MonitorWare first start - Log issues

Support, Questions and Discussions on MonitorWare Agent

Moderator: alorbach

Postby Bertolino on Mon Jun 21, 2004 9:15 am

Hi

We recently have installed MWA 2.1.

We have configured it for Log Event 528 in the Security Log. The action is to start a program and write a log entry.

When we start the service, the MWA monitors all records of the Security Log. But we would like it to start only with the new entries.

Is there any possibility to configure it, or do I have to delete the log first?

Kind regards
Bertolino
Advanced
 
Posts: 36
Joined: Mon Jun 21, 2004 8:59 am
Location: Switzerland

Postby wrehman on Mon Jun 21, 2004 9:21 am

Hello,

Yes, there is a simple way of doing it. Open Event Log Monitor Service. Click on Advanced in front of the "Enable Security Event Log" check box and set the Last Record Value to the total number of entries in your security event log. Now it will start after that last entry and will not look for the previous entries. I hope this will help you out. If you have any other concerns, please don't hesitate to contact us again.

best regards
Wajih
Adiscon
wrehman
Adiscon Support
 
Posts: 75
Joined: Tue Mar 18, 2003 9:30 am

Postby Bertolino on Mon Jun 21, 2004 12:18 pm

Hi

Is there no other way, like "do not monitor prior to actual date/time" or "log only events after starting the service" or something else?

I think it is not a solution when I have to look on 250 servers at how many records the event log has at the moment.

Also we cannot delete the security eventlog in this environment.

Any idea ?

Kind regards
Bertolino
Advanced
 
Posts: 36
Joined: Mon Jun 21, 2004 8:59 am
Location: Switzerland

Postby rgerhards on Mon Jun 21, 2004 1:14 pm

Hello,

before I can provide more feedback, I have a vital question: is this just a one time situation, that is

a) you simply do not want to receive all those events that have been recorded before the agent has been installed

Or is

b) you do not want to receive events while the agent is stopped.

To clarify b), let's say you have started the agent at 8am and stopped it at 10am. You restart it at 1pm. Does that mean you do not want to receive those events that occurred between 10am and 1pm?

Please note that most customers actually want to receive events prior to installation - this is why the program is built as it currently is. To solve your need, I think we must first fully understand it and then we can provide a solution.

Looking forward to your reply.

Best regards,
Rainer Gerhards
Adiscon
rgerhards
Site Admin
 
Posts: 1696
Joined: Thu Feb 13, 2003 11:57 am

Postby Bertolino on Mon Jun 21, 2004 5:21 pm

Hi

So it is a), because:

We log event "528" in the security event log (Logon/Logoff - 4 times "528" within 15 seconds), then we write an event log entry (it would be nice if we could also write a description, not only an ID) and we start a batch file. In this batch file we disable logins, so no event "528" can occur anymore. After a wait time of 90 seconds we enable logins again and so on. This is working without problems.

But with a log file with thousands of "528" entries...........
When we delete these entries, no problem.

We also have tried with the record number, but the quantity of items in the Security Event Log is not equal to the last record ???

Kind regards

Bertrand Roth
Bertolino
Advanced
 
Posts: 36
Joined: Mon Jun 21, 2004 8:59 am
Location: Switzerland

Postby rgerhards on Mon Jun 21, 2004 5:54 pm

Dear Bertrand,

many thanks for coming back to us.

Bertolino wrote: We also have tried with the record number, but the quantity of items in the Security Event Log is not equal to the last record ???


Yes, this is right, that was unfortunately a false recommendation. It is the record number, but this is not equal to the number of events.

We will see that we can make a modification to the product. Eventually we would create a small command line tool that must be executed BEFORE MWAgent is run for the first time. Would this be a solution for your case, too?

Please let us know,
Rainer Gerhards
Adiscon
rgerhards
Site Admin
 
Posts: 1696
Joined: Thu Feb 13, 2003 11:57 am

Postby Bertolino on Tue Jun 22, 2004 7:21 am

Hi

Yes it would, because it's really a "first time problem".

With disabling logons we do not have further "528" entries. These entries restart only after logon has been enabled.

Kind regards
Bertolino
Advanced
 
Posts: 36
Joined: Mon Jun 21, 2004 8:59 am
Location: Switzerland

Postby rgerhards on Tue Jun 22, 2004 8:07 am

Dear Bertolino,

many thanks for your reply. We have now fully understood your needs. Please bear a little while with us - we will see how we can integrate this in the best possible way. I will keep you posted.

Best regards,
Rainer Gerhards
Adiscon
rgerhards
Site Admin
 
Posts: 1696
Joined: Thu Feb 13, 2003 11:57 am

Postby rgerhards on Tue Jun 22, 2004 10:56 am

Dear Bertolino,

I have good news. We have designed the requested functionality and it is also very easy to implement. Implementation is underway and I hope we will see a beta version of this functionality (as 2.1 SP1) later today. We will post a download link as soon as it is ready.

Best regards,
Rainer Gerhards
Adiscon
rgerhards
Site Admin
 
Posts: 1696
Joined: Thu Feb 13, 2003 11:57 am

Postby Bertolino on Tue Jun 22, 2004 11:07 am

Hi Rainer

That is good news, great. We have done new tests this morning, and we really can "stagger" the logins with this software.

Kind regards
Bertolino
Advanced
 
Posts: 36
Joined: Mon Jun 21, 2004 8:59 am
Location: Switzerland

Postby rgerhards on Tue Jun 22, 2004 1:16 pm

Dear Bertolino,

it's done. It is available now at:

www.adiscon.org/download/MWareMax21sp1.exe

Please note that all standard tests have been run on this, but not yet the full integration suite. As it was a very small change, we do not anticipate any issue, but I thought I would let you know. Also, the final 2.1SP1 version will contain one further (unrelated) change, which is currently being developed. I expect the official 2.1SP1 final to be available either at the end of this week or next week.

The manual is currently being updated. To use the new functionality, you need to go to the event log monitor settings and in there click on the "advanced" button for each log type. You'll notice a new check box "do NOT process existing events". If you check it, the service will NOT process any existing events. Please note that the checkbox is automatically reset to unchecked once the agent has run initially (because otherwise no events would ever be forwarded).

Please let us know if you have any further questions or experience a problem.

Looking forward to your feedback,
Rainer Gerhards
Adiscon
Last edited by rgerhards on Tue Jun 22, 2004 5:04 pm, edited 1 time in total.
rgerhards
Site Admin
 
Posts: 1696
Joined: Thu Feb 13, 2003 11:57 am

Postby Bertolino on Tue Jun 22, 2004 5:02 pm

Hi

Many thanks for this release. We will install and test it and give you feedback as soon as possible.
Bertolino
Advanced
 
Posts: 36
Joined: Mon Jun 21, 2004 8:59 am
Location: Switzerland

Postby Bertolino on Thu Jun 24, 2004 3:42 pm

Hi

We have tested on a single machine and it works fine. Tomorrow we will upgrade our two test servers.

Question:
When we install the MWA on a new server and we import the registry entries via an xyz.reg file, then this new parameter would not be set.

Now we would like to add this registry entry (what is this entry?) for this parameter. Will this parameter also be reset when we do it via this imported reg file after the agent has run initially?

Kind regards
Bertolino
Advanced
 
Posts: 36
Joined: Mon Jun 21, 2004 8:59 am
Location: Switzerland

Postby rgerhards on Fri Jun 25, 2004 3:03 pm

Sorry for the late reply ... I somehow missed the question.

The registry variable is named "nNoExistingEntries". Where exactly it is located in the registry depends on service location. I recommend that you do a search on the .reg file. This entry must be set to 1 to ignore existing entries. 0 means existing entries ARE processed.

Whenever the agent starts and finds this value set to 1, it ignores all existing entries AND re-sets the value to 0. It does not matter if the value was set via a reg file or the configuration client.

If you change the value via the configuration client AND then export the registry without starting the agent, it will be set to "1" in the reg file. This is probably a good way to do it.

I hope this answers your question. If I was not clear enough, please let me know.

Best regards,
Rainer Gerhards
Adiscon
rgerhards
Site Admin
 
Posts: 1696
Joined: Thu Feb 13, 2003 11:57 am

Postby Bertolino on Fri Jun 25, 2004 3:42 pm

Hi

Thank you very much, it's exactly what I wanted to know.

Kind regards
Bertolino
Advanced
 
Posts: 36
Joined: Mon Jun 21, 2004 8:59 am
Location: Switzerland
