My test is:
If, at the time of running the test, the text "****** Process started at:" exists in the "Application" event log, then this is a GOOD event.
However, if at the time of running the test the text "****** Process started at:" does NOT exist in the "Application" event log, then this is a BAD event.
Problem:
Even when the expected text exists in the NT Event Log I am receiving an alert of a Bad event.
My Event Log test properties are:
"Bad" event must satisfy the following requirements:
Computer: Any
Event Type: Information
Event ID: Any
Description Contains: Nothing from the list
List Items:
******* Process started at:
(Yes, the asterisks are part of the text in the Event Log entry)
set "OK" status when new "good" event detected
Report about all events
"Good" event must satisfy the following requirements:
Computer: Any
Event Type: Information
Event ID: Any
Description Contains: All strings from the list
List Items: Process started at:
My Action Properties are:
(Only "Bad" status actions are set)
Send email when 1 consecutive "Bad" result occurs.
Repeat 1 time(s)
My test exported as text:
; ------- Test #01 -------
Method = NTLog
;--- Common properties ---
Title = NTLog: Some test in our HostMonitor
Comment = This test alerts if no process start logged to the Windows event log "Application".
RelatedURL =
ScheduleMode= Regular
Schedule = Some test schedule in our HostMonitor
Interval = 900
Alerts = AnActionProfile(BS1R1)
ReverseAlert= No
UnknownIsBad= Yes
WarningIsBad= Yes
UseCommonLog= Yes
PrivLogMode = Default
CommLogMode = Default
SyncCounters= Yes
SyncAlerts = No
DependsOn = list
MasterTest-Alive = Some Server - Ping
;--- Test specific properties ---
Computer = \\ServerName
Log = Application
Source = TCAProcessNameProcess
ReportMode = AllEvents
TestOkMode = IfGoodEvent
BadFilter = 1
CheckComp = Any
CheckType = AnyFromList
CheckID = Any
CheckDescr = AnyExceptList
CompList =
TypeList = Information
IDList =
DescrList = ^MProcess started at:^M
GoodFilter = 1
CheckComp = Any
CheckType = AnyFromList
CheckID = Any
CheckDescr = AllFromList
CompList =
TypeList = Information
IDList =
DescrList = ^MProcess started at:^M
;-----------------------------------------------------------------------------
Is there something I should be doing differently, please?
NT Event Log test to alert when expected text not existing
-
- Posts: 34
- Joined: Mon Apr 28, 2008 10:15 am
Looks like you do not understand how this test works.
NT Event Log test checks for ALL NEW events in the log. So, if you have 10 new events in the log and SOME of them fit the filter, test status will be changed to bad.
In your case - if there are 10 new events in the log, 1 or 5 or 9 (not 10!) of these events contain specified string "******* Process started at: " but at least one event does not contain the string, test status will be changed to Bad.
I think you should modify test settings a little (remove good filter, change "AnyExceptList" to "AnyFromList" and mark "Reverse alert" option).
Method = NTLog
;--- Common properties ---
;DestFolder = Root\
Title = NTLog: Some test in our HostMonitor
Comment = This test alerts if no process start logged to the Windows event log "Application".
RelatedURL =
ScheduleMode= Regular
Schedule = Some test schedule in our HostMonitor
Interval = 900
Alerts = AnActionProfile(BS1R1)
ReverseAlert= Yes
UnknownIsBad= Yes
WarningIsBad= Yes
UseCommonLog= Yes
PrivLogMode = Default
CommLogMode = Default
SyncCounters= Yes
SyncAlerts = No
DependsOn = list
MasterTest-Alive = Some Server - Ping
;--- Test specific properties ---
Computer = \\ServerName
Log = Application
Source = TCAProcessNameProcess
ReportMode = AllEvents
TestOkMode = IfNoBadEvent
BadFilter = 1
CheckComp = Any
CheckType = AnyFromList
CheckID = Any
CheckDescr = AnyFromList
CompList =
TypeList = Information
IDList =
DescrList = ^MProcess started at:^M
Regards
Alex
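The evaluation rule described in the reply above, as an added Python model (not HostMonitor code and not part of either post). It assumes the status is Bad when any new event fits the bad filter and that "Reverse alert" inverts the result; the good filter of the original settings is left out, and the sample events are constructed.

```python
from dataclasses import dataclass

NEEDLE = "Process started at:"  # string from the DescrList lines in the thread


@dataclass
class Event:
    type: str
    description: str


def matches(event, check_descr, needles, types=("Information",)):
    """Apply one filter (TypeList plus CheckDescr rule) to a single event."""
    if event.type not in types:
        return False
    hits = [n in event.description for n in needles]
    if check_descr == "AnyFromList":
        return any(hits)
    if check_descr == "AllFromList":
        return all(hits)
    if check_descr == "AnyExceptList":  # "Nothing from the list"
        return not any(hits)
    raise ValueError(check_descr)


def poll(new_events, bad_check, reverse_alert):
    """One test run: Bad if ANY new event fits the bad filter (assumed model)."""
    bad = any(matches(e, bad_check, [NEEDLE]) for e in new_events)
    if reverse_alert:  # assumption: Reverse alert swaps Ok and Bad
        bad = not bad
    return "Bad" if bad else "Ok"


def original(new_events):
    # Settings from the question: CheckDescr = AnyExceptList, ReverseAlert = No
    return poll(new_events, "AnyExceptList", reverse_alert=False)


def revised(new_events):
    # Settings from the reply: CheckDescr = AnyFromList, ReverseAlert = Yes
    return poll(new_events, "AnyFromList", reverse_alert=True)


# Constructed events for one 900-second interval.
MIXED = [Event("Information", "******* Process started at: 10:15"),
         Event("Information", "Cache flushed")]
NO_START = [Event("Information", "Cache flushed")]

if __name__ == "__main__":
    for name, events in (("mixed", MIXED), ("no start", NO_START)):
        print(name, "original:", original(events), "revised:", revised(events))
```

With the mixed interval the original settings report Bad because one unrelated Information event fits the "nothing from the list" filter, while the revised settings report Bad only when no new event carries the string.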