How can I monitor the Windows Event Log remotely such that I will be informed automatically when certain events occur?
There are plenty of active monitoring solutions, but they require human attention or constant polling. I need a passive solution that will simply generate a notification when a particular event occurs.
Windows Server has a built in SNMP trap generator for the Windows Event Log/Viewer, which can send traps on the occurrence of arbitrary events.
These traps will conform to the Microsoft private enterprise MIB branch in the following form:
1.3.6.1.4.1.311.1.13.X.n.n.n.n.n.n.n.n.n...
Each "n" is a decimal encoding of an ASCII character octet from the Event Log source name, and the X designates the number of characters to follow.
So, for example, a trap generated by source "Prefect" (as seen in Event Viewer) would appear as:
1.3.6.1.4.1.311.1.13.7.80.114.101.102.101.99.116
Windows 2000 Server does not support this fully, and will generate traps of a slightly different format, but the procedure is otherwise identical. All newer versions of Windows server support this properly
There are two built-in tools that you will use to set up trap generation.
evntwin: Create mapping of Event Log messages to SNMP traps evntcmd: Load mapping created by evntwin so that traps are generated
Run evntwin from a command prompt: this will spawn a GUI. Select "Custom" under Configuration type, and then "Edit." You will now see a list of all possible event sources. Under the source in which you are interested, select the particular event ID on which you wish to generate traps. Then, click "Add."
Now, you will see the actual OID of the trap, the specific ID, and an option to set a time-based threshold of event occurrences before the trap would be sent.
Repeat until you have created a mapping for each particular trap/event combination you care about. Then, click "Apply," highlight all of the mappings, and then "Export..." Save the file, and exit the application.
Now, again from the command line, run evntcmd, specifying the name of the file you just created:
evntcmd myeventfile.cnf
From this point forward, the events you specified will generate SNMP traps, which will be sent to all trap receiver destinations you have configured in your SNMP service settings. Process them as you would any normal SNMP trap.
You could use Event Sentry which has notifications:
Real-time Event Log monitoring is the core feature of EventSentry and allows you to monitor all standard (Application, Security, System, DNS Server, File Replication Service, Directory Service) and custom event logs. Event Log entries can be forwarded to a variety of immediate notifications (e.g. email, pager, SNMP etc.) or notifications designed for consolidation (e.g. database, files, etc.).
If you have time and are familiar with scripting, you could build a DIY solution, using existing code and tools like SysInternal's PsLogList, a script to monitor the event log from Microsoft's ScriptCenter, LogParser and a free SMTP commandline tool like Blat or bmail.
For 2008, Vista, XP and 2003 you could use the Windows remote event log subscription service. This is a native function of Vista and 2008. For 2003 and XPs you need specific service packs. Windows use RMI to collect event logs from remote systems much similar to syslogs but in a more secure fashion. You could also use group policy to make all servers forward events to a single 2K8,Vista or 2003 server. You can also setup notifications/alerts within event viewer.
If you enjoy scripting, you can write a WMI event sink that can receive notifications when new events are appended to the event log. I've run a VBScript version of such a script as a service, and upon receiving events it considers "interesting" (by way of a regexp match from a configuration file), it generates SMTP email. It's a fairly trivial script, but I can't post it since it "belongs" to the Customer I wrote it for.
Perhaps eventtriggers can help you (http://technet.microsoft.com/en-us/library/cc773308(WS.10).aspx). Look for eventquery.vbs as well.
