Discussion:
What is the zWinEventlogClause property?
Oscar Segarra
2012-02-16 09:07:41 UTC
Oscar Segarra [http://community.zenoss.org/people/Oscar] created the discussion

"Re: What is the zWinEventlogClause property?"

To view the discussion, visit: http://community.zenoss.org/message/64547#64547

--------------------------------------------------------------
Hi.

There are three parameters that affect the Windows event log monitoring feature:

zWinEventLog: true/false
zWinEventLogClause: I will explain it below
zWinEventLogMinSecurity: look at http://community.zenoss.org/thread/4896?start=0&tstart=0

Internally Zenoss executes the following WMI query when zWinEventLog is set to "true":

SELECT * FROM __InstanceCreationEvent
WHERE TargetInstance ISA 'Win32_NTLogEvent'
AND TargetInstance.EventType <= zWinEventLogMinSecurity
AND zWinEventLogClause

Win32_NTLogEvent is defined as follows (http://msdn.microsoft.com/en-us/library/windows/desktop/aa394226(v=vs.85).aspx):

class Win32_NTLogEvent
{
  uint16   Category;
  string   CategoryString;
  string   ComputerName;
  uint8    Data[];
  uint16   EventCode;
  uint32   EventIdentifier;
  uint8    EventType;
  string   InsertionStrings[];
  string   Logfile;
  string   Message;
  uint32   RecordNumber;
  string   SourceName;
  datetime TimeGenerated;
  datetime TimeWritten;
  string   Type;
  string   User;
};

You can use any of the previous fields.

If we wish to detect/monitor events with event ID 1111 or 3364 in the event log, we must set the zWinEventLogClause parameter to (TargetInstance.EventIdentifier=1111 OR TargetInstance.EventIdentifier=3364).

The system will execute the following working query:

SELECT * FROM __InstanceCreationEvent
WHERE TargetInstance ISA 'Win32_NTLogEvent'
AND TargetInstance.EventType <= 2
AND (TargetInstance.EventIdentifier=1111 OR TargetInstance.EventIdentifier=3364);


I hope this helps.
--------------------------------------------------------------

Reply to this message by replying to this email -or- go to the discussion on Zenoss Community
[http://community.zenoss.org/message/64547#64547]

Start a new discussion in zenoss-users by email
[discussions-community-forums-zenoss--***@community.zenoss.org] -or- at Zenoss Community
[http://community.zenoss.org/choose-container!input.jspa?contentType=1&containerType=14&container=2003]
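The following is an added example (not Zenoss code and not from the poster) that composes the WQL query described above from the three zProperties and evaluates the same filter locally against constructed Win32_NTLogEvent-like records, so you can check which events a given zWinEventLogMinSecurity/zWinEventLogClause pair would pick up before deploying it. The function names, the regex-based clause reader (which only understands the OR-of-EventIdentifier shape used in the post) and the sample records are assumptions.

```python
import re

# Clause exactly as given in the post above
CLAUSE = "TargetInstance.EventIdentifier=1111 OR TargetInstance.EventIdentifier=3364"

def build_eventlog_query(zWinEventLog, zWinEventLogMinSecurity, zWinEventLogClause):
    """Return the WQL query Zenoss issues (per the post), or None when monitoring is off."""
    if not zWinEventLog:
        return None
    query = ("SELECT * FROM __InstanceCreationEvent "
             "WHERE TargetInstance ISA 'Win32_NTLogEvent' "
             "AND TargetInstance.EventType <= %d" % int(zWinEventLogMinSecurity))
    clause = (zWinEventLogClause or "").strip()
    if clause:
        # The clause is ANDed onto the fixed part; parenthesise so an OR list stays grouped
        query += " AND (%s)" % clause
    return query

def clause_event_ids(zWinEventLogClause):
    """Event identifiers named in an OR-of-equalities clause (hypothetical helper)."""
    pattern = r"TargetInstance\.EventIdentifier\s*=\s*(\d+)"
    return {int(m) for m in re.findall(pattern, zWinEventLogClause or "")}

def matching_events(events, zWinEventLogMinSecurity, zWinEventLogClause):
    """Local re-implementation of the WHERE clause: EventType <= MinSecurity AND id in clause.
    An empty clause means every event passing the EventType test is returned."""
    wanted = clause_event_ids(zWinEventLogClause)
    return [e for e in events
            if e["EventType"] <= int(zWinEventLogMinSecurity)
            and (not wanted or e["EventIdentifier"] in wanted)]

# Constructed sample records (EventType: 1 = Error, 2 = Warning, 3 = Information)
SAMPLE_EVENTS = [
    {"EventIdentifier": 1111, "EventType": 1, "SourceName": "AppA"},  # error, wanted id
    {"EventIdentifier": 3364, "EventType": 3, "SourceName": "AppB"},  # dropped by MinSecurity=2
    {"EventIdentifier": 9999, "EventType": 2, "SourceName": "AppC"},  # id not in clause
    {"EventIdentifier": 3364, "EventType": 2, "SourceName": "AppB"},  # warning, wanted id
]

if __name__ == "__main__":
    print(build_eventlog_query(True, 2, CLAUSE))
    for e in matching_events(SAMPLE_EVENTS, 2, CLAUSE):
        print("would be collected:", e)
```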
rklingaman
2012-02-16 23:20:11 UTC
rklingaman [http://community.zenoss.org/people/rklingaman] created the discussion

"Re: What is the zWinEventlogClause property?"

To view the discussion, visit: http://community.zenoss.org/message/64554#64554

--------------------------------------------------------------
Great information and working well, although I'm running into the following bug explained in this Microsoft article:

http://support.microsoft.com/default.aspx?scid=kb;en-us;2404366&sd=rss&spid=3198

This happens when I use TargetInstance.EventIdentifier=1111 OR TargetInstance.EventIdentifier=3364. If I use just one EventIdentifier it works fine.
--------------------------------------------------------------

Oscar Segarra
2012-02-17 12:08:25 UTC
Oscar Segarra [http://community.zenoss.org/people/Oscar] created the discussion

"Re: What is the zWinEventlogClause property?"

To view the discussion, visit: http://community.zenoss.org/message/64568#64568

--------------------------------------------------------------
Hi,

As you have said... this is a "Windows problem" and it is out of the Zenoss scope.

Maybe cleaning some old events from the Windows event log can help to reduce memory consumption.

Oscar.
--------------------------------------------------------------

Oscar Segarra
2012-08-03 12:20:02 UTC
Oscar Segarra [http://community.zenoss.org/people/Oscar] created the discussion

"Re: What is the zWinEventlogClause property?"

To view the discussion, visit: http://community.zenoss.org/message/67663#67663

--------------------------------------------------------------
Hi,

I think the question has been answered; can you mark it as answered?

Please contact me if you need further assistance

Thanks a lot!!
--------------------------------------------------------------
