[Check_mk (english)] How to monitor Event Logs - Applications and Services Logs

I want to capture Event ID 24 and Event ID 25 in the “Microsoft-Windows-TerminalServices-LocalSessionManager/Operational” log. I have tried to add this to the check_mk.ini
file logwatch section like I do for other logs. I seem to only be able to pull logs from the “Windows Logs” section but cannot pull anything from the “Application and Services Logs” section. Has anyone had any luck capturing these types of logs? I know
that they are “Information” logs, but I want to pull them in and count them. These logs represent a terminal server disconnection. I want to know if a server suddenly has a lot of these errors to determine if users are being disconnected.

Thanks,

**Ken Duncan** | Sr. Systems Engineer
DMSi Software | 402.330.6620 (e) 409 | kduncan@dmsi.com | dmsi.com


We deliver solutions that help our customers keep their promises and achieve outstanding results.

Hi Ken,

The monitoring for these internal Windows log files can be achieved with the new 1.4.0 agent. There it is possible to switch the log access to the Vista API.

The configuration inside check_mk.ini should look like the following lines:

    [logwatch]
        # activate modern eventlog api introduced in vista
        # pro: supports new logs introduced with vista
        # contra: only on vista (server 2008) and newer, less well tested, maybe slower
        # Note: setting this does not change the default set of monitored logs,
        #       see logname for that
        vista_api = yes

        # Activate a specific log. Unlike logfile this can be used to activate
        # monitoring of a new-style logfile (see vista_api) but it doesn’t
        # support wildcards (yet).
        # To find the correct name for a log, right-click on the log in
        # event-viewer → Properties and use the name from “Full Name”
        logname Microsoft-Windows-TerminalServices-LocalSessionManager/Operational = warn

All other log files can be done the same way as before.

Normally don’t use an agent with older server versions. For the Windows agent I can say that 1.4.0b5 should also work correctly with an installed 1.2.8p20 on the server.

Don’t use newer plugin versions as there are some incompatible changes.

The safe option is to wait until the start of May this year. I think that at the Check_MK conference or the week before you will see the release of the final 1.4.0 version.

Best regards

Andreas

Ken Duncan kduncan@dmsi.com wrote on Fri, 7 Apr 2017 at 16:01:

I want to capture Event ID 24 and Event ID 25 in the “Microsoft-Windows-TerminalServices-LocalSessionManager/Operational” log. I have tried to add this to the check_mk.ini
file logwatch section like I do for other logs. I seem to only be able to pull logs from the “Windows Logs” section but cannot pull anything from the “Application and Services Logs” section. Has anyone had any luck capturing these types of logs? I know
that they are “Information” logs, but I want to pull them in and count them. These logs represent a terminal server disconnection. I want to know if a server suddenly has a lot of these errors to determine if users are being disconnected.

checkmk-en mailing list

checkmk-en@lists.mathias-kettner.de

http://lists.mathias-kettner.de/mailman/listinfo/checkmk-en
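
A quick check to run on the monitored host itself before relying on the agent, as an added example that is not part of the thread or of Check_MK: it confirms that the channel's full name resolves, shows the level at which Event IDs 24 and 25 are recorded, and counts them per hour. The look-back window and the spike threshold are assumed values.

```powershell
# Added example. $LookBack and $Threshold are assumed values; tune them per site.
$Channel   = 'Microsoft-Windows-TerminalServices-LocalSessionManager/Operational'
$EventIds  = 24, 25
$LookBack  = (Get-Date).AddHours(-24)
$Threshold = 20    # events per hour that count as a spike

# 1. Confirm the channel exists under exactly this "Full Name" and is enabled.
$log = Get-WinEvent -ListLog $Channel -ErrorAction Stop
if (-not $log.IsEnabled) {
    Write-Warning "$Channel exists but is disabled; no events will be recorded."
}

# 2. Read only the two event IDs. Get-WinEvent raises an error when nothing
#    matches, so treat that one case as an empty result.
try {
    $events = @(Get-WinEvent -FilterHashtable @{
        LogName   = $Channel
        Id        = $EventIds
        StartTime = $LookBack
    } -ErrorAction Stop)
}
catch {
    if ($_.FullyQualifiedErrorId -like 'NoMatchingEventsFound*') { $events = @() }
    else { throw }
}

# 3. Show the level the events are recorded at, to compare with the
#    severity configured on the logname line in check_mk.ini.
$events | Group-Object LevelDisplayName | Format-Table Name, Count -AutoSize

# 4. Count per hour and flag hours at or above the threshold.
$events |
    Group-Object { $_.TimeCreated.ToString('yyyy-MM-dd HH:00') } |
    Sort-Object Name |
    ForEach-Object {
        [pscustomobject]@{
            Hour  = $_.Name
            Id24  = @($_.Group | Where-Object Id -eq 24).Count
            Id25  = @($_.Group | Where-Object Id -eq 25).Count
            Total = $_.Count
            Spike = $_.Count -ge $Threshold
        }
    } | Format-Table -AutoSize
```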

Perfect! Thank you!

Thanks,

**Ken Duncan** | Sr. Systems Engineer


Is it possible to set this to pull Information logs and then use regex to filter out logs?


Thanks,

**Ken Duncan** | Sr. Systems Engineer


From: checkmk-en [mailto:checkmk-en-bounces@lists.mathias-kettner.de]
On Behalf Of Ken Duncan
Sent: Tuesday, April 11, 2017 9:46 AM
To: Andreas Döhler andreas.doehler@gmail.com; checkmk-en@lists.mathias-kettner.de
Subject: Re: [Check_mk (english)] How to monitor Event Logs - Applications and Services Logs

Perfect! Thank you!


I don’t understand what you want to achieve? For Windows logs it is only possible to filter by severity on the client side.
On the monitoring side you can then filter the entries with regex.

Best regards

Andreas


Ken Duncan kduncan@dmsi.com wrote on Tue, 11 Apr 2017 at 17:21:

Is it possible to set this to pull Information logs and then use regex to filter out logs?


My apologies, I was not clear. I did mean on the server side. I now have them coming and displaying in the logwatch.py page. Do you know if you can modify this page? I would like to group by hostgroup and chronologically based on host name. Currently, the logwatch.py page just lists the hostnames in what seems like a completely random order.

Thanks,

**Ken Duncan** | Sr. Systems Engineer
