MonitorWare Knowledge Base

Greetings,

My Monilog reports do not return any data even though the logs being analysed have relevant events. The foot of the report states:
"The logs for the selected time interval exist and contain events but none of them match the selected criteria"

This indicates that Monilog can access the log file and that it's contents are meaningful. I have checked the hints which follow this message but my configuration appears OK with the possible exception of the hint "the EventReporter settings are not configured properly for MoniLog so expected fields are missing".
My configuration details are as follows:

EventReporter V5.4.163
---------------------------
EventReporter runs on each of out windows 2000 hosts and send logs to our syslog server (Solaris). This configuration works fine and aggregated Windows logs appear at a single location on the UNIX box. The

EventReporter clients are configured to "Use Monilog" and the "Use legacy format" and "Add FacilityString" check boxes are checked in the General tab of each client.

Monilog v2.0.137
------------------
Monilog runs on a Windows host with access to the syslog log files which hold the aggregated windows events.
I have set up a monilog profile with "Servers to analyse' = "*' and the report options set to report on all event types for the last 24 hours. There are **definitely** log entries in the log file being analysed which satisfy this criteria. an example entry follows (hostname = "evalce"):

<snip>
Apr 28 09:34:54 evalce EvntSLog:787553: [WRN] Sun Apr 28 03:34:22 2003: N\A/System/EVALCE/NETLOGON (5773) - "The DNS server for this DC does not support dynamic DNS. Add the DNS records from the file 'SystemRoot\System32\Config\netlogon.dns' to the DNS server serving the domain referenced in that file."
<snip>

Help !!
--------
Can anyone verify that the log entry above is in the correct format.
Can anyone supply me with the working configuration for the General tab in Monilog for my setup (Windows EventReporter/Solaris syslog).
Can anyone suggest more specific reasons why my config is failing to populate the Monilog report.

Thanks in advance

Tony

Hi,

Monilog depends on the correct logging format, even a single different will make it not working correctly.

Currently a logfile entry looks like this at your end.

Code: Select all

Apr 28 09:34:54 evalce EvntSLog:787553: [WRN] Sun Apr 28 03:34:22 2003: N\A/System/EVALCE/NETLOGON (5773) - "The DNS server for this DC does not support dynamic DNS. Add the DNS records from the file 'SystemRoot\System32\Config\netlogon.dns' to the DNS server serving the domain referenced in that file.


The first thing I see is, that the "Add Username" option in Eventreporter should be unchecked, but anything else from the Eventreporter format is correct.

But the whole logfile format is not correct. If you are using "WinSyslog" as Syslog Server Type, it should like the following line:

Code: Select all

2002-04-08,09:34:54,EVALCE,16,5,EvntSLog:787553: [WRN] Sun Apr 28 03:34:22 2003: System/EVALCE/NETLOGON (5773) - "The DNS server for this DC does not support dynamic DNS. Add the DNS records from the file 'SystemRoot\System32\Config\netlogon.dns' to the DNS server serving the domain referenced in that file.


You can try the "BSD Syslog Server" option in Syslog Server type as well.

Tony,

Can you email a small log sample as an attachment to support@adiscon.com? The reason for this is that when you copy/paste the log entries, some of the delimiters may be replaced by blank spaces so it is hard for us to identify the exact log format. Please keep the same file name - this way we can emulate the your settings and identify the problem.

carteran wrote:Greetings,

My Monilog reports do not return any data even though the logs being analysed have relevant events. The foot of the report states:
"The logs for the selected time interval exist and contain events but none of them match the selected criteria"
[...]
Can anyone suggest more specific reasons why my config is failing to populate the Monilog report.

Thanks in advance

Tony