Log File Agent User's Guide, IBM Tivoli Monitoring, Version 6.3
Windows 2008 event log
This section describes how the Tivoli Log File Agent monitors events from the Windows event log.
The Tivoli Log File Agent continues to use the WINEVENTLOGS configuration (.conf) file option to monitor events from the Windows event log. The agent monitors a comma-separated list of event logs as shown in the following example:
WINEVENTLOGS=System,Security,Application
The Tivoli Log File Agent also continues to support the WINEVENTLOGS=All setting. The All setting refers to the following standard event logs that come with Windows versions before 2008: Security, Application, System, Directory, Domain Name System (DNS), and File Replication Service (FRS). It does not check every event log on the system.
There is a configuration file tag called UseNewEventLogAPI. When it is set, the agent uses the Windows 2008 (or later) event log API, which gives it access to any of the new logs added by Microsoft and to any Windows event logs created by other applications or by the user. The logs to monitor are listed with the WINEVENTLOGS keyword.
In the following example, the UseNewEventLogAPI tag is set to y.
UseNewEventLogAPI=y
WINEVENTLOGS=Microsoft-Windows-Hyper-V-Worker-Admin
In this example, the Microsoft-Windows-Hyper-V/Admin log is monitored on a Windows system that has the Hyper-V role.
In the Windows event log, each event has the following fields in this order:
- Date, in the following format: month, day, time, and year.
- Event category, an integer.
- Event level.
- Windows security ID. Any spaces in the Windows security ID are replaced by an underscore if SpaceReplacement=TRUE in the configuration (.conf) file. SpaceReplacement=TRUE is the default if you set UseNewEventLogAPI to y in the (.conf) file, which indicates that you are using the 2008 event log.
- Windows source. Any spaces in the Windows source are replaced by an underscore if SpaceReplacement=TRUE in the configuration (.conf) file.
- Windows event log keywords. Any spaces in the Windows event log keywords are replaced by an underscore if SpaceReplacement=TRUE in the configuration (.conf) file. The keyword field is new to the Windows 2008 version of the event log. It did not exist in the previous event log, so its presence prevents you from reusing your old event log format statements directly; they must be modified to account for this additional field.
- Windows event identifier.
- Message text.
For example, when an administrative user logs on to a Windows 2008 system, an event is generated in the Security log indicating the privileges that are assigned to the new user session:
Mar 22 13:58:35 2011 1 Information N/A Microsoft-Windows-Security-Auditing Audit_Success 4672 Special privileges assigned to new logon. S-1-5-21-586564200-1406810015-1408784414-500 Account Name: Administrator Account Domain: MOLDOVA Logon ID: 0xc39cb8e Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege
To capture all the events that have been created by the Microsoft-Windows-Security-Auditing event source, you write a format statement as shown here:
REGEX BaseAuditEvent
^([A-Z][a-z]{2} [0-9]{1,2} [0-9]{1,2}:[0-9]{2}:[0-9]{2} [0-9]{4}) [0-9] (\S+) (\S+) Microsoft-Windows-Security-Auditing (\S+) ([0-9]+) (.*)
timestamp $1
severity $2
login $3
eventsource "Microsoft-Windows-Security-Auditing"
eventkeywords $4
eventid $5
msg $6
END
For the previous example event, the following example indicates the values that are assigned to the slots:
timestamp=Mar 22 13:58:35 2011
severity=Information
login=N/A
eventsource=Microsoft-Windows-Security-Auditing
eventkeywords=Audit_Success
eventid=4672
msg="Special privileges assigned to new logon. S-1-5-21-586564200-1406810015-1408784414-500 Account Name: Administrator Account Domain: MOLDOVA Logon ID: 0xc39cb8e Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege"
Since it is difficult to anticipate exactly what these events look like, a useful approach to writing your regular expressions is to capture the actual events in a file. Then you can examine the file, choose the events you would like the agent to capture, and write regular expressions to match these events. To capture all the events from your Windows event log, use the following steps:
- Create a format file that contains only one pattern that does not match anything, as shown in the following example:
REGEX NoMatch
This doesn't match anything
END
- Add the following setting to the configuration (.conf) file:
UnmatchLog=C:/temp/evlog.unmatch
- Run the agent and capture some sample events.
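The following Python script is an added example, not part of the IBM documentation or the agent itself. It applies the BaseAuditEvent regular expression from this page with Python's re module (assumed, for this pattern, to behave like the agent's own regex engine), shows that a statement written for the pre-2008 field layout no longer matches because of the extra keywords field, and mimics the capture workflow above by routing every line that matches no format statement to an unmatch list in the way the agent would write it to UnmatchLog. The two extra event lines, the LEGACY_AUDIT_EVENT pattern and the function names are constructed for illustration.

```python
import re
import tempfile

# Regex from the BaseAuditEvent format statement on this page.
BASE_AUDIT_EVENT = re.compile(
    r"^([A-Z][a-z]{2} [0-9]{1,2} [0-9]{1,2}:[0-9]{2}:[0-9]{2} [0-9]{4}) [0-9] "
    r"(\S+) (\S+) Microsoft-Windows-Security-Auditing (\S+) ([0-9]+) (.*)"
)

# Slot names from the page's format statement, in capture-group order.
SLOTS = ("timestamp", "severity", "login", "eventkeywords", "eventid", "msg")

# Constructed: the same expression without the keywords field, i.e. the shape a
# format statement written for the pre-2008 event log would have had.
LEGACY_AUDIT_EVENT = re.compile(
    r"^([A-Z][a-z]{2} [0-9]{1,2} [0-9]{1,2}:[0-9]{2}:[0-9]{2} [0-9]{4}) [0-9] "
    r"(\S+) (\S+) Microsoft-Windows-Security-Auditing ([0-9]+) (.*)"
)

# The NoMatch pattern from the capture steps on this page.
NO_MATCH = re.compile(r"This doesn't match anything")

# Constructed sample input: the 4672 event from the page plus two constructed
# lines from other event sources, in the field order the page describes.
SAMPLE_EVENTS = [
    "Mar 22 13:58:35 2011 1 Information N/A Microsoft-Windows-Security-Auditing "
    "Audit_Success 4672 Special privileges assigned to new logon. "
    "S-1-5-21-586564200-1406810015-1408784414-500 Account Name: Administrator "
    "Account Domain: MOLDOVA Logon ID: 0xc39cb8e Privileges: SeSecurityPrivilege",
    "Mar 22 14:02:10 2011 0 Information N/A Service_Control_Manager "
    "0x8080000000000000 7036 The Windows Update service entered the running state.",
    "Mar 22 14:05:41 2011 0 Error N/A Application_Error 0x80000000000000 "
    "1000 Faulting application name: example.exe",
]


def parse_event(line):
    """Return the slot assignments for one event line, or None if the
    BaseAuditEvent pattern does not match it."""
    match = BASE_AUDIT_EVENT.match(line)
    if match is None:
        return None
    slots = dict(zip(SLOTS, match.groups()))
    # Literal slot value from the format statement (not a capture group).
    slots["eventsource"] = "Microsoft-Windows-Security-Auditing"
    return slots


def legacy_matches(line):
    """True if a pre-2008 style statement (no keywords field) matches the line."""
    return LEGACY_AUDIT_EVENT.match(line) is not None


def route_events(lines, patterns):
    """Mimic the agent's matching: each line is tested against the named format
    patterns in order; lines that match none are returned separately, as the
    agent would write them to the UnmatchLog file."""
    matched, unmatched = [], []
    for line in lines:
        for name, pattern in patterns.items():
            if pattern.match(line):
                matched.append((name, line))
                break
        else:
            unmatched.append(line)
    return matched, unmatched


def write_unmatch_log(unmatched, path):
    """Write unmatched lines to a file, one per line, and return the count."""
    with open(path, "w", encoding="utf-8") as fh:
        for line in unmatched:
            fh.write(line + "\n")
    return len(unmatched)


if __name__ == "__main__":
    print(parse_event(SAMPLE_EVENTS[0]))
    print("legacy statement matches:", legacy_matches(SAMPLE_EVENTS[0]))
    # Capture step: a single NoMatch pattern sends every event to the unmatch log.
    _, unmatched = route_events(SAMPLE_EVENTS, {"NoMatch": NO_MATCH})
    with tempfile.NamedTemporaryFile(suffix=".unmatch", delete=False) as tmp:
        print("captured", write_unmatch_log(unmatched, tmp.name), "events in", tmp.name)
```

Once the unmatch file has been inspected and real statements written, rerun route_events with those statements in place of NoMatch; anything still landing in the unmatched list is an event your format file does not yet cover.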