It seems like your browser didn't download the required fonts. Please revise your security settings and try again.
Barracuda Campus Barracuda Campus
Barracuda RMM
formerly Managed Workplace
Overview Documentation Training Certification Materials

Adding a Monitor for Windows Events

  • Last updated on

A Windows Events monitor collects events from the Windows Events logs, which contain significant events on the computer. Typically these events are used to troubleshoot or monitor the health of the system or applications. When creating a Windows Events monitor, you can:

  • Choose to monitor the application, system, or security event log, or a tiered event log.
  • Select multiple event sources, IDs, and levels to monitor.
  • For event IDs, specify a range of IDs to monitor, and specify IDs to exclude from monitoring.
  • Search for event details.
Monitoring Tiered Event Logs

You can monitor the tiered Windows Event logs available in NT 6.0 and later, by specifying the log name when creating the Windows Events monitor. When specifying a tiered event log, do not use the event log names and sources that appear on the General tab of the Windows Event Viewer, as they may not accurately reflect the true values for these boxes. It is recommended that you open the XML view of the event, and use the Channel and Provider Name specified on the Details tab. For example, for a Hyper-V event log, the channel is "Microsoft-Windows-Hyper-V-Worker-Admin" and the provider name is "Microsoft-Windows-Hyper-V-Worker".

To monitor the tiered Windows Event logs in NT 6.0 and later remotely, you must modify the managed device firewall rules to permit Remote Event Log Management. To confirm that the remote device firewall permits remote event log management, on the managed device, navigate to Control Panel > All Control Panel Items > Windows Firewall > Allowed Programs.

Windows Events monitors vs. Legacy Windows Events monitors

Windows Events monitors created in versions previous to Barracuda RMM 2013 R1 are referred to in Service Center as Legacy Windows Events monitors. These monitors contain limited configuration capabilities compared to the Windows Events monitors introduced with Barracuda RMM 2013 R1. You can continue to use these monitors in your monitoring and alerting configuration, and you can change their configuration, however they cannot be created going forward.

Event suppressions in Legacy Windows Events monitors might override events specified for monitoring in a Windows Events monitor. For example, a Legacy Windows Events monitor has been configured to monitor the Application log but to suppress event ID 1309. You then create a new Windows Events monitor to collect events from the Application log, with the event source ASP.NET 2.0, and any event ID. Then, event IDs 1309 and 1310 are triggered, both collected from the Application log, with event source ASP.NET 2.0. Event ID 1309 will not be collected, due to the suppression of that event ID in the legacy monitor.

Windows Events monitors can be added to devices individually and added to monitoring policies.

 

To  add  a  monitor  for  Windows  Events

You can use the Barracuda RMM Remote Tool Event Viewer to view what events are typical on a system. The Event Viewer is available by going to a device overview page and clicking Remote Tools from the right sidebar. See Using Event Viewer.

  1. Do one of the following:
    • To add the monitor to a policy, in Service Center, click Service Delivery Policies > Monitoring. Click the name of the monitoring policy. Click the Monitors tab.
    • To add the monitor to a device directly, in Service Center, click Configuration > Alerting  > Monitor & Alert Rules. From the Site list, select the site where the device is located. From the Device list, select the device to which you want to add a monitor.
  2. Click Add Monitor.

  3. Select Windows Events from the list

    This option will not be available if the selected device does not support WMI.

  4. Click Add Monitor.
  5. In the Monitor tab, type a title for the monitor.
  6. Optionally, type a description for the monitor.
  7. Ensure the Enabled check box is selected to turn monitoring on.
  8. Do one of the following:
    • To monitor all event levels, select the All option button.
    • To monitor specific event levels, select the Specify Level option button, then select the check box beside each event level that you want to monitor.

    Tiered logs and Critical and Verbose event levels can only be collected from devices running Windows Vista, Windows 8, or higher, and are not collected if the Onsite Manager operating system is pre-Windows 8.

  9. Do one of the following:
    • To select one of the most common Windows Event log to monitor, select it from the Event Log list.
    • To specify a tiered Windows Event log to monitor, select (Specify Log) and type the full name of the log in the Log Name box. For example, to collect Bits-Client Operational events, type "Microsoft-Windows-Bits- Client/Operational".
  10. Do one of the following:
    • To collect events from all sources, select All from the Event Sources list.
    • To select a source from which to collect events, select (Specify Source) and type the source in the corresponding box. You can specify multiple sources by using commas to separate the sources.
  11. Do one of the following:
    • To collect events without filtering by event ID, leave the Event ID box blank.
    • To specify the inclusion and exclusion of event IDs, in the Event ID box, type single event IDs separated by commas, or specify a range (for example, 1-10). To exclude an event or range of events, prefix the event ID with a minus sign (for example, -5).

    You must define a range of event IDs before defining an exclusion from the range. For example, 1-6555, -1111.

  12. To search the details of the event, select the Search the Event's Details check box and type a text string to find in the Search for box, if required.
    • Optionally, specify a search option to filter your results by selecting any of the Match CaseMatch whole word, and Use regular expression check boxes.

  13. Click Save.

    If you chose to monitor all event levels or event sources, a warning message may appear informing you of the possible impact on storage costs, due to the large amount of data storage required. You must click Yes to continue adding the Windows Events monitor.

To set the alert configuration for a Windows Events monitor

The alert configuration for Windows Events monitors operate independently from the monitoring rules, which means that you can configure the alert rules to trigger when an event is collected from any Windows Events monitor. When you select the From any Monitor option, which is available for alerting on event levels, sources, and IDs, an alert is triggered when any Windows Events monitor collects an event that meets the alert rules. The From any Monitor option is selected by default, so if you do not want to alert on event levels, sources, and IDs not defined in the monitor, you must select a different option for each.

  1. Click the Alerts tab.
  2. Click Add Alert Configuration.
  3. Type a title for the alert.
  4. Optionally, type a description for the alert.
  5. In the Alert Rule area, click Add.
    The Windows Event Rule Filtering Configuration area displays the monitoring configuration selections for the Windows Events monitor. You can use this as a reference when setting up your alert rule configuration.
  6. To configure the event levels for alerting, do the following:
    • To alert on any event level from any Windows Events monitor, select (From any Monitor) from the list.
    • To alert on a specific event level, select Equal To from the list, and then select an event level from the corresponding list.
    • To alert when a specific event level is not matched, select Not Equal To from the list, and then select an event level from the corresponding list.
  7. To configure the event source for alerting, do the following:
    • If the monitoring configuration was set to "All" for event sources, then the alert is configured for all event sources, and the Event Source list is disabled.
    • To alert on any event source from any Windows Events monitor, select (From any Monitor) from the list.
    • To alert on a specific event source, select Equal To from the list, and then select an event source from the corresponding list.
    • To alert when a specific event source is not matched, select Not Equal To from the list, and then select an event source from the corresponding list.
  8. To configure the event IDs for alerting, do the following:
    • To alert on any event ID from any Windows Events monitor, select (From any Monitor) from the list.
    • To alert on a specific event ID, select Equals from the list, and then type the event ID in the corresponding box.
    • To alert when a specific event ID is not matched, select Not Equal from the list, and then type the event ID in the corresponding box.

    When alerting on event IDs, you can specify one event ID. You cannot specify exceptions or a range of event IDs.

  9. To alert on event details, select the Search the Event's Details check box. If the monitor was configured to search for details, the search string is provided in the Search for box. You can modify the search string if desired.
    • Optionally, specify a search option to filter your results by selecting any of the Match CaseMatch whole word, and Use regular expression check boxes.

  10. To specify that a number of Windows Events that must occur within a time period for the alert to trigger, select the Alert after number of occurrences within period check box. Type a number in the Number of occurrences box, and then select a time period from the list.

    When specifying the number of occurrences, you can enter any number between 1 and 999.

  11. Click Save.
To Edit a Legacy Windows Events Monitor

If you are working with a Windows Events monitor that was created pre-Barracuda RMM 2013 R1, the following steps are required to edit the monitor:

  1. In Service Center, click Service Delivery Policies > Monitoring.
  2. From the Site list, select the site where the device is located.
  3. From the Device list, select the device to which you want to add a monitor.
  4. Click Add Monitor.
  5. Select Windows Events from the list.
  6. Click Add  Monitor.
  7. In the Monitor tab, type a title for the monitor.
  8. Optionally, type a description for the monitor.
  9. Ensure either the Collect  Events option button is selected to turn monitoring on.
    If you want to turn monitoring off, select the Suppress Event Collection option button.
  10. Do one of the following:
    • To select an existing Windows Event log to monitor, select it from the Choose Log list.
    • To define a new Windows Event log to monitor, select (Specify Log) and type the name of the log in the corresponding box.
  11. Do one of the following:
    • To collect events from all sources, select All from the Choose Source list.
    • To select a source from which to collect events, select (Specify Source) and type the source in the corresponding box.
  12. Do one of the following:
    • To collect events with all event IDs, select All from the Choose Event ID list.
    • To select an event ID from which to collect events, select (Specify Event ID) and type the event ID in the corresponding box.
  13. Select a severity level for the event from the Severity list.
  14. To search the details of the event, select the Search  the  Event's Details check box and type a text string to find in the Search for What box, if required. To search the details of the event for Onsite Managers prior to Barracuda RMM 2011, select the Enable Legacy Search of Event's Details check box and type a text string to find in the Search  for  What box, if required.
  15. To configure an alert, see Setting Alert Actions.
  16. Click Save.