Macros/variables in WMI Test Query ?

[AlexL]

I have a WMI Query of the form:

Code: Select all

SELECT * FROM Win32_NTLogEvent WHERE LogFile = 'application' AND EventCode = 9827 AND TimeGenerated > '20100718000000.000000-000'

I would need to generate dynamicaly the value "20100718000000.000000-000", which is a date. Is something like that possible?

TIA

Alex

[KS-Soft]

There is no such option but there is specialized NT Event Log test method that checks all new events. You may setup this test to check for all new events with EventID=9827
http://www.ks-soft.net/hostmon.eng/mfra ... m#chkNTLog

Regards
Alex

[AlexL]

Yes, this is the first thing I tried, but it didn't work. Either I configured the test incorrectly, or the NT Event Log test in my version of HostMonitor (7.22) doesn't support the Win 2008 event logs.

Alex

[KS-Soft]

Version 7.22 is pretty old, it cannot check Vista specific event logs. However it should work with Application log just fine.

Could you please explain what exactly means "didn't work"? What test status did you see?
Status always "Ok" while there is new "bad" event in the log? or HostMonitor set "Unknown" status and displayed some error description in Reply field of the test?

Regards
Alex

[AlexL]

I try to check if the nightly backup on the Exchange 2010 worked. It finishes somewhere between 02:00 and 06:00 in the morning. If it was successful, two new events 9827 (two databases are backed up) are written to the Application eventlog, a few hours before the ScheduleTime (06:30:00)

Here is the test (a few lines omitted):

Code: Select all

Method      = NTLog
;--- Common properties ---
Title       = Exchange #1 Daily Backup
ScheduleMode= OneTestPerDay
ScheduleTime= 06:30:00
Alerts      = Message, Sound
ReverseAlert= Yes                    <<<<-----  !!!!!!
UnknownIsBad= No
WarningIsBad= No
UseCommonLog= Yes
PrivLogMode = Default
CommLogMode = Default
;--- Test specific properties ---
Computer    = \\srk-exchange
Log         = Application
Source      = 
ReportMode  = AllEvents
TestOkMode  = IfNoBadEvent
BadFilter   = 1
CheckComp   = Any
CheckType   = Any
CheckID     = AnyFromList
CheckDescr  = Any
CompList    = 
IDList      = ^M9827^M
DescrList   = 

[/size]
Result:
=====
Status: Ok (please note thet the alert is reversed!)
Recurrences: 2 [there should be 2 events 9827]
Reply: Message not found. Insertion strings:8595de13-31b4-4213-972b-907c2f2eeac2:6, Mailbox Database customers

What bothers me is the reply text: I am not sure if it doesn't contradict the Ok status, and I am not sure, therefore, how to interpret the result.

I must also confess that I am unsure if I correctly understand how to configure the NT Event Log test.

TIA

Alex

[KS-Soft]

Well, this means test works and HostMonitor is able to detect event on target system. The only problem - HostMonitor cannot retrieve event description (text description).
Please check FAQ for details:
http://www.ks-soft.net/cgi-bin/phpBB/vi ... hp?p=20994

BTW newer versions of HostMonitor may use 2 different technics to retrieve event description. So probably you just need to update software.

Regards
Alex

[AlexL]

I copied the message dll from the target server to the ...\EventLogDlls directory and created the registry key - with the path value pointing to this new location. Should I reboot the machine with AHM?

Now I wait for tomorrow morning, when the test will run again.

Meanwhile: would the suggestion about allowing macros/variables in the WMI Test Query fit the general concept of AHM?

BTW newer versions of HostMonitor may use 2 different technics to retrieve event description. So probably you just need to update software.

My boss is not yet sure if we will keep AHM, or change to something else . We have tried Microsoft's System Center Operations Manager, but I was not satisfied - too complex for us and not flexible enough. Definitive decision - this Fall.

Alex

[KS-Soft]

Should I reboot the machine with AHM?

Its not necessary.

Meanwhile: would the suggestion about allowing macros/variables in the WMI Test Query fit the general concept of AHM?

Usually if you need some non-standard query, you may use Shell Script test method to execute WMI query or several queries and process results. This test method supports date/time variables.

Regards
Alex

[AlexL]

This morning, the test returned the "Bad" status, which was correct, because the backup didn't run for some reason. I've corrected the problem and will wait until tomorrow morning.

Regarding Shell Script as an escape solution - yes, I was already experimenting with WMIC in a batch file; however, a predefined, off the shelf solution is prefferable.

Kind regards,
Alex

[AlexL]

Now the test returned Bad, although the expected event - 9827 -was there. However, I'll wait for another day or two before being certain that the test runs correctly or not.

Alex

[KS-Soft]

Regarding Shell Script as an escape solution - yes, I was already experimenting with WMIC in a batch file; however, a predefined, off the shelf solution is prefferable

Ok, I have added this item as low priority task.

Now the test returned Bad, although the expected event - 9827 -was there. However, I'll wait for another day or two before being certain that the test runs correctly or not

Do you still have "Reverse alert" option enabled?

Regards
Alex

[AlexL]

Ok, I have added this item as low priority task.

Thank you, Alex.

Now the test returned Bad, although the expected event - 9827 -was there. However, I'll wait for another day or two before being certain that the test runs correctly or not

Do you still have "Reverse alert" option enabled?

Yes, I do, and I did.

In the last two days the test returned "Ok" and the correct Result. I believe it is OK now. Last time I've started the test manually, before the scheduled time - maybe this has somehow distorted the result.

Thanks again, Alex

Alex

[KS-Soft]

You are using OneTestPerDay mode (at 06:00).
If (for example) you forced test execution on 05:00 July 25 then HostMonitor will not peform this test automatically later on July 25. Test will be performed automatically on next day.

Regards
Alex