Monitoring Windows event logs

In the Configure SNMP and WMI for Windows section of Chapter 2, Discovering Devices we discussed setting up Windows Management Instrumentation (WMI). If WMI is not yet installed, take a few moments to review the instructions in Chapter 2,

Unlike syslog, which logs messages directly to a remote host, Zenoss Core has to connect to the Windows server to pull entries from the Event Log—at least that's the default behavior we will explore in this section. There are third-party applications that will forward Windows event logs to remote syslog servers such as Zenoss Core. This allows zensyslog to process the messages, and you could use event mappings to make sure the events from the Windows server get associated with an appropriate event class.

If you have a Windows server available, open it in Zenoss Core so we can configure Event Log monitoring:

  1. From the devices page, select Add WinService from the Add Component menu.
  2. In the Add WinService dialog box, enter Eventlog:
  3. Click Submit to add the service to the device. You will also notice that a new group of Components, called Windows Services, has been added to the device.
  4. When you add the service it will inherit the service class' default monitoring value. So we need to ensure monitoring is enabled. Click on Windows Services from the device's Components. Then click on the Eventlog service to display its configuration.
  5. Under the heading Enable Monitoring, select Yes from the Set Local Value drop-down list.
  6. Click on Save.

Next, we need to configure the appropriate device zProperties (Configuration Properties) to connect to the Windows machine and monitor the event logs. From the device's overview page, select Configuration Properties and enter the following configuration:

  1. Set zWinEventlog to True.
  2. Set zWinPassword to the password of the zWinUser.
  3. Set zWinUser to a user who has administrative access to the Windows server.
  4. For a domain user, specify DOMAIN\user.
  5. For a local user, specify user.
  6. Set zWmiMonitorIgnore to False.

Windows event log severities

By default, Zenoss Core collects the Windows events with a minimum severity of warning. But we can change that by specifying a value in zWinEventlogMinSeverity. The following table shows the available event log severities:

Event Log Severity   Description
------------------   ----------------------
1                    Error
2                    Warning
4                    Informational
8                    Security Audit Success
16                   Security Audit Failure

Testing the event log configuration with Eventcreate

Windows provides a tool called eventcreate.exe that we can use to generate system events and test our Event Log setup. To test, run the following commands from a Windows device where Zenoss Core is monitoring the Event Log:

eventcreate /t error /l system /id 500 /d "test message"
eventcreate /t error /id 501 /d "another test message"
eventcreate /?

Let's look at the command syntax. We use the /t option to specify the severity, /l to specify the log to write to (application or system), /id to set an event ID, and /d to include a message. The first command creates a system error message with an ID of 500, while the second command, which omits /l, creates an application error message with an ID of 501. The third command displays the eventcreate.exe help page.
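To turn the eventcreate test into a repeatable check, here is an added PowerShell harness (not from the book) that writes one test event per log and severity and then reads each one back with Get-WinEvent, so a missing event in Zenoss Core can be traced to the collector rather than to the source. It assumes an elevated prompt on the monitored Windows server and eventcreate's default source name, EventCreate.

```powershell
# Added example, not from the book: generate a matrix of test events with
# eventcreate.exe and confirm each one landed in the local Event Log.
# Assumes an elevated PowerShell prompt (the System log needs admin rights)
# and that eventcreate's default source name "EventCreate" is in use.

$tests = @(
    @{ Log = 'System';      Type = 'ERROR';       Id = 500; Msg = 'zenoss test: system error' },
    @{ Log = 'Application'; Type = 'ERROR';       Id = 501; Msg = 'zenoss test: application error' },
    @{ Log = 'System';      Type = 'WARNING';     Id = 502; Msg = 'zenoss test: system warning' },
    @{ Log = 'Application'; Type = 'INFORMATION'; Id = 503; Msg = 'zenoss test: application information' }
)

$start = Get-Date

foreach ($t in $tests) {
    # eventcreate.exe /t <type> /l <log> /id <1-1000> /d <description>
    & eventcreate.exe /t $t.Type /l $t.Log /id $t.Id /d $t.Msg | Out-Null
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "eventcreate failed for $($t.Log) id $($t.Id) (exit code $LASTEXITCODE)"
    }
}

# Read back what the EventCreate source wrote since $start and report per test.
foreach ($t in $tests) {
    $found = Get-WinEvent -FilterHashtable @{
        LogName      = $t.Log
        ProviderName = 'EventCreate'
        Id           = $t.Id
        StartTime    = $start
    } -ErrorAction SilentlyContinue

    if ($found) {
        "{0,-12} id {1} {2,-12} -> written ({3})" -f $t.Log, $t.Id, $t.Type, $found[0].LevelDisplayName
    } else {
        "{0,-12} id {1} {2,-12} -> NOT FOUND in local log" -f $t.Log, $t.Id, $t.Type
    }
}
```

The Information event (ID 503) is there to confirm the threshold: it should appear in the local log but not in Zenoss Core until zWinEventlogMinSeverity is raised from the default (warning) to 4 per the severity table above.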
