EMAIL PROTECTED] Subject: RE: [SA-list] Event log monitoring It should only give the "down" for each of the occurences of the Logon. If the next check doesn't get a new entry that has a logon it will show an UP. You can't configure it to "clear" a down by a logoff instead of a logon. Dirk. -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jeff Preou Sent: Tuesday, June 22, 2004 9:37 AM To: [EMAIL PROTECTED] Subject: [SA-list] Event log monitoring Hi, I'm new to Servers Alive and just downloaded and installed the latest version today. We're evaluating it to see whether we can offer it to our customers that would like a cheap but effective monitoring solution, the idea being that *we* get notified and can then offer assistance as necessary. Hence there might be quite a few requests for help to this list while I discover what we can and cannot do with Servers Alive. And here's the first :- I'm using the EventLog addon to check to see when a particular remote user logs on and then logs off from a Terminal Server. I have one Eventlog check configured with :- ======================================================================== ==== Give a down when "at least one" new eventlog entry matches the below query: Hostname: SERVER Logfile: Security Source: Security Categaory: Logon/Logoff Event ID: 540 User: DOMAIN\username Type: Success Audit Description: Successful Network Logon Return: Number of matching entries Timeout: 5 seconds ======================================================================== ==== I have another event corresponding to the logoff The query correctly returns a DOWN status as this remote user has already logged on (and off). However, it stays in a down status. I get an email notification when it changes to down, and if I change the email notification to 'every 1 times' then I get notified every time, even though there has been no change to the event log. My question is this : how do I set up a query so that I simply get emailed when these events occur rather than every time it is down, if you see what I mean ? Secondly, is it possible to have one event (the logoff) cause the first event (logon) to change from DOWN to UP ? Basically, I'm trying to get notified of this particular users logon/logoffs. Any help would be appreciated. Cheers, -- Jeff Preou Hamilton, New Zealand ######################################################## This message has been scanned for Content and cleared by MailMarshal. www.mailmarshal.com This message has been scanned for Viruses and cleared by Symantec AntiVirus. www.symantec.com ######################################################## -------------- [This E-mail scanned for viruses by Declude Virus] To unsubscribe from a list, send a mail message to [EMAIL PROTECTED] With the following in the body of the message: unsubscribe SAlive -------------- [This E-mail scanned for viruses by Declude Virus] To unsubscribe from a list, send a mail message to [EMAIL PROTECTED] With the following in the body of the message: unsubscribe SAlive ######################################################## This message has been scanned for Content and cleared by MailMarshal. www.mailmarshal.com This message has been scanned for Viruses and cleared by Symantec AntiVirus. www.symantec.com ######################################################## -------------- [This E-mail scanned for viruses by Declude Virus] To unsubscribe from a list, send a mail message to [EMAIL PROTECTED] With the following in the body of the message: unsubscribe SAlive ######################################################## This message has been scanned for Content and cleared by MailMarshal. www.mailmarshal.com This message has been scanned for Viruses and cleared by Symantec AntiVirus. www.symantec.com ######################################################## -------------- [This E-mail scanned for viruses by Declude Virus] To unsubscribe from a list, send a mail message to [EMAIL PROTECTED] With the following in the body of the message: unsubscribe SAlive -------------- [This E-mail scanned for viruses by Declude Virus] To unsubscribe from a list, send a mail message to [EMAIL PROTECTED] With the following in the body of the message: unsubscribe SAlive -------------- [This E-mail scanned for viruses by Declude Virus] To unsubscribe from a list, send a mail message to [EMAIL PROTECTED] With the following in the body of the message: unsubscribe SAlive