Re: Flexibility of Eventriggers in Win2003 - query on source + wil

Hi,

Thanks for your input Herb. Ironically I figuerd out a solution on the way
home on the train (as is often the case with these things!) and have
implemented it in our test environment.

The particular product that I am monitoring actually writes its main log
entries to simple text files that I can (and do) easily interogate. The name
or location of these files never changes. The problem I had however was that
occasionally the product would have a serious issue and windows itself would
create a log entry in the application log under the product name and version
as the source. The product actually recovers (to a point) and for all intense
purposes appears to carry on as normal. Its not until a few days that this
'walking wounded' state gets so bad that we start to notice slow downs and
other more obvious errors occuring. The fix is to stop one of the core
services so that it can then be restarted cleanly. This is easy to do any
takes less than 5 minutes. The pain being that when the service goes down
1500 users are immediately affected and when it does die it usually does so
in the peak of the day since user load appears to be factor in its death
throes.

By having the early warning from the event trigger we can bounce it
gracefully during the following evening affecting only very few users.

Anyhoo. The solution I found might be helpful to others.

I created a very broad event trigger that looks only at entries of /EID "3"
and /T "Error" /L "Application". Our servers actually get very few of these
so the potential load of this trigger is trivial since it wil seldom get
triggered and probably never in rapid sucession.

The event trigger runs a batch file that then calls a vbs script that uses
WMI to interogate the event log directly pulling out the last few entries.
(currently set to look at the last 5 minutes of the event log, but I will
probably narrow it down to the last few seconds so I can be confident I only
get the entry I want)

The WMI query uses the wildcard I wanted to use in the first place to search
for the specific events I am interested in, this way if the script is
triggered by a log entry I am not interested in it won't return any rows and
I can terminate the script then and there without sending any email.

If an entry is returned the script pulls out all the detail, formats it into
a string and emails to our admin address using blat.

The script works, but it needs a bit of polish before I put it into
production.
Namely to tweak it so that it will check to see if it has sent the admin
account an email recently and if so not to send another email (Say the last
15 mins) this way I can ensure that the admin account isn't going to get mail
bombed.)

So this is actually a better reuslt in many ways since I can keep the
trigger very simple (ie reuse it on other servers with little or no
modifcation) and keep all the logic in the script where its easier to
maintain and adjsut to get exactly what we want.

Thanks very much for your answer though, it was good to get confirmation.

Hopefully if anyone else has this problem they will find this post and save
themselves some time.

=)

G.
--
A Sys Admin is me!


"Herb Martin" wrote:


"Gary" <Gary@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:3673DBC4-37D0-4328-9FB3-0E8ECC1E0818@xxxxxxxxxxxxxxxx
Hi,

I am setting up some eventriggers on some of my Win2003 servers to alert
me
when particular errors occur.

The errors will have the following format in the event log:
/L "APPLICATION" /SO "<productname> <version>" /EID "3" /T "ERROR"

The <productname> will always be the same, but the version number varies
depending on which compoent has an issue.

I am pretty sure the answer is no -- you can try it fairly easily. No one
likely
every considered that a product would be designed with version specific
event LOGS.

Seems like the application's event handling is badly designed. In server
product (even a client application too problem but most event logs will
go to services) it would be odd for two versions to be running on the
same machine, and as you say, the info could have been encoded in the
event itself.

You can however (I am pretty sure) specify no log for watching them
all, and as long as the event IDs used by the app are unique you would be
good to go.



.

Relevant Pages

  • Re: WS 2007: Invalid event xml: %1 warning in the event log
    ... notificaiton. ... when i perform an activity that seems to trigger an email, ... shows up in the event log. ... I have a server that continually logs this warning in the application ...
    (microsoft.public.sharepoint.windowsservices)
  • Re: Tracking table changes??
    ... Depends on what you want tracked but a trigger can usually do the trick. ... You can use RAISERROR with the WITH LOG option to place an entry in the ... event log. ...
    (microsoft.public.sqlserver.tools)
  • Re: Capture Killed Process from Task Manager
    ... but I am trying to post to the event log that the application was ... "Dave" wrote: ... >> I just need to know where in my code I trigger the event logging routine. ...
    (microsoft.public.vb.general.discussion)
  • Re: Fatal communication error with the WWW Publishing Service
    ... I get another error logged in the event log. ... What could possibly trigger these two message at the same time? ... Best regards, ... Thomas ...
    (microsoft.public.inetserver.iis)
  • Re: Flexibility of Eventriggers in Win2003 - query on source + wil
    ... I created a very broad event trigger that looks only at entries of /EID ... The event trigger runs a batch file that then calls a vbs script that uses ... Namely to tweak it so that it will check to see if it has sent the admin ...
    (microsoft.public.windows.server.general)