5 Replies Latest reply on Jan 3, 2013 7:26 AM by mhaydon

    How OS LOGS ALERT WORKS?

    VaLr Apprentice

      Hi:

      I need to check the Windows NT Event Log on some servers, but I'm not sure how that alert works, because I added the alert ID (e.g. 6008) under "Match String" and checked System Log as Critical, but when the event is generated on the client the alert is not triggered. I'm not sure how I should fill in the "Match String" field.

      I need to generate an alert with the following event:


      Product: Windows Operating System
      Event ID: 6008
      Source: EventLog
      Component: System Event Log

      Type: Error
      Message: The previous system shutdown at %1 on %2 was unexpected.


      Note: we have other performance and service alerts and they work fine...


      LDMS 88 SP3 (Server Manager, Security Suite)

        • 1. Re: How OS LOGS ALERT WORKS?
          Rookie

          I'm also trying to find out what part of the event is matched against the string?

          • 2. Re: How OS LOGS ALERT WORKS?
            Apprentice

            I started playing with OS Log Alerting yesterday for the first time, and found that the "Match String" should be the description field of the alert. Still playing with this, but I managed to get alerts generated this way (the only problem was that it appeared to be trolling through the whole event log and alerting on every single entry found; not sure if this is first-off behaviour or just something else).

            Am continuing to test.

            • 3. Re: How OS LOGS ALERT WORKS?
              VaLr Apprentice

              I've already gotten the OS Logs alert to work successfully:

              You should specify the event:

              LDMS          Event Viewer
              Critical   =  Error

              *If you don't write anything in "Match Substring", you will receive alerts from all events that you checked before.

              In Match Substring you should write the description of the event.

              Once I had the correct configuration, I had to remove the previous alert ruleset and redeploy.

              After that, reboot the device and try again.

              It worked for me.

              • 4. Re: How OS LOGS ALERT WORKS?
                Apprentice

                I've been looking at this functionality as well. I've found that you do not have to include the complete event description, just a string that is unique to the event that you are trying to monitor.

                For example: if you wish to monitor the following "Critical" "Application" event with the following description, where ntdll.dll is a unique value:


                Faulting application name: application.exe, version: 3.0.0.0, time stamp: 0x4adc9c0e

                Faulting module name: ntdll.dll, version: 6.1.7601.17514, time stamp: 0x4ce7b96e

                Exception code: 0xc0000005

                Fault offset: 0x00055f1b

                Faulting process id: 0xce0

                Faulting application start time: 0x01cc7e10c467ca5e

                Faulting application path: C:\Program Files\Application\Application.exe

                Faulting module path: C:\Windows\SYSTEM32\ntdll.dll

                Report Id: 132cbea9-ea04-11e0-8922-5424a94bb20f


                In the LANDesk OS Log Tab


                Select: Critical > Application

                Match Substring = ntdll.dll
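A small model of the matching behaviour the replies describe, as an added example (constructed code, not LANDesk's own): the rule semantics, the Critical = Error pairing, the Event and Rule field names and the sample events are assumptions taken from this thread. It shows why matching on the event ID fails, why an empty substring fires on every selected event, and how a unique description fragment narrows the match.

```python
from dataclasses import dataclass

@dataclass
class Event:
    log: str           # "System" or "Application"
    level: str         # Event Viewer level: "Error", "Information", ...
    event_id: int
    description: str

@dataclass
class Rule:
    """One rule from the LDMS OS Log tab (assumed model of the UI fields)."""
    log: str
    ldms_severity: str        # e.g. "Critical"
    match_substring: str = ""

# Only the pairing stated in the thread (reply 3); other severities are not modelled.
LDMS_TO_EVENT_VIEWER = {"Critical": "Error"}

def rule_matches(rule, event):
    """Assumed semantics from the replies: log and level must match, and the substring
    is searched in the description, never in the event ID (empty substring = match all)."""
    if event.log != rule.log:
        return False
    if event.level != LDMS_TO_EVENT_VIEWER.get(rule.ldms_severity):
        return False
    return rule.match_substring in event.description

def alerting_events(rule, events):
    """Event IDs that would raise an alert under this rule."""
    return [e.event_id for e in events if rule_matches(rule, e)]

# Constructed sample log; IDs and texts are illustrative only.
SAMPLE_EVENTS = [
    Event("System", "Error", 6008,
          "The previous system shutdown at 08:15:02 on 1/3/2013 was unexpected."),
    Event("System", "Error", 7034, "The Print Spooler service terminated unexpectedly."),
    Event("System", "Information", 6005, "The Event log service was started."),
    Event("Application", "Error", 1000,
          "Faulting application name: application.exe ... Faulting module name: ntdll.dll ..."),
    Event("Application", "Error", 1002,
          "Faulting application name: other.exe ... Faulting module name: msvcrt.dll ..."),
]

if __name__ == "__main__":
    print(alerting_events(Rule("System", "Critical", "6008"), SAMPLE_EVENTS))        # [] (ID is not in the text)
    print(alerting_events(Rule("System", "Critical", ""), SAMPLE_EVENTS))            # [6008, 7034] (fires on all)
    print(alerting_events(Rule("Application", "Critical", "ntdll.dll"), SAMPLE_EVENTS))  # [1000] (reply 4)
```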

                • 5. Re: How OS LOGS ALERT WORKS?
                  Rookie

                  We are having a problem with the OS Log alert in the alerting field. For some reason, when we make all of our changes and click OK, it will not set up the alert. It just stays on the alert setup page. Does anyone have any idea why this is happening? We are currently using LANDesk v9.5.

                  Thanks in advance,

                  Matt