Event File Collector

Event File Collector Monitor Items collect Event Log Files (.EVT and .EVTX) from the Agents being monitored.

The Event File Collector operates at a scheduled interval (the default is every 24 hours). At each interval, the Event File Collector will attempt to copy and store the specified Event Log Files from the assigned Agents. The files will be stored by default under the ELM Enterprise Manager installation folder in a sub-directory named EVT Files. This location can be modified on the Behavior tab of the Event File Collector properties.

Displays the Available Logs and Selected Logs the Collector is configured to copy and store. By default, the list of Selected Logs contains an asterisk, so the Monitor will collect all log files possible. Specific logs can replace the asterisk to collect a subset of log files. Use the Add and Remove buttons to move selected logs between the Available Logs and Selected Logs lists.

To list logs from another system, click the Choose log source button and enter or select a computer name. If you know the name of a log, you can enter it in the Enter a log name field, and click the Add button.

All events may be cleared from the selected logs after collection by checking the box labeled Clear Logs after collection.

Note
When clearing the event logs, if an Agent is also running any Event Collectors or Event Alarms, then the Event File Collector passes any un-read events to them for processing. This may result in events being collected outside of the configured Event Collector or Event Alarm Scheduled Interval.

On Windows 2008, Windows 7, and Vista systems, only logs under the registry key
HKLM\SYSTEM\CurrentControlSet\Services\Eventlog
can be collected.

Windows 2008, Windows 7, and Vista event logs can be collected, but if they are stored on an older Windows system, they cannot be read by the older Windows Event Viewer.

•	The Destination Folder controls where to save collected Log files. This can be any existing folder local to the ELM Server.

•

The setting Minimum Free Space Allowed For Evt File Storage protects free space on the drive hosting the Destination Folder. If the free space on the drive drops below this value, then the ELM Server will stop saving .evt files it receives from an Agent. When this happens, ELM will generate the error event 5595, with a message indicating it's unable to store the event file.

•	Log Files may be compressed for storage by checking the Compress Evt Files checkbox.

A cryptographic hash may be created for collected log files to help verify the log file remains unchanged. Note that both the collected log file and the hash file should be secured from tampering.

ELM includes a tool to help verify hashed files. Right-click on the ELM Server and select Tools | Verify Evt Files to launch the tool.

•	Enter a file name in the Evt or Gz File field to select a collected event log. You can also click the ellipsis button to browse to a file.

•	Enter an md5 file name in the .Md5 File field to select a companion hash file. You can also click the ellipsis button to browse to the file. Click the Verify button to test the file.

The hash value for a collected file can also be calculated with the Microsoft File Checksum Integrity Verifier tool. Please see Microsoft Knowledge Base article 841290 for more details.

•	Copy File Success (Informational) 5575 - The selected Event Log file has been successfully copied.

•	Copy File Error (Error) 5576 - The selected Event Log file has NOT been successfully copied.

•	Store File Success (Informational) 5577 - The selected Event Log file has been successfully stored.

•	Store File Error (Error) 5578 - The selected Event Log file has NOT been successfully stored.

Additionally, the Event File Collector may create one or more of the following events:

•	Agent Save File Error (Error) 5316 - The ELM Agent's install directory does not have enough free space. No event log files will be collected until this much space is available.

•	Store File Warning (Warning) 5594 - A cryptographic hash of the selected Event Log file has NOT been successfully created.

•	Store File Error (Error) 5595 - The selected Event Log file has NOT been successfully stored because of low disk space.

Displays the Agent Categories to which the Monitor is assigned. Click to select or deselect Agent Categories. Right click to create or edit Agent Categories.

Test any Monitor Item against any Agent capable of running the Item using the drop-down and Test button on this dialog box. Testing a Monitor Item prior to putting it into production validates that the monitor item is configured properly. To test a monitor item:

If the test was successful, you will receive a pop-up indicating this and the option to see detailed results of the test. If the test failed, detailed results of the test will automatically open in Notepad.

Displays the Scheduled Interval and Scheduled Hours settings which control the frequency for the Monitor Item.

Specify the interval at which the monitoring, polling or action is to occur. Depending on the Monitor Item type, Items can be scheduled in interval increments of Seconds, Minutes, Hours and Days. The Scheduled Interval is relative to the top of the hour or top of the minute. For example, if a Scheduled Interval is configured for 10 minutes, the Monitor Item will execute at hh:10:00, hh:20:00, hh:30:00, hh:40:00, hh:50:00, hh:00:00, etc. If a Scheduled Interval is configured for 15 seconds, the Monitor Item will execute at hh:00:15, hh:00:30, hh:00:45, hh:00:00, hh:01:15, etc.

Select the days and/or hours this item is active. By default, the schedule is set to ON for all hours and all days. Mouse clicks toggle squares between ON and OFF. Clicking on an individual square will toggle the active schedule for that hour. Clicking on an hour at the top of the grid, or on a day of the week at the left of the grid will toggle the corresponding column or row. Keyboard equivalents are the arrow keys and the space bar.

This read-only tab displays the properties of the selected object and the values for those properties.