EventSentryLight New Filter Fails Test

edited February 2015 in EventSentry [General]
I am an EventSentry newbie but I think I can follow instructions OK.
I installed it primarily to send me an email alert when the nightly Windows Server Backup job is successful.

I set up the job but failed to receive email alerts on it even though the preconfigured ones came through in droves.

Assuming I had missed something I deleted the filter and followed the 7 steps at but when I completed it and went to test the filter from the EventSentry log window I get no matches and the Reason given is "Log".

I then checked one of the preconfigured events which I received an email alert about this morning and performing a Test Against Filter Rules on that precise error gives no matches either.

This makes it difficult to troubleshoot why I am not receiving email alerts on my filter - is there an issue with the testing tool or my operation of it? (Find entry - right click - Test against... - Verbose - Leave rest as populated - Test)

Can you also advise what "Log" means as a reason for a non-match?



  • When the filter rules test lists "Log", then it refers to the event log not matching (Log = Event Log). I will see that we rename this to "Event Log" so it's more self-explanatory.

    How did you configure the filter to monitor the Windows Backup event log? On the filter you created you will need to click the "Custom Event Logs" tab and locate a drop-down which lists "Microsoft-Windows-Backup". If it doesn't exist already, you will need to enter this in an empty drop-down and activate the check box next to it. Does this help?

    While testing this on my end I did not notice that the filter rules test doesn't appear to detect custom event log settings, even when they are set up correctly. We'll look into this tomorrow and I will let you know if this is a bug that needs to be fixed.

    Are you using any remote agents as well, or is EventSentry only installed on one host?
  • Hi Ingmar,
    Thank you for your response.

    I created the filter using the "Forward this event to an action" button from within the EventSentry Event Log Details window as described in your tutorial and yes the custom event log entry is there and ticked.

    I have been trying for a few days to get this working and have rechecked the settings many times and recreated the filter but have not received emails from it. This is why I thought I should start with the basics and run the test to see if it was even being picked up.

    I saw in the forums that a number of people had to restart the EventSentry service and I tried that as well.

    I did get ONE notification out of the blue but the subject was [RESCAN] ES [2] Microsoft-Windows-Backup::4 but I'm not sure why.

    It is a simple installation on a local host however I have noticed that sometimes when I try and delete a filter the software crashes. I restart it and then I can delete it - does this indicate anything specific?

  • Sorry you're having so many issues with a seemingly simple goal.

    One question I forgot to ask is which version of EventSentry you are using. Are you using the full or the light edition? Also, are you on the latest build 3.1.?

    If you got an alert with the subject Microsoft-Windows-Backup::4 then that would indicate that EventSentry did read the backup event log, at least at some point. Did you configure the custom event log tab as suggested before?

    The management console should of course not crash when you delete a filter - is that something which happens frequently? If it does, then please send us an email ( with instructions on how to reproduce it.

    What you are trying to accomplish is quite straight-forward and should work without issues, we'll set this up on a test machine and see if we can reproduce the issues you are experiencing.

    Please let us know if you notice anything else, or if you get it working. Thanks!
  • I am using Light 3.1.1 Build 14 on Windows Server 2012 R2 with.

    As I said: "yes the custom event log entry is there and ticked".

    Unfortunately the email was tagged as being from a previous filter that has since been deleted.

    Since the test function is not working for me I will need to wait until the morning to see if I get any emails from the current iteration.
  • I received no email this morning even though the backup finished successfully and my target event occurred at 0659.

    For troubleshooting is there any activity log in EventSentry that will tell me if a filter was triggered or if it sent an email?

    I have a convoluted and unreliable system currently in place where there is a scheduled task linked to this event that runs a batch file that uses SQLCMD to create an entry in a SQL database (unless the SQL server is too busy) which is then picked up by a third party email broadcaster [and thus it becomes very clear why I am looking at your product :) ]. Do you think that the scheduled task could be interfering with EventSentry?
  • The scheduled task really shouldn't be interfering with EventSentry, it should just pick up the events based on the rules you created.

    I actually set up a test system today and created a filter where I just checked all severities as well as the Windows Backup event log. I then ran a backup job (unsuccessfully) and was promptly notified via email.

    Have you tried restarting the EventSentry agent service to rule out any issues with the agent not working with the latest configuration you see in the management console?

    For faster testing you could try to just schedule a small backup of some files and run that immediately, it should also trigger events in the Windows Backup event log.
  • I wanted to give you a brief update on the issues with the Filter Rules Test feature not matching the event log in the EventSentry Management Console as well.

    This is now confirmed to be a bug which affects filters utilizing custom event logs; for those the filter rules test will always show a non-match, even if the filter should match. Important to note is that the agent is not affected by this - the underlying filter rules in the agent do work correctly.

    This will be resolved in an upcoming patch which we plan on releasing this week, it will be build or later.
  • After restarting the EventSentry service as suggested I ran a small test backup job which resulted in reception of an email, thank you.

    Does this mean that any time I make changes in the Management Console that not only do I have to Save them but I will need to restart the service?

    I appreciate you fixing the function - it's difficult to diagnose something when the test equipment is faulty :-)
  • I agree, sorry for the issue with the test utility - it does make it difficult. It will be fixed very soon.

    You shouldn't have to restart the service after you save the configuration, but on occasion a configuration update may not be applied, e.g. when the agent is busy with an extended operation. We're also working on resolving this. The easiest way to verify that configuration is up to date, is to look for an EventSentry event in the application event log with the event id of 1035. It is usually logged about 30 seconds after you save the configuration if it was picked up successfully.

    I hope this helps!
  • Having instigated a policy of restarting the service after every console change it appears to be working reliably for me.

    Thank you for your kind assistance.
  • No problem at all.

    We'll take a closer look at this, you really shouldn't have to restart the agent every time you make a change.

    If this happens consistently (you save the config and no 1035 event is generated) then please contact our support department. Thank you!
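
The check described in the replies above (an event with ID 1035 in the application event log, usually about 30 seconds after saving) can be scripted. This is an added example, not code from the thread or from EventSentry; the function name and the assumption that the event source name starts with "EventSentry" are hypothetical, so adjust `-SourcePattern` to what your system shows.

```powershell
# Added example. Assumption: the event source (provider) name starts with
# "EventSentry"; pass -SourcePattern if your installation reports another name.
function Wait-ConfigApplied {
    param(
        [datetime]$SavedAt = (Get-Date).AddMinutes(-1), # when the configuration was saved
        [int]$TimeoutSeconds = 90,                      # generous margin over the ~30 s norm
        [string]$SourcePattern = 'EventSentry*'
    )
    $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
    do {
        # Event IDs are only unique per source, so filter on the provider name
        # as well as on ID 1035 and the save time.
        $hit = Get-WinEvent -FilterHashtable @{
                   LogName   = 'Application'
                   Id        = 1035
                   StartTime = $SavedAt
               } -ErrorAction SilentlyContinue |
               Where-Object { $_.ProviderName -like $SourcePattern } |
               Select-Object -First 1
        if ($hit) { return $hit }
        Start-Sleep -Seconds 5
    } while ((Get-Date) -lt $deadline)
    return $null   # no matching event appeared before the timeout
}

# Run this right after saving the configuration in the management console.
$applied = Wait-ConfigApplied
if ($applied) {
    "Configuration picked up at $($applied.TimeCreated) (source: $($applied.ProviderName))"
} else {
    "No 1035 event since the save: the agent may still be using the old configuration."
}
```

If the function returns nothing, the agent has not confirmed the new configuration, which is the situation where the thread's workaround of restarting the service applied.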