Re: Flexibility of Eventriggers in Win2003 - query on source + wil
- From: "Herb Martin" <news@xxxxxxxxxxxxxx>
- Date: Tue, 6 Feb 2007 08:46:10 -0600
"Gary" <Gary@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:53775A6F-C7A5-44D7-98BB-CAA642A173BA@xxxxxxxxxxxxxxxx
Hi,
Thanks for your input Herb. Ironically I figured out a solution on the way home on the train (as is often the case with these things!) and have implemented it in our test environment.

The particular product that I am monitoring actually writes its main log entries to simple text files that I can (and do) easily interrogate. The name or location of these files never changes. The problem I had however was that occasionally the product would have a serious issue and Windows itself would create a log entry in the application log under the product name and version as the source. The product actually recovers (to a point) and for all intents and purposes appears to carry on as normal. It's not until a few days that this 'walking wounded' state gets so bad that we start to notice slowdowns and other more obvious errors occurring. The fix is to stop one of the core services so that it can then be restarted cleanly. This is easy to do and takes less than 5 minutes. The pain being that when the service goes down 1500 users are immediately affected and when it does die it usually does so in the peak of the day since user load appears to be a factor in its death throes.

By having the early warning from the event trigger we can bounce it gracefully during the following evening affecting only very few users.

Anyhoo. The solution I found might be helpful to others.

I created a very broad event trigger that looks only at entries of /EID "3" and /T "Error" /L "Application". Our servers actually get very few of these so the potential load of this trigger is trivial since it will seldom get triggered and probably never in rapid succession.

The event trigger runs a batch file that then calls a vbs script that uses WMI to interrogate the event log directly, pulling out the last few entries. (Currently set to look at the last 5 minutes of the event log, but I will probably narrow it down to the last few seconds so I can be confident I only get the entry I want.)

The WMI query uses the wildcard I wanted to use in the first place to search for the specific events I am interested in; this way if the script is triggered by a log entry I am not interested in it won't return any rows and I can terminate the script then and there without sending any email.

If an entry is returned the script pulls out all the detail, formats it into a string and emails it to our admin address using blat.

The script works, but it needs a bit of polish before I put it into production. Namely to tweak it so that it will check to see if it has sent the admin account an email recently and if so not to send another email (say within the last 15 mins). This way I can ensure that the admin account isn't going to get bombed.

Why not check for a scheduled restart and if not, both email the admin and schedule the restart for late at night?

So this is actually a better result in many ways since I can keep the trigger very simple (ie reuse it on other servers with little or no modification) and keep all the logic in the script where it's easier to maintain and adjust to get exactly what we want.

Thanks very much for your answer though, it was good to get confirmation. Hopefully if anyone else has this problem they will find this post and save themselves some time.
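Gary's script itself is not posted, so here is an added example (not his code) of the approach he describes: a VBScript run from the eventtriggers batch file that queries Win32_NTLogEvent over WMI for the trigger's log/type/ID plus a source-name wildcard and a short time window, exits with no mail when nothing matches, and throttles to one mail per 15 minutes before calling blat. The product source prefix "MyProduct", the stamp file path, the admin address and an already-configured blat SMTP profile are assumptions.

```vbscript
' Added example: filter the event that fired the trigger and mail it, throttled.
Option Explicit
Const SOURCE_PREFIX = "MyProduct"                  ' assumed product source name prefix
Const WINDOW_SECS   = 60                           ' how far back in the log to look
Const THROTTLE_SECS = 900                          ' 15 minutes between admin mails
Const STAMP_FILE    = "C:\Scripts\lastmail.txt"    ' assumed path; doubles as mail body

Dim fso, shell, wmi, dt, events, ev, body
Set fso   = CreateObject("Scripting.FileSystemObject")
Set shell = CreateObject("WScript.Shell")
Set wmi   = GetObject("winmgmts:{impersonationLevel=impersonate}!\\.\root\cimv2")

' WQL compares TimeGenerated against a CIM DATETIME string, so build "now - WINDOW_SECS" in that format
Set dt = CreateObject("WbemScripting.SWbemDateTime")
dt.SetVarDate DateAdd("s", -WINDOW_SECS, Now), True

' Same log/type/ID as the eventtriggers filter, plus the source wildcard the trigger could not express
Set events = wmi.ExecQuery( _
    "SELECT * FROM Win32_NTLogEvent WHERE Logfile='Application' " & _
    "AND Type='Error' AND EventCode=3 " & _
    "AND SourceName LIKE '" & SOURCE_PREFIX & "%' " & _
    "AND TimeGenerated >= '" & dt.Value & "'")

' Trigger fired for some other source: nothing to report, no mail
If events.Count = 0 Then WScript.Quit 0

' Throttle: the stamp file's modification time records the last mail sent
If fso.FileExists(STAMP_FILE) Then
    If DateDiff("s", fso.GetFile(STAMP_FILE).DateLastModified, Now) < THROTTLE_SECS Then WScript.Quit 0
End If

body = ""
For Each ev In events
    body = body & ev.TimeGenerated & " " & ev.SourceName & " EventCode " & ev.EventCode & vbCrLf & _
           ev.Message & vbCrLf & vbCrLf
Next

' Writing the body refreshes the stamp; blat reads the file as the message body
fso.CreateTextFile(STAMP_FILE, True).Write body
shell.Run "blat.exe """ & STAMP_FILE & """ -to admin@example.com -subject ""Application error from " & SOURCE_PREFIX & """", 0, True
```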