Troubleshooting Event Log alerts and collection.
Identify whether its is problem with the Event Set being used or a problem with Event ID monitoring in VSA?
1. Enable Event Log collection in the VSA for the affected endpoint.
- Agent > Machine Status > Event Log Settings. Add the The required Event Log types and Critical event categories e.g. Error/Warning/Critical.
- This only allows you to see Event IDs in the Agent Logs > Event Logs. Event log alerts are still generated even if event logs are not collected by the VSA
2. Create a sample Event Log Alert in this example it is event ID 35
- Apply this to the affected machine and define it to match Errors/Warning/Critical errors.
- Set the alert action to generate a Alarm.
- Set it to Alert when this event occurs once and ignore addutional alarms for 1 minute.
- Verify that the Alertset.xml file in the Agent working\KlogConfig folder has been updated with the details of the Event Log Alert
3. Manually create a event ID 35 on the endpoint and verify that it is being picked up by event viewer.
To do this:
From a CMD prompt run this command.
- eventcreate /ID 35 /L SYSTEM /T ERROR /SO VXIO /D "This is a test Event ID generated by Kaseya Support please ignore"
- This will generate a Event ID 35 System Error and the Source filter is VXIO.
- On the Endpoint in Event Viewer verify that the Event ID is generated?
- In the Agent Logs > Event Logs - System, verify that the Event ID is collected?
- On the Alarm Summary page, verify the alarm is generated?
- If an alarm is generated then you know the problem is a configuration issue with the Event Set monitoring already applied.
- Filters used when configuring Event Log Alerts are not accurate or too restrictive.
- The ignore additional alarms setting is configured for too long a time period.
- Event ID's have been set to be "Ignored" in the Event Set configuration.