
Remote Event Log Monitor - Create

Summary

This Automate Script will create a state-based event log monitor on the specifically requested group. By default, it will set these monitors to the "Default - Do Nothing" alert template, which needs to be modified to fit your desired result after creation.

PowerShell-related issues are addressed in the WARNING state. It is suggested to use the CWM - Automate - Script - Ticket Creation - Computer script for ERROR state alerting, as the remote monitor truncates the message while creating a default ticket using the alert template.

Note: You must review the properties of the event log to determine the name.

(Screenshot: Event Log Monitor)

Requirements

This script will create the remote monitor on a group with the default settings being:

  1. Do nothing
  2. No error actions
  3. No alert actions

If you desire a different end result, the monitor will need to be modified manually.

Sample Run

Intended Target: Any Computer (offline Computer Script)

The following parameters will configure a remote monitor on group ID 1675, restricted to search ID 75:

  • Monitor Name: Application - Event 7040 - Level Informational
  • Monitor Schedule: Every 84000 seconds

The aforementioned monitor will be designed to scan the Application log for Informational events that have an event ID of 7040, whose message contains the phrase "The Start Type of," and that were generated within the last 86400 seconds.

Monitor Configuration

The following parameters will be utilized to configure a remote monitor on group ID 1675, restricted to search ID 75:

  • Monitor Name: Application - Event 7040,7041 - Provider Service Control Manager
  • Monitor Schedule: Every 300 seconds

The aforementioned monitor will be designed to scan the Application log for events of any level that have an event ID of 7040 or 7041, come from the provider 'Service Control Manager,' and have occurred at least three times over the last 300 seconds (the monitor's interval).
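The following is an added example, not the Automate script or its Get-RecentEventLog helper: a PowerShell check that runs the query described above (log, event IDs, provider, level, message phrase, lookback window) and maps the outcome to the monitor's NORMAL, WARNING and FAILED states. The function and parameter names are assumptions, as is the state mapping (query errors to WARNING, matching the note that PowerShell issues are handled there; enough hits to FAILED).

```powershell
# Added example, not the Automate script: runs the event query the page
# describes and maps the result to the monitor's three states.
# Function and parameter names are assumptions.
function Get-EventLogMonitorState {
    param(
        [Parameter(Mandatory)][string]$LogName,
        [int[]]$EventID,
        [string]$ProviderName,
        [string]$Message,
        [ValidateSet('Critical','Error','Warning','Informational')][string]$Level,
        [int]$Seconds = 300,
        [int]$FailCount = 1     # hits needed inside the window to raise FAILED
    )
    # Get-WinEvent filters on these hashtable keys inside the event log service;
    # add only the keys the caller supplied, since an empty key matches nothing.
    $filter = @{ LogName = $LogName; StartTime = (Get-Date).AddSeconds(-$Seconds) }
    if ($EventID)      { $filter.Id = $EventID }
    if ($ProviderName) { $filter.ProviderName = $ProviderName }
    if ($Level) {
        $filter.Level = @{ Critical = 1; Error = 2; Warning = 3; Informational = 4 }[$Level]
    }
    try {
        $events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction Stop)
    } catch {
        # "No events found" is a normal outcome, not a script failure; anything
        # else (unknown log name, access denied) is reported as WARNING.
        if ($_.FullyQualifiedErrorId -like 'NoMatchingEventsFound*') { $events = @() }
        else { return [pscustomobject]@{ State = 'WARNING'; Hits = 0; Detail = $_.Exception.Message } }
    }
    if ($Message) {
        # Literal, case-insensitive substring test, so wildcard or regex
        # characters in the phrase cannot broaden the match.
        $events = @($events | Where-Object {
            $_.Message -and $_.Message.IndexOf($Message, [StringComparison]::OrdinalIgnoreCase) -ge 0 })
    }
    $state = if ($events.Count -ge $FailCount) { 'FAILED' } else { 'NORMAL' }
    [pscustomobject]@{
        State  = $state
        Hits   = $events.Count
        Detail = ($events | Select-Object TimeCreated, Id, LevelDisplayName, Message | Out-String)
    }
}

# The "Monitor Configuration" case above: 7040 or 7041 from Service Control
# Manager, at least three occurrences in the last 300 seconds.
Get-EventLogMonitorState -LogName Application -EventID 7040,7041 `
    -ProviderName 'Service Control Manager' -Seconds 300 -FailCount 3
```

The Detail field carries the same table shape as the %RESULT% sample later on the page, so it is what an alert template would have available to it.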

(Screenshot: Event Monitor)

Dependencies

Variables

  • GroupID_SearchID: Holds the parsed GroupID and SearchID from the user parameters
  • GroupID: Holds the Group ID you specified
  • SearchID: Holds the Search ID you specified
  • CheckAction: Holds the check action to be taken on the remote monitor (File)
  • AlertAction: Holds the alert action to be taken on the remote monitor (default is Default - Do Nothing)
  • ProjectName: Get-RecentEventLog
  • WorkingDirectory: C://ProgramData//_automation//script//Get-RecentEventLog
  • PS1Path: C://ProgramData//_automation//script//Get-RecentEventLog//Get-RecentEventLog.ps1
  • AdditionalParams: Additional parameters provided from the user parameters
  • Interval: Run time interval of the monitor, set in seconds
  • LogNameSwitch: Converts the desired LogName to a formatted LogName switch for the agnostic script
  • EventIDSwitch: Converts the desired event ID to a formatted event ID switch for the agnostic script
  • ProviderSwitch: Converts the desired ProviderName to a formatted provider name switch for the agnostic script
  • Message: Message passed in the AdditionalParams user parameter, with SQL-compatible modifications
  • MessageSwitch: Converts the desired message to a formatted Message switch for the agnostic script
  • LevelSwitch: Converts the desired Level to a formatted Level switch for the agnostic script
  • SecondsSwitch: Converts the desired Seconds to a formatted Seconds switch for the agnostic script
  • AdditionalParameters: Formatted additional parameters provided from the user parameters
  • GUID: GUID for the remote monitor
  • ComparisonString: Formatted conditions to be used within the remote monitor for the NORMAL, WARNING, and FAILED states
  • ExecuteString: Command to be used within the remote monitor

User Parameters

  • LogName (example: Application; required: True): The event log sub-container you wish to query.
  • EventID (example: 7040; required: True): The event ID you wish to query for in the selected log.
  • GroupID_SearchID (example: 1675_75; required: True): The ID of the group you wish to create the monitor on, and the search ID to limit it.
  • Interval (example: 3600; required: False): Interval, in seconds, at which the monitor set runs. Leaving it blank or setting it lower than 60 defaults it to 60.
  • AdditionalParams (example: seconds=86400Level=InformationalMessage=The start type of)

Note: Do not enclose the parameters in quotations.

Output

  • Script log
  • Remote Monitor

Sample Remote Monitors

  • Multiple Monitors (screenshot)
  • Configuration Tab (screenshot)
  • Example Warning (screenshot)
  • Example Failed (screenshot)
  • Example Success (screenshot)
  • Alerting Tab (screenshot)

Example %RESULT%

ProviderName: Service Control Manager
TimeCreated Id LevelDisplayName Message
----------- -- ---------------- -------
4/18/2023 9:53:50 AM 7040 Information The start type of the Background Intelligent Transfer Service s...
4/18/2023 9:44:28 AM 7040 Information The start type of the Background Intelligent Transfer Service s...
4/18/2023 9:40:19 AM 7040 Information The start type of the Background Intelligent Transfer Service s...
4/18/2023 9:37:56 AM 7040 Information The start type of the Background Intelligent Transfer Service s...
4/18/2023 9:35:50 AM 7040 Information The start type of the Background Intelligent Transfer Service s...
4/18/2023 9:23:01 AM 7040 Information The start type of the Background Intelligent Transfer Service s...
4/18/2023 9:18:12 AM 7040 Information The start type of the Background Intelligent Transfer Service s...
4/18/2023 9:06:48 AM 7040 Information The start type of the Background Intelligent Transfer Service s...
4/18/2023 9:01:58 AM 7040 Information The start type of the Background Intelligent Transfer Service s...