We found that event log monitoring is not working as expected on any asset across the board for all event log monitors, including the default ones included with Syncro.
We have a server with a policy applied to it. When I view the effective policy it shows the correct policy with the correct event log monitoring being applied to the asset from the policy. However we are not getting any alerts to the events that are being thrown in the system.
From effective policy for the asset:
From the event log policy:
From the 204 config page:
From the server’s event log itself:
Can you please help us to figure out why we are not receiving alerts from the event log monitoring policy? Is it possible that the single percentage sign is not necessary in the message field and we should leave blank instead? We used the example set by the default monitors.
One change I would make is to remove the Severity. This was a newer stat that was added some years ago, but doesn’t seem to be documented well. I don’t see anything else different from ours. % in Message is fine; it acts as a wildcard.
Thanks for the suggestion, we will try that.
Changing severity to blank did not work.
I’m going to try making a new event log policy and leaving it as stripped down as possible to see what happens.
Tried creating a new event log policy with just one event created, severity to blank, with and without % in the message. Still does not work. Will open up a ticket with support directly, if we find anything out we will post here.
I am curious if you were able to find a resolution to your problem? I’ve been trying to get an alert when my DHCP is full and have added in all the pre-built Event Log monitors for DHCP that Syncro has. None of them worked, so I added my own custom ones as well. None of those fire off either.
So I’m wondering if you found a resolution to your issue, as mine is similar.
Last time I tried to get Event monitoring working I found out that:
- Syncro only polls logs about every 15 min; it does not subscribe for real time.
- Syncro will not alert if there are too many events for the given type in that 15 min window. Other filtering seems to happen after pulling events by ID, so it does not help the event count issue. I did not figure out what the danger count was, as the event I was watching was too high to matter.
This whole system needs to be revamped as it’s been broken for far too long, and especially because the documentation looks like it was written by someone who doesn’t even understand what event monitoring is.
Unfortunately nothing yet on getting event log monitoring working.
I’ve been too busy to open a ticket with support, but when I do, if they give me a resolution I’ll be sure to post the details here.
What’s weird is some of the prebuilt ones work, I tested the unexpected shutdown 6008 via event log and it worked with a VM. I tested a simple custom one, event log started 6005 and that one works reliably with the VM as well. But other prebuilt ones do not work like the server hardware monitoring or our custom raid controller monitoring events which fire to the system log.
It also seems like if you have an event log policy where multiple events are monitored, it will fire an alert with the 1st detected event, but will not update the alert with subsequent different event detections.
For example we had one server which threw a predictive drive failure event on 1/29/2022 and then threw a drive failure event a few days later. But the alert only showed the 1st event (predictive drive failure) and we did not get an updated alert or a 2nd alert to the new event showing drive actual failure. As we have a single event log policy for all raid related events.
Hopefully we won’t have to make 100 different single event log policies to catch multiple events.
Thank you for the reply. I did some further research and found other users that had similar problems using the built-in ones. It appears that what is causing some events to not be detected is that they have too many restrictions. So just in case someone happens upon this thread, put as little detail that pertains to your event as you can. For example, for DHCP Full I found that setting the Event to 1342, the message to % and the severity to warning would at least trigger my event. Before, if I tried putting in the Source or a portion of the message, it would not trigger. So keep as much blank or as generic as you can.
The difficulty is if your Event ID is tied to multiple events. Then I’d assume you would need the Message portion working which may have been what was breaking it for me.
In terms of firing for only the first event - that does appear to be true which in my case is what I want. What I do notice is in the actual Alert I can see the Alert creation date as well as an Updated date so I’m assuming Updated may be another recurrence of the same event? I actually prefer to be alerted a single time for this particular event rather than each time it appears in the event log. So that works out for me. Of course, once I clear the alert I would want it to show up when it hits again so I’m hoping that is true.
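The two behaviours described in this thread (events are pulled by ID in roughly 15-minute polls and then text-filtered, and a filter with too much detail silently matches nothing) can be checked locally on the server before blaming the monitor. The function below is an added example written for this thread; it is not Syncro's code and not from any poster. Event ID 1342 and the % wildcard come from the posts above; the System log, the provider name Microsoft-Windows-DHCP-Server, the 15-minute window and the 50-event cap are assumptions chosen for illustration, and the real cap the RMM uses is not stated anywhere in the thread.

```powershell
function Test-EventLogMonitor {
    # Emulates a polling event-log monitor: pull by log + ID + time window
    # first, then apply the Source and Message filters to what came back.
    # This mirrors the order of operations one poster observed; it is an
    # assumption about the RMM, not documented behaviour.
    [CmdletBinding()]
    param(
        [string]$LogName            = 'System',   # assumption: DHCP server events land in System
        [int[]] $EventId            = @(1342),    # DHCP "scope full" ID cited in the thread
        [string]$Source             = '',         # blank = any provider, like a blank Source field
        [string]$Message            = '%',        # '%' is the wildcard the monitor UI accepts
        [int]   $WindowMinutes      = 15,         # poll interval reported in the thread
        [int]   $MaxEventsPerWindow = 50          # hypothetical cap; the real value is unknown
    )

    $since  = (Get-Date).AddMinutes(-$WindowMinutes)

    # Stage 1: the cheap, ID-based pull. Everything the text filters see
    # comes from this set, so a flood of the same ID fills the window
    # regardless of how specific the Message filter is.
    $filter = @{ LogName = $LogName; Id = $EventId; StartTime = $since }
    $pulled = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)

    # Stage 2: translate the UI-style filter into a -like pattern.
    # '%' becomes '*'; a plain substring with no wildcard is wrapped so it
    # behaves as "contains" rather than "equals the whole message".
    $pattern = if ([string]::IsNullOrWhiteSpace($Message)) { '*' } else { $Message -replace '%', '*' }
    if (-not $pattern.Contains('*')) { $pattern = "*$pattern*" }

    $matched = @($pulled | Where-Object {
        ([string]::IsNullOrWhiteSpace($Source) -or $_.ProviderName -eq $Source) -and
        ($_.Message -like $pattern)
    })

    # First line of the oldest matching event, the way a "first detected
    # event" alert would show it.
    $first = $matched | Sort-Object TimeCreated | Select-Object -First 1
    $firstText = if ($first) { "$($first.Id) $($first.ProviderName): $(($first.Message -split "`r?`n")[0])" } else { '' }

    [pscustomobject]@{
        LogName         = $LogName
        Pattern         = $pattern
        PulledById      = $pulled.Count
        AfterTextFilter = $matched.Count
        OverCap         = ($pulled.Count -gt $MaxEventsPerWindow)
        WouldAlert      = ($matched.Count -gt 0 -and $pulled.Count -le $MaxEventsPerWindow)
        DistinctIdsSeen = (($matched | ForEach-Object { $_.Id } | Sort-Object -Unique) -join ',')
        FirstMatch      = $firstText
    }
}

# Usage: compare a tight filter with the loose one the thread recommends.
# If PulledById is non-zero but AfterTextFilter drops to zero, the Source or
# Message detail is what is hiding the event, not the ID.
Test-EventLogMonitor -EventId 1342 -Source 'Microsoft-Windows-DHCP-Server' -Message 'full'
Test-EventLogMonitor -EventId 1342 -Message '%'

# Several IDs in one "policy": DistinctIdsSeen lists every ID that matched in
# the window, which is what a single first-event alert would not show you.
Test-EventLogMonitor -EventId 1340,1342 -Message '%'
```

Run it in an elevated PowerShell session on the server itself, ideally right after a test event has been written, so the window still contains it. If `PulledById` is large and `OverCap` is true, the polling-and-cap explanation from the thread applies and no text filter will help; if `PulledById` is small and `AfterTextFilter` is zero, loosen the Source and Message fields as the last poster suggests and re-run until the event matches.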