Event Log Notifications


8 replies to this topic

#1 fraew

fraew

    Newbie

  • Members
  • Pip
  • 8 posts

Posted 13 December 2010 - 05:49 PM

Firstly, thanks for this brilliant product Zak - I must have reviewed 50 similar-focus applications before I came across TNM.

What I'm interested in is a way to present information from event logs - currently I have a monitor in place to notify me of any new error level system or application logs, or 3 or more failure audits. However the information sent via email is a little pointless. Is there any way to send the content of the event log? Do you plan on expanding this kind of functionality in future releases / allow for more advanced log filtering, grouping or even suppression?

#2 Zak

Zak

    Administrator

  • Root Admin
  • PipPipPip
  • 747 posts
  • Gender:Male

Posted 14 December 2010 - 06:19 AM

You're right, currently notifications are generic, that is, not specific to a particular probe type. So now it's not possible to send the content of the event log, or the actual value of the registry key that triggered the registry probe, etc. We plan to continue working on TNM and make improvements, but currently the term is undefined.
Softinventive Lab support

#3 fraew


Posted 15 December 2010 - 01:11 AM

You're right, currently notifications are generic, that is, not specific to a particular probe type. So now it's not possible to send the content of the event log, or the actual value of the registry key that triggered the registry probe, etc. We plan to continue working on TNM and make improvements, but currently the term is undefined.

I've been toying with a couple of scripts to replace the action, using the SysInternals application PSLogList to output a day's worth of Event logs to text output, then a vbscript to email the resulting txt file to my monitor email. Just got to get the vbscript right at the moment but I'm pretty confident I can produce the desired result.

#4 fraew


Posted 15 December 2010 - 01:04 PM

So I created a BAT file that gets called as an application action if there are any new security alerts in the last hour:

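db02-security.bat
rem psloglist: -d 1 = last day, -f f = failure audits only, -c = clear the event log after displaying it
del c:\logs\db02-security.txt
C:\PSTools\psloglist.exe -d 1 -f f -c security > c:\logs\db02-security.txt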

I then call a vbscript action which sends an email from my local SMTP server, uses authentication, and attaches the new security log as an attachment:

SMTP email with authentication / attachment
function Main
Const cdoSendUsingPickup = 1
Const cdoSendUsingPort = 2

Const cdoBasic = 1 

Set objMessage = CreateObject("CDO.Message") 
objMessage.Subject = "Security Log DB02" 
objMessage.From = """Monitor"" <monitor@myemail.com>" 
objMessage.To = "me@myemail.com" 
objMessage.TextBody = "New Security Event Log from " &_
"DB02 (see attachment)"


objMessage.Configuration.Fields.Item _ 
("http://schemas.microsoft.com/cdo/configuration/" &_ 
"sendusing") = 2 
objMessage.Configuration.Fields.Item _ 
("http://schemas.microsoft.com/cdo/configuration/" &_ 
"smtpserver") = "SMTPSERVER-IPADDRESS"
objMessage.Configuration.Fields.Item _ 
("http://schemas.microsoft.com/cdo/configuration/" &_ 
"smtpauthenticate") = cdoBasic
objMessage.Configuration.Fields.Item _ 
("http://schemas.microsoft.com/cdo/configuration/" &_ 
"sendusername") = "SMTPUSERNAME"
objMessage.Configuration.Fields.Item _ 
("http://schemas.microsoft.com/cdo/configuration/" &_ 
"sendpassword") = "SMTPPASSWORD"
objMessage.Configuration.Fields.Item _ 
("http://schemas.microsoft.com/cdo/configuration/" &_ 
"smtpserverport") = 25 
objMessage.Configuration.Fields.Item _ 
("http://schemas.microsoft.com/cdo/configuration/" &_ 
"smtpusessl") = False
objMessage.Configuration.Fields.Item _ 
("http://schemas.microsoft.com/cdo/configuration/" &_ 
"smtpconnectiontimeout") = 60
objMessage.Configuration.Fields.Update


objMessage.AddAttachment "c:\logs\db02-security.txt"


objMessage.Send
end function


#5 Zak


Posted 16 December 2010 - 03:14 AM

Seems like a good solution. Anyway, as the program allows running external applications, batch files and scripts, it can be customized to many different needs.
Softinventive Lab support

#6 fraew


Posted 06 January 2011 - 12:47 PM

This works most of the time, but I've encountered an issue with my system logs, and I think other event logs, when I have consecutive failed polls. Below is a screen grab of an error that pops up, I believe due to the vbscript:

Posted Image

Is this a TNM issue, or something wrong with my vbscript? My assumption is that PSLogList is still writing to the log file before TNM (and my vbscript) attempts to email the file. Does the 2nd step in an action wait for the first to complete? If not by default, is there a way to make it wait?

#7 fraew


Posted 06 January 2011 - 01:15 PM

OK, so it seems like psloglist is getting stuck somewhere along the line (the actual log file is in use and psloglist.exe is a still-running task process). I've updated the batch to clear the log file and reduce the check to the last 10 mins; hopefully that'll resolve the problem.

#8 Zak


Posted 10 January 2011 - 02:39 AM

The actions are executed all at once. In the future versions I think it will be necessary to add a possibility to execute them one by one, but currently there is no way to do that (except placing everything you need to do into one batch file).
Softinventive Lab support

#9 fraew


Posted 11 January 2011 - 12:04 PM

Revised, all-in-one function. Works a treat!

function Main

Set objMessage = CreateObject("CDO.Message") 

objMessage.Subject = "DB01 New System Log" 
objMessage.From = "Monitor@myemail.com" 
objMessage.To = "me@myemail.com" 

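dim WshShell, oExec
Set WshShell = CreateObject("WScript.Shell")
' psloglist: -m 10 = last 10 minutes, -f e = errors only, -c = clear the event log after displaying it
Set oExec = WshShell.Exec("C:\PSTools\psloglist.exe " &_
"-m 10 -f e -c system")

' ReadAll blocks until psloglist closes its output, so the body is complete before the mail is sent
objMessage.TextBody = oExec.StdOut.ReadAll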


Const cdoSendUsingPickup = 1
Const cdoSendUsingPort = 2
Const cdoBasic = 1 

objMessage.Configuration.Fields.Item _ 
("http://schemas.microsoft.com/cdo/configuration/" &_ 
"sendusing") = 2 
objMessage.Configuration.Fields.Item _ 
("http://schemas.microsoft.com/cdo/configuration/" &_ 
"smtpserver") = "SMTPSERVER-IPADDRESS"
objMessage.Configuration.Fields.Item _ 
("http://schemas.microsoft.com/cdo/configuration/" &_ 
"smtpauthenticate") = cdoBasic
objMessage.Configuration.Fields.Item _ 
("http://schemas.microsoft.com/cdo/configuration/" &_ 
"sendusername") = "SMTPUSERNAME"
objMessage.Configuration.Fields.Item _ 
("http://schemas.microsoft.com/cdo/configuration/" &_ 
"sendpassword") = "SMTPPASSWORD"
objMessage.Configuration.Fields.Item _ 
("http://schemas.microsoft.com/cdo/configuration/" &_ 
"smtpserverport") = 25 
objMessage.Configuration.Fields.Item _ 
("http://schemas.microsoft.com/cdo/configuration/" &_ 
"smtpusessl") = False
objMessage.Configuration.Fields.Item _ 
("http://schemas.microsoft.com/cdo/configuration/" &_ 
"smtpconnectiontimeout") = 60
objMessage.Configuration.Fields.Update

objMessage.Send

end function
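
An added example, not part of the original posts or of TNM: the same collect-then-send sequence as one PowerShell script (callable as an external application action) that waits for psloglist.exe with a timeout, so the mail step cannot start while the output file is still being written. The timeout, port 587, the file paths and the credential file are assumptions; the -c switch is omitted because PsLogList uses it to clear the event log after displaying it.

```powershell
# Added example. Paths, timeout, port and the credential file are assumptions.
$psloglist = 'C:\PSTools\psloglist.exe'
$outFile   = 'C:\logs\db01-system.txt'
$credFile  = 'C:\logs\smtp-cred.xml'   # hypothetical file, see the note below
$timeoutMs = 60000

# Step 1: dump the log. -m 10 = last 10 minutes, -f e = errors only.
# -accepteula suppresses the first-run licence dialog, which would otherwise
# block a non-interactive run. -c is left out so the System log is not cleared.
$proc = Start-Process -FilePath $psloglist `
    -ArgumentList '-accepteula', '-m', '10', '-f', 'e', 'system' `
    -RedirectStandardOutput $outFile -NoNewWindow -PassThru

# Step 2: wait for psloglist to exit, but not forever.
$finished = $proc.WaitForExit($timeoutMs)
if (-not $finished) {
    $proc.Kill()          # stuck process: end it so it releases $outFile
    $proc.WaitForExit()
}

# Step 3: send only after step 1 has ended one way or the other.
$mail = @{
    From       = 'monitor@myemail.com'
    To         = 'me@myemail.com'
    Subject    = 'DB01 New System Log'
    SmtpServer = 'SMTPSERVER-IPADDRESS'
    Port       = 587
    UseSsl     = $true    # STARTTLS, so the SMTP login is not sent in clear text
    Credential = Import-Clixml -Path $credFile
}
if ($finished) {
    $mail.Body        = 'New System errors from DB01 (see attachment)'
    $mail.Attachments = $outFile
} else {
    $mail.Body = "psloglist.exe did not exit within $($timeoutMs / 1000) s and was terminated."
}
Send-MailMessage @mail
```

The credential file is created once with `Get-Credential | Export-Clixml C:\logs\smtp-cred.xml` under the account that runs the script. On Windows the stored password is protected with DPAPI, so only that account on that machine can read it back.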




