Event Monitor


Event Monitor looks at the event logs for a specified event, or lack of that event, within a given time period in order to trigger one or more actions.

When a new event occurs, it is checked against the Filters assigned to the Event Monitor. If it matches at least one Include Filter and no Exclude Filters, the configured Action is triggered. If the event does not match an Include Filter, or matches an Exclude Filter, the event is skipped. This is true for both Service Agents and Virtual Agents.


When using Event Monitors, there are two important issues:

1. On very busy systems that generate many event log records, the Event Monitor may not be able to keep up in real-time. There is a finite amount of data that can be collected and stored in a single monitor item interval. This means that there can be some lag time between when an event is logged to the event log and when it is received by the ELM Server. When collecting events, the Event Monitor bookmarks the last record read so that it knows where to start reading at its next Scheduled Interval.

On very busy systems, especially domain controllers with high levels of auditing enabled, it is possible for the Event Monitor bookmark to roll off the event log before the records can be collected. If this happens, the bookmark is automatically reset at the most recent event. Any events that occurred between the old bookmark that rolled off the log and the new bookmark will not be collected.

To prevent this from happening, we recommend setting the size of your event logs to a large enough value so that they hold at least 24 hours of event data. A large event log size should prevent the loss of a bookmark and allow the Event Monitor to monitor all events.

2. When using multiple Event Monitors or Event Collectors on the same Agent, any one of these Monitor Items can request that event logs be read. The request is initiated only if Scheduled Hours are "on" and a Scheduled Interval has passed for the individual Monitor Item. Any request will cause the event logs to be read starting from the saved bookmarks, passing new events to all Event Monitors and Event Collectors for the Agent, and then updating the bookmarks. Event Collectors check only their Event Criteria before deciding to process a new event; they do not check their Scheduled Hours. Event Monitors check both their Event Criteria and their Scheduled Hours before deciding to process a new event.
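One way to check the 24-hour sizing recommendation from item 1 on a monitored Windows system, as an added example that is not part of the ELM product or its documentation. It uses the built-in `Get-WinEvent` cmdlet; the function name, the 1.5 headroom factor and the 95% fullness heuristic are assumptions, and reading the Security log requires an elevated session.

```powershell
# Added example: estimate how many hours of events each log currently retains.
function Test-EventLogRetention {
    param(
        [string[]]$LogName = @('Security', 'System', 'Application'),
        [int]$TargetHours = 24,      # retention target recommended on this page
        [double]$Headroom = 1.5      # assumed safety factor for bursts of events
    )
    foreach ($name in $LogName) {
        $log = Get-WinEvent -ListLog $name -ErrorAction Stop
        # The oldest record still in the log is the furthest back a bookmark can survive.
        $oldest = Get-WinEvent -LogName $name -Oldest -MaxEvents 1 -ErrorAction SilentlyContinue

        $hoursHeld = $null
        $suggestedMB = $null
        $status = 'No events readable'
        if ($oldest -and $log.FileSize) {
            # Floor at 0.01 h so a just-cleared log does not divide by zero.
            $hoursHeld = [math]::Max(((Get-Date) - $oldest.TimeCreated).TotalHours, 0.01)
            # Rough sizing: current bytes per hour scaled to the target window.
            $suggestedMB = [math]::Ceiling($log.FileSize / $hoursHeld * $TargetHours * $Headroom / 1MB)
            # Heuristic: a file near its maximum size has started overwriting old records.
            $wrapped = $log.FileSize -ge (0.95 * $log.MaximumSizeInBytes)
            if ($hoursHeld -ge $TargetHours) {
                $status = 'OK'
            } elseif ($wrapped) {
                $status = 'Too small: holds less than target'
            } else {
                $status = 'Not full yet: compare SuggestedMB with MaxMB'
            }
        }
        [pscustomobject]@{
            LogName     = $name
            LogMode     = $log.LogMode
            MaxMB       = [math]::Round($log.MaximumSizeInBytes / 1MB, 1)
            HoursHeld   = if ($hoursHeld) { [math]::Round($hoursHeld, 1) } else { $null }
            SuggestedMB = $suggestedMB
            Status      = $status
        }
    }
}

Test-EventLogRetention | Format-Table -AutoSize
```

Run it during peak activity: a log reported as "Too small" is one where a bookmark older than HoursHeld would already have rolled off.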

Note: If ELM is running on Windows Server 2003 or Windows XP and has deployed a Virtual Agent to a computer running Windows Vista or later, the Event Collector cannot be assigned to that agent. The ELM Console disallows the assignment because Windows Server 2003 and Windows XP do not support the event logs of Windows Vista and newer versions.

Actions

Events not found (Warning) 5307 - An event matching the Event Filter Criteria was not found within the Scheduled time period.

Events found (Informational) 5306 - An event matching the Event Filter Criteria was found within the Scheduled time period.

Monitoring Category

Displays the Monitoring Categories to which the Monitor item is assigned. Click to select or deselect Monitoring Categories. Click New to create or Properties to Edit Monitoring Categories.

Agents

Displays the Agents to which the Monitor item is assigned. Click to select or deselect individual agents. Click New to deploy an agent or Properties to View/Edit an existing agent.

Schedule

Displays the Scheduled Interval and Scheduled Hours settings which control the frequency for the Monitor Item.

Scheduled Interval tab

Specify the interval at which the monitoring, polling or action is to occur. Depending on the Monitor Item type, Items can be scheduled in interval increments of Seconds, Minutes, Hours and Days. The Scheduled Interval is relative to the top of the hour or top of the minute. For example, if a Scheduled Interval is configured for 10 minutes, the Monitor Item will execute at hh:10:00, hh:20:00, hh:30:00, hh:40:00, hh:50:00, h1:00:00, etc. If a Scheduled Interval is configured for 15 seconds, the Monitor Item will execute at hh:00:15, hh:00:30, hh:00:45, hh:01:00, hh:01:15, etc.

Scheduled Hours tab

Select the days and/or hours this item is active. By default, the schedule is set to ON for all hours and all days. Mouse clicks toggle squares between ON and OFF. Clicking on an individual square will toggle the active schedule for that hour. Clicking on an hour at the top of the grid, or on a day of the week at the left of the grid will toggle the corresponding column or row. Keyboard equivalents are the arrow keys and the space bar.