TSMS can monitor all the Event Logs that have been created on your systems. It easily detects events such as account lockouts, failed attempts to access secure files, logon failures due to bad passwords, etc. You can also add custom rules to monitor events generated by any application.
Filters can be made from the Super User Menu or the Normal User Menu. A filter made from the Super User Menu applies to all TSMS Agents; a filter made from the Normal User Menu applies only to the TSMS Agent you are working on.
In the Normal User Menu, only the Event Logs that affect this system are visible, that is, only those where Agent is all (*) or where Agent is <system you are working on>. Events with agent value = * can be viewed but not changed.
Specify the following general Event Log settings here:
- Cluster Monitoring: when Cluster Monitoring is checked, a Windows machine that is a cluster member will also report the events of its cluster members. This means that a single event can be reported multiple times if you have installed a TSMS Agent on all the cluster members: once by the Agent on which the event occurred, and once by each of the other cluster members that also has a TSMS Agent.
- Check Identical string in message: makes TSMS look at the message string as well when judging whether two messages are equal. For example, when you get two Security Audit Failure messages, one with the message “Peter could not login” and one with the message “David could not login”, TSMS will consider these to be equal messages, but with different strings in them. If you have checked the “Check identical string in message” box, you'll get two notifications; otherwise you receive only one if the second is sent within the minutes you configured at "Suppress equal messages x minutes". TSMS considers an event log message as equal if the Event log, Source, Type and Event id are all the same.
- Suppress equal messages x minutes: it often happens that an application reports the same event several times in a short time frame. For example, an application tries to set up a network connection to a server which is unreachable. Every time it fails, it will write an error record in the event log. To avoid every failure being reported to you, TSMS can suppress equal messages for a number of minutes. TSMS reports only the first occurrence; after the number of minutes has passed, and if the message has occurred more than once, it sends a message like “This event has occurred x times in the last y minutes = message_string”.
If you changed any setting, click on Save Event log.
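The interaction between "Check identical string in message" and "Suppress equal messages x minutes" can be modelled as follows. This is an added illustration, not TSMS code. The class and function names, the sample events, and the choices to count the first occurrence in x and to show the first message string in the summary are assumptions.

```python
from dataclasses import dataclass
@dataclass(frozen=True)
class Event:
    log: str
    source: str
    type: str
    event_id: int
    message: str

class Suppressor:
    """Illustrative model of the suppression settings; not TSMS code."""
    def __init__(self, minutes, check_identical_string=False):
        self.minutes = minutes
        self.check_string = check_identical_string
        self.open = {}  # key -> [window_start_s, count, first_message]

    def key(self, ev):
        # Page: equal = same Event log, Source, Type and Event id.
        base = (ev.log, ev.source, ev.type, ev.event_id)
        # With the checkbox set, the message string must match as well.
        return base + (ev.message,) if self.check_string else base

    def flush(self, now):
        # Close expired windows and return their summary notifications.
        out = []
        for k, (start, count, msg) in list(self.open.items()):
            if now - start >= self.minutes * 60:
                del self.open[k]
                if count > 1:  # summary only if the event repeated
                    out.append(f"This event has occurred {count} times in "
                               f"the last {self.minutes} minutes = {msg}")
        return out

    def handle(self, ev, now):
        """Return the notifications caused by event `ev` at `now` (seconds)."""
        out = self.flush(now)
        k = self.key(ev)
        if k in self.open:
            self.open[k][1] += 1  # suppressed: counted, not reported
        else:
            self.open[k] = [now, 1, ev.message]
            out.append(ev.message)  # first occurrence is reported at once
        return out

def demo(check_identical_string):
    # Constructed sample events, 60 seconds apart, 5-minute window.
    s = Suppressor(5, check_identical_string)
    a = Event("Security", "Security", "Audit Failure", 529, "Peter could not login")
    b = Event("Security", "Security", "Audit Failure", 529, "David could not login")
    return s.handle(a, 0) + s.handle(b, 60) + s.flush(300)
```

With the box unchecked, the second failed logon is folded into the summary and the account name it carried is not shown in any notification, which matters when the events are logon failures for different users.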
Take further actions concerning:
- Forwards: fill in which event log messages you would like to receive immediately and who should be notified. For example, an unexpected reboot, failed backup, etc.
- Filters: fill in which messages you do not want to receive anymore. For example, all information records of the audit log, etc.
- Missing: configure a notification for when certain events have not occurred during a certain period. For example, get warned when the Windows updates have not run for 1 week.
- All Notifications: how you should be notified of events that are neither forwarded nor filtered. For example, mail all DNS messages to the managers and all others to a special event log mail user.