Event Log Check

The Event Logs contain detailed system status data that is written to the logs by applications and Windows components.

The Event Log Check monitors the Event Logs, and you can configure it to query a specific Event Log based on Event ID, Event Type, Event Source and Description. The Event Log Check generates alerts where the specified information is, or is not, discovered in an Event Log entry.

The recorded date and time for a discovered Event is based on the local time of the device and not your N-sight RMM timezone.

You can add, edit, or delete multiple Event Log Checks on the same device for 24x7 and Daily Safety Checks.

For Application and Security Event Logs, the Event Log Check only retrieves information from the root level. It does not query sub-level logs.

You can view details of the Check result output in the More Information section of the Checks tab along with links to the following resources for further information on the Event: EventID.net, Google, Bing, Microsoft or Yahoo

Add an Event Log Check

  1. On the All Devices view North-pane, select the device
  2. Go to the Checks tab and click Add Check
  3. Choose Add DSC Check > Event Log Check
  4. Configure settings (covered below)
  5. To run an Automated Task when the Check fails choose Assign a Task after creating the Check
  6. OK to save and apply
  7. Where Assign a Task after creating the Check is selected:
    1. Select the script
    2. Click Next to configure
  8. Enter the Command Line parameters (if required)
  9. Set a Script timeout in the range 1 - 3600 seconds (default 120 seconds)
  10. Click Finish to save and apply

Event Log Check configuration settings

Setting Description
Descriptive Name Enter a meaningful name to identify the check on the All Devices view and in Alerts and Reports.
Event Log to query Select the target Event Log from the drop-down menu.

The Agent automatically detects the installed Event Logs and uploads them to the All Devices view.

Alert when Select when an alert is generated.

Choose to Alert when the Log contains the information in the check or the Log does not contain the information in the check.

Event ID(s) The Event identification number. Event ID numbers may be Event specific or associated with multiple Events. For multiple Event IDs, separate each Event ID by a comma.

Supports wildcards (*) to search for any entries in these fields.

Event Type Select one or more of the following Event Types to indicate the Event Log entry severity:
  • Information: Describes the successful operation of an application, driver, or service
  • Error: Indicates a significant problem such as loss of data or loss of functionality
  • Warning: Indicates the event is not necessarily significant, but it may indicate a possible future problem
  • Success Audit: Records a successful audited security access attempt
  • Failure Audit: Records an unsuccessful audited security access attempt
  • Success/None: Indicates the completion status (custom Event Type)
Event Source The application or Windows component that generated the Event

Supports wildcards (*) to search for any entries in these fields.

Message contains string Configure the Check to search for specific text within the Event description to monitor its state

Supports wildcards (*) to search for any entries in these fields. For example, drive * failed.

Apply Critical Events Exclusion List Tick this box to ignore Events already on the Critical Event Exclusion list
Exclude Events from Check You can create an exclusion list for the specific Event Log Check .

Click Exclude Events from Check, click Add, and enter the Event Source and Event ID to ignore.

You can also manage the Exclusion List. Highlight the target Event Source, and then select Edit or Delete.

Edit an Event Log Check

  1. On the All Devices view North-pane, select the device
  2. Go to the Checks tab
  3. Select the target Event Log Check
  4. From the Check drop-down
  5. Click Edit Check (also available from the Check's right-click menu)
  6. Configure the settings
  7. Click OK to save and apply

Delete an Event Log Check

  1. On the All Devices view North-pane, select the device
  2. Go to the Checks tab
  3. Select the target Event Log Check
  4. From the Check drop-down
  5. Click Delete Check (also available from the Check's right-click menu)
  6. Enter the password you used to sign into N-sight RMM to confirm removal
  7. Click OK to delete