Monitoring Windows Event Logs for Warnings and Errors.

Learn how to monitor Windows Event Log to receive alerts and notifications when event with specified id appears.

Monitoring Windows Event Log entries by category

All Windows events are classified and grouped by category (for example Application, System, or Security); you can see these categories in Windows Event Viewer.

For this example, we will use the Security Log:

  1. Go to Monitoring > Monitoring Packs & Policies and create a New Monitoring Pack.
  2. Select the Alerting & Data Collection tab and use the Add Alert button.
  3. Choose the Windows category and double-click New Event for Received Windows Event Log Entry.
  4. In the Alerting Rule window, in the Windows Event Log file field, select Security.
  5. In the Expression field, select Event Type equal Error. Add a second condition, Event Type equal Warning, and change all to any in the condition clause so that the rule matches either type of entry.
  6. (Optional) Change the detection severity of the event if the default Warning does not fit your needs. This setting determines which Alert Escalation Script is used.
  7. Assign nodes to this Monitoring Pack and save the Monitoring Pack settings.

By default, when any Warning or Error event occurs on assigned Windows machines, NetCrunch will generate the alert (or status change) and write the notification to the NetCrunch View Event Log.

Defining how NetCrunch should react to occurring event

How NetCrunch reacts to detection can be customized by first creating or modifying an Alert Escalation Script and then assigning it to a particular Alert.

  1. Go to Monitoring > Alert Escalation Scripts and use the Add Alerting Script button.
  2. Set the script name (or leave the default one) and Add Action to Run Immediately.
  3. Choose the Notify user or group action.
  4. In the action parameters, choose the notification profile to send notifications to.
  5. Save the Alerting Script settings.
  6. Go to Monitoring > Monitoring Packs & Policies and choose the previously created monitoring pack.
  7. In the Alerting & Data Collection tab, right-click the alert, hover over Assign Predefined Alerting Script and choose the previously defined alerting script.
  8. Save the Monitoring Pack settings.

Alert Escalation Scripts can be unique and customized per alert, which allows NetCrunch to react differently to a broad range of detections.

Manage notification profile configuration using Tools > User & Access Rights Manager: select a user and add a notification profile. Provide the user's email address and choose the desired message format. You can also specify Time Restrictions that limit when NetCrunch can send notifications.

Monitoring Windows Event Logs for a single event

In this scenario, an alerting rule is created to detect a failed credential validation event (a failed user/password challenge). This rule is specified by Event ID rather than by category, and uses a threshold to eliminate needless alerts.

  1. Go to Monitoring > Monitoring Packs & Policies and create a New Monitoring Pack.
  2. Switch to the Alerting & Data Collection tab and use the Add Alert button.
  3. Select the Windows tab and double-click New Event for Received Windows Event Log Entry.
  4. In the Alerting Rule window, in the Windows Event Log file field, select Security.
  5. In the Expression field, select Event Identifier, choose equal, and type 4625.
  6. In the Trigger Alerting Actions On section, select Event happened more than and choose, e.g., 5 times in the last 2 minutes.
  7. (Optional) Change the severity of this event, too, e.g., to Critical.
  8. Assign nodes to this Monitoring Pack and save the Monitoring Pack settings.

You can also assign a unique alerting script with actions.
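To make the behaviour of the two rules above concrete (the category rule from the first section and the Event ID 4625 threshold rule from this one), here is an added Python example that models both as a small sliding-window rule engine run over constructed sample entries. It is not NetCrunch code and does not read a real event log; the field names (`log`, `event_type`, `event_id`, `ts`) are assumptions chosen for the example.

```python
"""Sliding-window alerting rules over Windows event-log entries (added example, not NetCrunch code).

Models the two rules described on this page:
  * category rule: any Security-log entry of type Error or Warning alerts immediately;
  * threshold rule: Event ID 4625 (failed logon) alerts only when it occurs more than
    5 times within the last 2 minutes.
Field names below are assumptions chosen for this example.
"""
from collections import deque
from dataclasses import dataclass, field


@dataclass(frozen=True)
class WinEvent:
    ts: float          # seconds (constructed sample values, not real timestamps)
    log: str           # "Security", "Application", "System"
    event_type: str    # "Error", "Warning", "Audit Failure", ...
    event_id: int


@dataclass
class CategoryRule:
    """Alert when an entry in `log` has any of the listed event types."""
    log: str
    types: frozenset
    severity: str = "Warning"

    def check(self, ev: WinEvent):
        if ev.log == self.log and ev.event_type in self.types:
            return f"{self.severity}: {ev.log} {ev.event_type} event {ev.event_id}"
        return None


@dataclass
class ThresholdRule:
    """Alert when `event_id` occurs more than `more_than` times within `window_s` seconds."""
    log: str
    event_id: int
    more_than: int
    window_s: float
    severity: str = "Critical"
    _hits: deque = field(default_factory=deque, init=False, repr=False)

    def check(self, ev: WinEvent):
        if ev.log != self.log or ev.event_id != self.event_id:
            return None
        self._hits.append(ev.ts)
        # Forget hits that fall outside the window measured back from the newest event.
        while self._hits and ev.ts - self._hits[0] > self.window_s:
            self._hits.popleft()
        if len(self._hits) > self.more_than:
            self._hits.clear()  # one alert per burst, then start counting again
            return (f"{self.severity}: event {self.event_id} happened more than "
                    f"{self.more_than} times in last {int(self.window_s)}s")
        return None


def run_rules(events, rules):
    """Feed events in time order to every rule; return (ts, message) for each alert raised."""
    alerts = []
    for ev in events:
        for rule in rules:
            msg = rule.check(ev)
            if msg:
                alerts.append((ev.ts, msg))
    return alerts


# Constructed sample entries: one Security Error, a burst of six 4625s within 45 s,
# an Application Error (wrong log for both rules), then 4625s too spread out to trip the threshold.
SAMPLE_EVENTS = [
    WinEvent(0, "Security", "Audit Success", 4624),
    WinEvent(5, "Security", "Error", 4673),
    WinEvent(10, "Security", "Audit Failure", 4625),
    WinEvent(20, "Security", "Audit Failure", 4625),
    WinEvent(30, "Security", "Audit Failure", 4625),
    WinEvent(40, "Security", "Audit Failure", 4625),
    WinEvent(50, "Security", "Audit Failure", 4625),
    WinEvent(55, "Security", "Audit Failure", 4625),
    WinEvent(100, "Application", "Error", 1000),
    WinEvent(130, "Security", "Audit Failure", 4625),
    WinEvent(140, "Security", "Audit Failure", 4625),
    WinEvent(270, "Security", "Audit Failure", 4625),
]


def make_rules():
    return [
        CategoryRule("Security", frozenset({"Error", "Warning"})),
        ThresholdRule("Security", 4625, more_than=5, window_s=120),
    ]


def demo():
    return run_rules(SAMPLE_EVENTS, make_rules())


if __name__ == "__main__":
    for ts, msg in demo():
        print(f"t={ts:>4}  {msg}")
```

Note that the 4625 entries carry the type Audit Failure rather than Error or Warning, so the category rule never fires on them; that is why the second section matches on Event ID instead. The fifth 4625 in the burst raises nothing, the sixth does, and the later entries at t=130, 140 and 270 never have more than five hits inside any 120-second window.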
