In the Configure SNMP and WMI for Windows section of Chapter 2, Discovering Devices we discussed setting up Windows Management Instrumentation (WMI). If WMI is not yet installed, take a few moments to review the instructions in Chapter 2,
Unlike syslog, which logs messages directly to a remote host, Zenoss Core has to connect to the Windows server to pull entries from the Event Log—at least that's the default behavior we will explore in this section. There are third-party applications that forward Windows event logs to remote syslog servers such as Zenoss Core. This allows zensyslog to process the messages, and you could use event mappings to make sure the events from the Windows server get associated with an appropriate event class.
If you have a Windows server available, open it in Zenoss Core so we can configure Event Log monitoring:
Next, we need to configure the appropriate device zProperties (Configuration Properties) to connect to the Windows machine and monitor the event logs. From the device's overview page, select Configuration Properties and enter the following configuration:
- Windows user (zWinUser): DOMAIN\user for a domain account, or .\user for a local account on that machine
By default, Zenoss Core collects the Windows events with a minimum severity of warning. We can change that by specifying a value in zWinEventlogMinSeverity. The following table shows the available event log severities:
| Event Log Severity | Description |
|---|---|
| 1 | Error |
| 2 | Warning |
| 4 | Informational |
| 8 | Security Audit Success |
| 16 | Security Audit Failure |
Windows provides a tool called eventcreate.exe that we can use to generate system events and test our Event Log setup. To test, run the following commands from a Windows device where Zenoss Core is monitoring the Event Log:

```cmd
eventcreate /t error /l system /id 500 /d "test message"
eventcreate /t error /id 501 /d "another test message"
eventcreate /?
```
Let's look at the command syntax. We use the /t option to specify the severity, /l to specify either the Application or the System log, /id to set the event ID, and /d to include a message. The first command creates a System error message with an ID of 500, while the second command creates an Application error message with an ID of 501. The third command displays the eventcreate.exe help page.
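The following example is added here to show how the zWinEventlogMinSeverity threshold from the severity table interacts with the test events created by eventcreate.exe; it is not code from the book or from Zenoss Core. It assumes that Zenoss applies the property as an `EventType <= zWinEventlogMinSeverity` comparison in its WMI notification query (the `wql_filter` function and the `NTLogEvent` record are modelled here for illustration), and every event in `SAMPLE_EVENTS` is constructed sample data rather than a real log capture.

```python
# Added example, not from the book or from Zenoss Core.
# Models which Windows Event Log entries a collector forwards for a given
# zWinEventlogMinSeverity value, assuming the threshold is applied as
# "EventType <= zWinEventlogMinSeverity" (an assumption about the collector).

from dataclasses import dataclass

# Win32_NTLogEvent.EventType values, as listed in the severity table.
EVENT_TYPE_NAMES = {
    1: "Error",
    2: "Warning",
    4: "Informational",
    8: "Security Audit Success",
    16: "Security Audit Failure",
}

# eventcreate.exe /t keywords and the numeric EventType each one writes.
EVENTCREATE_TYPES = {
    "error": 1,
    "warning": 2,
    "information": 4,
    "successaudit": 8,
    "failureaudit": 16,
}


@dataclass
class NTLogEvent:
    """Minimal stand-in for a Win32_NTLogEvent record (hypothetical shape)."""
    logfile: str
    event_type: int
    event_code: int
    message: str


def wql_filter(min_severity: int) -> str:
    """Build the WMI notification query the collector is assumed to issue."""
    if min_severity not in EVENT_TYPE_NAMES:
        raise ValueError(f"unknown EventType threshold: {min_severity}")
    return ('SELECT * FROM __InstanceCreationEvent WHERE TargetInstance ISA '
            f'"Win32_NTLogEvent" AND TargetInstance.EventType <= {min_severity}')


def eventcreate_event(log: str, type_keyword: str, event_id: int, msg: str) -> NTLogEvent:
    """Model the entry written by: eventcreate /l LOG /t TYPE /id ID /d MSG."""
    return NTLogEvent(log.capitalize(), EVENTCREATE_TYPES[type_keyword.lower()], event_id, msg)


def collected(events, min_severity: int):
    """Return the events a collector with this threshold would forward."""
    if min_severity not in EVENT_TYPE_NAMES:
        raise ValueError(f"unknown EventType threshold: {min_severity}")
    return [e for e in events if e.event_type <= min_severity]


def coverage(min_severity: int):
    """List the severity names a threshold includes, for a quick sanity check."""
    return [name for value, name in EVENT_TYPE_NAMES.items() if value <= min_severity]


# Constructed sample data: the two test events from the chapter plus one
# entry of each remaining EventType, so every row of the table is exercised.
SAMPLE_EVENTS = [
    eventcreate_event("system", "error", 500, "test message"),
    eventcreate_event("application", "error", 501, "another test message"),
    NTLogEvent("Application", 2, 1000, "constructed: warning entry"),
    NTLogEvent("System", 4, 7036, "constructed: informational entry"),
    NTLogEvent("Security", 8, 4624, "constructed: audit success entry"),
    NTLogEvent("Security", 16, 4625, "constructed: audit failure entry"),
]


if __name__ == "__main__":
    for threshold in (1, 2, 16):
        print(f"zWinEventlogMinSeverity={threshold}: {coverage(threshold)}")
        for e in collected(SAMPLE_EVENTS, threshold):
            print(f"  {e.logfile:<12} type={e.event_type:<2} id={e.event_code} {e.message}")
```

With the default of 2 (warning), both eventcreate test events are forwarded, but because the numeric values are not ordered by importance, audit successes (8) and audit failures (16) never are. A deployment that wants failed logons from the Security log has to set zWinEventlogMinSeverity to 16, which also pulls in every informational and audit-success entry, so expect to pair that setting with event mappings or transforms to keep the noise manageable.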