|
<< Click to Display Table of Contents >> Navigation: ELM Console (MMC) > Monitoring and Management > Agents and Monitors Library > All Monitors > Event File Collector |
Event File Collector Monitor Items collect Event Log Files (.EVT and .EVTX) from the Agents being monitored.
The Event File Collector operates at a scheduled interval (the default is every 24 hours). At each interval, the Event File Collector will attempt to talk with the Log service, select the appropriate log files and then copy the specified Event Log Files from the assigned Agents to a defined storage location. The files will be stored by default under the ELM Enterprise Manager installation folder in a sub-directory named EVT Files. This location can be modified on the Behavior tab of the Event File Collector properties.
Displays the Available Logs the Collector is configured to copy and store. By default, the list of Selected Logs contains an asterisk, so the Monitor will collect all log files possible. Specific logs can replace the asterisk to collect a subset of log files. Use the check boxes to select the logs you want collected.
To list logs from another system, click the Choose log source button and type the name of the server to retrieve the log list.
All events may be cleared from the selected logs after collection by checking the box labeled Clear Logs after collection.
Note
When clearing the event logs, if an Agent is also running any Event Collectors or Event Monitors, then the Event File Collector passes any un-read events to them for processing. This may result in events being collected outside of the configured Event Collector or Event Monitors Scheduled Interval.
On Windows 2008, Windows 7, and Vista systems, only logs under the registry key
HKLM\SYSTEM\CurrentControlSet\Services\Eventlog
can be collected.
Windows 2008, Windows 7, and Vista event logs can be collected, but if they are stored on an older Windows system, they cannot be read by the older Windows Event Viewer.
This tab configures where an how to store collected log files.
•The Destination Folder controls where to save collected Log files. This can be any existing folder local to the ELM Server.
•The setting Minimum Free Space Allowed For Evt File Storage protects free space on the drive hosting the Destination Folder. If the free space on the drive drops below this value, then the ELM Server will stop saving .evt files it receives from an Agent. When this happens, ELM will generate the error event 5595, with a message indicating it's unable to store the event file.
•Log Files may be compressed for storage by checking the Compress Evt Files checkbox.
A cryptographic hash may be created for collected log files to help verify the log file remains unchanged. Note that both the collected log file and the hash file should be secured from tampering.
•Check the box labeled Create MD5 Hash File.
ELM includes a tool to help verify hashed files. It is called ELM Event File Verifier, and it can be found in Windows Start Menu > All Programs > ELM Enterprise Manager, or in ELM Dashboard > Menu > Tools. Click to launch the tool.
There are two options:
•Enter a log file name in the File field to select a collected event log. You can also click the ellipsis button to browse to a file. Uncompress will unpack compressed .gz files.
•Enter an md5 file name in the .Md5 File field to select a companion hash file. You can also click the ellipsis button to browse to the file. Click the Verify button to test the file.
The hash value for a collected file can also be calculated with the Microsoft File Checksum Integrity Verifier tool. Please see Microsoft Knowledge Base article 841290 for more details.
•Copy File Error (Error) 5576 - The selected Event Log file has NOT been successfully copied.
•Copy File Success (Informational) 5575 - The selected Event Log file has been successfully copied.
•Store File Error (Error) 5578 - The selected Event Log file has NOT been successfully stored.
•Store File Success (Informational) 5577 - The selected Event Log file has been successfully stored.
Additionally, the Event File Collector may create one or more of the following events:
•Agent Save File Error (Error) 5316 - The ELM Agent's install directory does not have enough free space. No event log files will be collected until this much space is available.
•Store File Warning (Warning) 5594 - A cryptographic hash of the selected Event Log file has NOT been successfully created.
•Store File Error (Error) 5595 - The selected Event Log file has NOT been successfully stored because of low disk space.
Displays the Monitoring Categories to which the Monitor item is assigned. Click to select or deselect Monitoring Categories. Click New to create or Properties to Edit Monitoring Categories.
Displays the Agents to which the Monitor item is assigned. Click to select or deselect individual agents. Click New to deploy an agent or Properties to View/Edit an existing agent.
Displays the Scheduled Interval and Scheduled Hours settings which control the frequency for the Monitor Item.
Specify the interval at which the monitoring, polling or action is to occur. Depending on the Monitor Item type, Items can be scheduled in interval increments of Seconds, Minutes, Hours and Days. The Scheduled Interval is relative to the top of the hour or top of the minute. For example, if a Scheduled Interval is configured for 10 minutes, the Monitor Item will execute at hh:10:00, hh:20:00, hh:30:00, hh:40:00, hh:50:00, h1:00:00, etc. If a Scheduled Interval is configured for 15 seconds, the Monitor Item will execute at hh:00:15, hh:00:30, hh:00:45, hh:01:00, hh:01:15, etc.
Select the days and/or hours this item is active. By default, the schedule is set to ON for all hours and all days. Mouse clicks toggle squares between ON and OFF. Clicking on an individual square will toggle the active schedule for that hour. Clicking on an hour at the top of the grid, or on a day of the week at the left of the grid will toggle the corresponding column or row. Keyboard equivalents are the arrow keys and the space bar.