Using the Windows Event Log Monitor

To configure an instance of the Windows Event Log Monitor:

  1. Go to the Passive Monitor Library:
    • From the web interface, click GO. The GO menu appears.
    • If the WhatsUp section is not visible, click WhatsUp. The WhatsUp section of the GO menu appears.
    • Select Configure > Passive Monitor Library.

      - or -

      From the main menu of the console, select Configure > Passive Monitor Library.

  2. In the Passive Monitor Library, do one of the following:
    • Click New. The Select Passive Monitor Type dialog appears.
    • Select Windows Event Log from the list, then click OK. The WinEventLog Instance dialog appears.

      - or -

    • Select an existing Windows Event Log monitor from the list, then click Edit. The monitor properties dialog appears.
  3. Enter or select the appropriate information in the following fields.
    • Name. The name of the monitor as it appears in the Passive Monitor Library.
    • Description. The description as it appears in the Passive Monitor Library.
    • Condition. Enter one or more conditions for use in this Windows Event Log instance. Only log entries that match the expressions listed here are converted to events. Conditions are processed serially from top to bottom. As conditions are evaluated, results are applied to the next condition until all conditions have been evaluated. For complex sets of conditions that include both ANDs and ORs, this serial logic may produce results different from what is expected. As a best practice, we recommend keeping conditions simple by opting for multiple passive monitors over complex sets of conditions. When complex conditions are unavoidable, we recommend grouping all OR conditions together at the beginning of the condition set, followed by the AND conditions.

    Tip: Select a condition and click Edit condition to change its configuration, or click Clear condition to remove it from the list.

    • Match description on. Click Add to view the Expression Editor where you can create an expression, test it, and compare it to potential payloads. After creating an expression, click OK to insert that string into the list under Match on.

      Important: In a Windows Event Log Monitor, a payload Match Description On expression must match a value contained within the Windows Event Log message (this message is found in the WhatsUp Gold WinEvent Payload Viewer by scrolling through the Detail contents until you see "Message="). You must create a condition for any piece of information outside of this message that you would like WhatsUp Gold to search for using the Windows Event Log Monitor; for example, the Computer, Event ID, or Event Type.

    Note: If you have multiple payload Match Description On expressions, they are linked by OR logic, not AND logic. For example, if you have two expressions, one set to "AB" and the other to "BA", it will match against any log entry that includes either of the two strings: "AB" or "BA" or "ABBA". For more information, see the Regular Expression syntax topic.
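
Example (added here, not WhatsUp Gold code): a model of the serial evaluation described under Condition, showing a mixed AND/OR set missing a log entry its author would expect to match, and the two recommended alternatives. It assumes "serial" means a left-to-right fold over the list; the tuple layout, the computer names and the sample log entry are constructed for illustration.

```python
# Added example: a model of the serial condition logic, not WhatsUp Gold code.
# Assumption: "serial" means a left fold over the condition list.

def hit(cond, event):
    """True when the event field named by the condition equals its value."""
    return event.get(cond[1]) == cond[2]

def eval_serial(conds, event):
    """Top to bottom: each running result is applied to the next condition."""
    result = hit(conds[0], event)
    for cond in conds[1:]:
        if cond[0] == "AND":
            result = result and hit(cond, event)
        else:
            result = result or hit(cond, event)
    return result

def eval_precedence(conds, event):
    """What most authors expect: AND binds tighter than OR."""
    groups = [[conds[0]]]
    for cond in conds[1:]:
        if cond[0] == "OR":
            groups.append([cond])      # OR starts a new AND-group
        else:
            groups[-1].append(cond)    # AND extends the current group
    return any(all(hit(c, event) for c in g) for g in groups)

# Constructed condition sets: (connector, field, value); first connector unused.
# Intent: failed logons (4625) on DC01, or account lockouts (4740) on DC02.
COMPLEX = [
    (None, "EventID", 4625), ("AND", "Computer", "DC01"),
    ("OR", "EventID", 4740), ("AND", "Computer", "DC02"),
]
# Recommended alternative: two simple monitors instead of one complex set.
SPLIT = [COMPLEX[:2], [(None, "EventID", 4740), ("AND", "Computer", "DC02")]]
# When one set is unavoidable: ORs first, then ANDs, i.e. (A OR B) AND C.
OR_FIRST = [
    (None, "EventID", 4625), ("OR", "EventID", 4740), ("AND", "Computer", "DC01"),
]

def eval_split(monitors, event):
    """An entry raises an event if any one of the simple monitors matches."""
    return any(eval_serial(m, event) for m in monitors)

if __name__ == "__main__":
    entry = {"EventID": 4625, "Computer": "DC01"}  # constructed log entry
    print("expected by author:", eval_precedence(COMPLEX, entry))
    print("serial evaluation :", eval_serial(COMPLEX, entry))
    print("two simple monitors:", eval_split(SPLIT, entry))
```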