EVENTMONITOR

cgunhouse

cgunhouse

Dec 2, 2008
231
2
Canada
I have now moved onto EVENTMONTOR and I am having some problems

For example to monitor the Application event log I used

eventmonitor BC0124XX8920794 Application FOREVER D:\TC\ProcessEvent.btm

where ProcesEvent.btm is:

Code: 
echo Computer: %_eventcomputer
echo Description: %_eventdesc
echo Log: %_eventlog
echo Source: %_eventsource
echo Type: %_eventtype
echo Count: %_eventcount

The problem is most of the time nothing happens when an event is logged, but maybe every one and ten times I get almost what I expect. I would get everything defined in ProcessEvent except for the description, the description always comes back blank.

Any thoughts on why this happens?

Craig
 
cgunhouse said:
I have now moved onto EVENTMONTOR, I just can't get the syntax down. What I think should work doesn't

For example to monitor the Application event log I used

eventmonitor BC0124XX8920794 Application forever echo %%_eventcomputer

I then forced an event on the application event log and got nothing, the count didn't go up either
Click to expand...

Not reproducible here.

Note that both the TCC process running EVENTMONITOR and whatever you use to generate an event (EVENTLOG?) have to have administrator rights. (And the event generator has to have *full* administrator rights; i.e., through "run as administrator".)

You're also not entering the UNC name of the server, though Windows can usually figure that one out.

Did you verify (through the Windows Event Viewer) that the event is actually written to the application event log?
 
Sorry, I changed the original text because it seems that EVENTMONITOR runs but it is hit and miss, where it seems to be more miss than hit.

I do run as an administrator, I use a fully qualified domain name for the server and I verified it against the event viewer.

Craig
 
cgunhouse said:
Sorry, I changed the original text because it seems that EVENTMONITOR runs but it is hit and miss, where it seems to be more miss than hit.

I do run as an administrator, I use a fully qualified domain name for the server and I verified it against the event viewer.
Click to expand...

It would be useful if you had a reproducible failcase.

There's not a lot that can go wrong with EVENTMONITOR. It creates a background thread that wakes up every 5 seconds and looks at the event log. If there are new records (i.e., if there are more records than the last time the thread looked), it reads the event log looking for a match with the requested description / type / source.

We have a number of large corporate customers who use EVENTMONITOR extensively, so I'm fairly sure there aren't any major bugs here.
 
I tried the following

Typed at the command line:

eventmonitor AC0103XX8020111.activedirectory.Corp.prov.ca Application /S"console" FOREVER D:\tc\ProcessEvent.btm

eventmonitor gives:
Application /S"console" (0/FOREVER) D:\tc\ProcessEvent.btm

Typed at the command line:
eventlog /Sconsole /i Test message from the console

Result to TCC based on the contents of ProcessEvent.btm given in previous message:

Computer: AC0103XX8020111
Description:
Log: Application
Source: console
Type: 4
Count: 1

Typed at command line a second time:
eventlog /Sconsole /i Test message from the console

Result to TCC:

Nothing!

Third, fourth and fifth times nothing as well.


AC0103XX8020111 is my desktop and not another computer. It seems to be hit and miss, could it be some to do with the network or active directory?

But one thing that is consistent is that _eventdesc is not being displayed.

I also assumed that if /S, /D and /T were left of the command line it meant use all sources, all descriptions and all types.

Actually after further testing only the first EVENTLOG statment seems to work.

After yet further testing, after an hour or more I sent another eventlog event and it worked and moved the count to 2, but all the other eventlog enters never go reported on. It I sent more eventlog events after the second processed event they are ignored again.

I tried it out on my home computer, and everything seems to work, so maybe it is something to do with Active Directory or something to do with a more secure network with all it's security policies. However, _eventdesc still is empty.

Craig
 
You must log in or register to reply here.
Top Bottom
Back