Purpose: Monitor event logs

 

Format: EVENTMONITOR [/C [name]]

EVENTMONITOR [/=] server name /S"source" /T"type" /D"description" n command

 

server     UNC name of the machine with the log file
name       Log name
n          Number of repetitions (or FOREVER)
command    Command to execute when condition is triggered

 

/C(lear)            /S"source"
/D"description"     /T"type"

 

Usage:

 

If you don't enter any arguments, EVENTMONITOR will display the events it is currently monitoring.

 

The command line will be parsed and expanded before EVENTMONITOR is executed, so if you want to pass redirection characters or variables to command you will need to protect them (by enclosing in single back quotes, doubling the %'s, or using command grouping).

 

If the last argument on the line is a single (, it is interpreted as the beginning of a command group. EVENTMONITOR will append the following lines (in a batch file) or prompt you for more input (at the command line) until it gets a closing ).

 

You can specify multiple /D, /S, and /T arguments. If you want to monitor multiple events in a log, put them into a single EVENTMONITOR command. EVENTMONITOR creates a separate thread for each EVENTMONITOR command, so if you have multiple commands you will be wasting CPU time and RAM, and you risk having command executed simultaneously in different threads.

 

The monitoring runs asynchronously in a separate thread. When the condition is triggered, the command will be executed immediately. This may cause problems if you try to write to the display or access files while the main TCC thread is also performing I/O. You may need to use START or DETACH in command to avoid conflicts.

 

EVENTMONITOR creates environment variables when an event is triggered that can be queried by command. The variables are deleted after command is executed.

 

_eventcomputer    The name of the computer that generated the event

_eventcount       The number of times the condition has been triggered

_eventdesc        The event description

_eventlog         The name of the event log

_eventsource      The name of the source that wrote the event

_eventtype        The event type (see /T below)

 

Options:

 

/=    Display the EVENTMONITOR command dialog to help you set the command line options. The /= option can be anywhere on the line; additional options will set the appropriate fields in the command dialog.

/C    If name is specified, remove the monitor for that event. Otherwise, remove all event monitors.

/D    Description for the event to be monitored. Only events with a matching description will set the trigger. The description may contain regular expressions.

/S    Source for the event to be monitored. Only events with a matching source will set the trigger. The source may contain regular expressions.

/T    Type of event to be monitored. Only events with a matching type will set the trigger. The types of events are:

 

Success

Error

Warning

Information

Audit_Success

Audit_Failure
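
An added usage example for a batch file (not part of the original help text): it logs audit failures from the Security log, using a command group so that the redirection and the event variables are protected when the EVENTMONITOR line is parsed. The server name \\SRV01 and the log file path are constructed placeholders.

```batch
rem Added example; \\SRV01 and C:\Logs\audit_failure.log are constructed placeholders.
rem The trailing ( opens a command group, which protects >> and the
rem %_event... variables while the EVENTMONITOR line itself is parsed.
EVENTMONITOR \\SRV01 Security /T"Audit_Failure" FOREVER (
    echo %_date %_time count=%_eventcount %_eventtype %_eventcomputer %_eventsource >> C:\Logs\audit_failure.log
)

rem With no arguments, display the events currently being monitored.
EVENTMONITOR

rem Remove the monitor for the Security log when it is no longer needed.
EVENTMONITOR /C Security
```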