{"id":442,"date":"2009-02-24T19:06:16","date_gmt":"2009-02-24T17:06:16","guid":{"rendered":"http:\/\/contoso.se\/blog\/?p=442"},"modified":"2009-07-12T19:42:27","modified_gmt":"2009-07-12T17:42:27","slug":"collecting-events","status":"publish","type":"post","link":"http:\/\/contoso.se\/blog\/?p=442","title":{"rendered":"Collecting Events"},"content":{"rendered":"<p>I have received a number of questions lately regarding event collection. In this post I will show you how you can collect events and review them both in reports and in the console.<\/p>\n<p>Start by creating a new rule under authoring\/rules\/create a rule\/collection rule\/NT event log. A collection rule only collects events; it does not generate any alerts. In my example I use Windows Server 2008 Computer as the target. I create the rule disabled by default, then override and enable it for a group containing a couple of Windows Server 2008 computer objects.<br \/>\nWhen you have created the new rule you can create a new event view in the monitoring workspace. Remember to create the new view in the same management pack (MP) as the one in which the collection rule is stored.<\/p>\n<p>The next step is to create a report. You can use the generic Custom Event report to create a linked report showing all the events. Run the Custom Event report, select a couple of Windows Server 2008 computers as objects, and filter the report; in my example the filter is Event ID equals 666. Note that you have to check the checkbox for every report field you want to include. If you do not check any checkboxes you will get an empty report.<\/p>\n<p>If you don\u2019t like the default event report you can author a new one in Visual Studio. 
You can read my guide about that <a href=\"http:\/\/contoso.se\/blog\/?p=398\">here<\/a> and use the following query when building the data set in Visual Studio:<\/p>\n<blockquote><p>SELECT<br \/>\nvEvent.DateTime,<br \/>\nvEventPublisher.EventPublisherName as 'EventSource',<br \/>\nvEventLoggingComputer.ComputerName as 'Computer',<br \/>\nvEventLevel.EventLevelTitle as 'Type',<br \/>\nvEvent.EventDisplayNumber as 'EventID',<br \/>\nvEventChannel.EventChannelTitle,<br \/>\nvEventUserName.UserName,<br \/>\nvEventDetail.RenderedDescription as 'EventDescription'<br \/>\nFROM<br \/>\nEvent.vEvent LEFT OUTER JOIN<br \/>\nvEventUserName ON vEvent.UserNameRowId =<br \/>\nvEventUserName.EventUserNameRowId LEFT OUTER JOIN<br \/>\nvEventCategory ON vEvent.EventCategoryRowId =<br \/>\nvEventCategory.EventCategoryRowId LEFT OUTER JOIN<br \/>\nvEventPublisher ON vEvent.EventPublisherRowId =<br \/>\nvEventPublisher.EventPublisherRowId LEFT OUTER JOIN<br \/>\nvEventLoggingComputer ON vEvent.LoggingComputerRowId =<br \/>\nvEventLoggingComputer.EventLoggingComputerRowId LEFT OUTER JOIN<br \/>\nvEventLevel ON vEvent.EventLevelId = vEventLevel.EventLevelId LEFT OUTER JOIN<br \/>\nvEventChannel ON vEvent.EventChannelRowId =<br \/>\nvEventChannel.EventChannelRowId LEFT OUTER JOIN<br \/>\nEvent.vEventDetail ON vEvent.EventOriginId = vEventDetail.EventOriginId<br \/>\nWHERE vEventLevel.EventLevelTitle = 'Error'<br \/>\nORDER BY vEvent.DateTime, vEventLoggingComputer.ComputerName<\/p><\/blockquote>\n<p>To generate test events you can use eventcreate, which is built into Windows 2003 and 2008. 
For example, run &#8220;Eventcreate \/L Application \/D &quot;test&quot; \/T ERROR \/ID 666&#8221; to generate an event in the Application log with event ID 666 and &#8220;test&#8221; as the event description.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>I have received a number of questions lately regarding event collection. In this post I will show you how you can collect events and review them both in reports and in the console. Start by creating a new rule, authoring\/rules\/create a rule\/collection rule\/NT event log. The collection rule will only collect, not generate any alerts. &hellip; <a href=\"http:\/\/contoso.se\/blog\/?p=442\">Continue reading <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0,"footnotes":""},"categories":[19],"tags":[],"class_list":["post-442","post","type-post","status-publish","format-standard","hentry","category-operations-manager-2007"],"_links":{"self":[{"href":"http:\/\/contoso.se\/blog\/index.php?rest_route=\/wp\/v2\/posts\/442","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/contoso.se\/blog\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/contoso.se\/blog\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/contoso.se\/blog\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/contoso.se\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=442"}],"version-history":[{"count":7,"href":"http:\/\/contoso.se\/blog\/index.php?rest_route=\/wp\/v2\/posts\/442\/revisions"}],"predecessor-version":[{"id":828,"href":"http:\/\/contoso.se\/blog\/index.php?rest_route=\/wp\/v2
\/posts\/442\/revisions\/828"}],"wp:attachment":[{"href":"http:\/\/contoso.se\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=442"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/contoso.se\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=442"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/contoso.se\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=442"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}