This is my solution for the deficiencies of both BBNT's msgs and BBwin (broken in central mode) Windows event log reporting. Neither effectively works for Vista/2008 to my knowledge.
http://xymonton.trantor.org/doku.php/monitors:winevtmsgs.pl
Reports on Windows event logs forwarded with SNARE (a free Windows event log forwarder over syslog): http://www.intersectalliance.com/projects/SnareWindows/index.html
Each Windows server needs the appropriate version of Snare installed (Vista/2008 differs from older versions of Windows) and configured to forward to the central syslog server.
Install on the central syslog server. It is assumed this is the same as the xymon server (use the bb-hosts 'evt' tag to denote tested hosts). A sample config for using rsyslog is documented.
Can also report on cluster nodes and cluster resources (e.g. SQL or Exchange) - in such cases each cluster node forwards all events for all nodes.
Highly configurable alerting on various event log fields by exact string match or regexp. Sample rule:
  # DCs (Domain Controllers)
  "DCs" => {
      # host name specified by regexp
      "host" => qr/^(dc\d+)/i,
      # ignore System:MRxSMB 8003 messages about the Browser service
      "ignore" => {
          "Browser" => {
              "src" => "System",
              "cat" => "MRxSmb",
              "evn" => qr/^(8003)$/,
          },
      },
      # yellow on System:KDC 26 messages (often Error, but not that significant)
      "yellow" => {
          "KDC" => {
              "src" => "System",
              "cat" => "KDC",
              "evn" => "26",
          },
      },
      # green on System:NETLOGON (various) messages (often Error) about
      # deleted/disabled/etc. computer accounts
      "green" => {
          "NoCompAcct" => {
              "src" => "System",
              "cat" => "NETLOGON",
              "evn" => qr/^(5719|572[23]|5805)$/,
          },
      },
  },
Any questions, suggestions or problems, drop me a line.
David.
--
David Baldwin - IT Unit
Australian Sports Commission
www.ausport.gov.au
Tel 02 62147830 Fax 02 62141830
PO Box 176 Belconnen ACT 2616
Leverrier Street Bruce ACT 2617
david.baldwin at ausport.gov.au
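To show how a rule like the "DCs" entry above classifies forwarded events, here is an added illustration that is not code from winevtmsgs.pl. It assumes the event fields are named host, src, cat and evn, that matching tries ignore, then yellow, then green, and that an unmatched event on a matched host is red; none of that is stated in the post.

```perl
#!/usr/bin/perl
# Added illustration only; field names, colour precedence and the red default
# are assumptions about winevtmsgs.pl, not taken from the script itself.
use strict;
use warnings;

my %rules = (
    "DCs" => {
        "host"   => qr/^(dc\d+)/i,
        "ignore" => { "Browser"    => { "src" => "System", "cat" => "MRxSmb",   "evn" => qr/^(8003)$/ } },
        "yellow" => { "KDC"        => { "src" => "System", "cat" => "KDC",      "evn" => "26" } },
        "green"  => { "NoCompAcct" => { "src" => "System", "cat" => "NETLOGON", "evn" => qr/^(5719|572[23]|5805)$/ } },
    },
);

# One rule field matches either by exact string or by regexp (a qr// value).
sub field_matches {
    my ($pattern, $value) = @_;
    return ref($pattern) eq 'Regexp' ? $value =~ $pattern : $value eq $pattern;
}

# Every src/cat/evn criterion present in a rule entry must match the event.
sub entry_matches {
    my ($entry, $ev) = @_;
    for my $f (qw(src cat evn)) {
        next unless exists $entry->{$f};
        return 0 unless field_matches($entry->{$f}, $ev->{$f});
    }
    return 1;
}

# Returns 'ignore', 'yellow' or 'green' for the first matching entry of a
# group whose host regexp matches; 'red' when nothing matches (assumed default).
sub classify {
    my ($ev) = @_;
    for my $group (values %rules) {
        next unless field_matches($group->{host}, $ev->{host});
        for my $colour (qw(ignore yellow green)) {
            for my $entry (values %{ $group->{$colour} || {} }) {
                return $colour if entry_matches($entry, $ev);
            }
        }
    }
    return 'red';
}

# Constructed sample events, shaped like the fields SNARE would forward.
my @events = (
    { host => 'DC01', src => 'System', cat => 'MRxSmb',   evn => '8003' },  # ignore
    { host => 'dc02', src => 'System', cat => 'KDC',      evn => '26'   },  # yellow
    { host => 'dc02', src => 'System', cat => 'NETLOGON', evn => '5723' },  # green
    { host => 'dc03', src => 'System', cat => 'Disk',     evn => '7'    },  # red
);
printf "%-5s %-9s %-5s -> %s\n", @{$_}{qw(host cat evn)}, classify($_) for @events;
```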