Event Log Summary Report
An Event Log Summary Report is a report that displays a count of the top entries with a short description next to each entry. This report is typically used by network administrators and compliance and audit professionals to view a summary of the top logged events on Windows Servers.
Event Log Summary Reports are an implementation of the standard Event Log Consolidation Report with options set to generate a summary of unique events. The combination of Source and Event ID defines an Event as unique. In other words, within each Event Log, entries are first distinguished by Source, and then, within each Source, by Event ID. The result is a composite key comprised of the Source and Event ID.
In this Topic
- How to create an Event Log Report
- The Logs Tab
- The Columns Tab
- The Options Tab
- Host Assignment
- Viewing a Sample Report
How to create an Event Log Report
The Sample Reports include an implementation of an Event Log Summary Report. To view the sample report:
- From the Explorer View, find the root Reports node, then expand Sample Reports, then Summary Reports. Once expanded, you will find the Event Log Summary report.
- Right-click the Event Log Summary report, then select Properties. The Report Properties View displays.
- The Properties View contains 8 configuration tabs.
The Logs Tab
- Selecting the Logs Tab reveals that the Application, Security and System logs are selected. For more information on the Logs Tab see Assign Event Logs.
The Columns Tab
- Selecting the Columns Tab reveals the column definitions, sort rules and group by rules.
- Notice that the first column in the list of columns is Count. This column displays the count of distinct entries.
- To extract and display a summary of each Event, a custom column keyed DESCRIPTION has been added. It is a string type, has a maximum length of 64 characters and is populated from a regular expression result. The expression simply returns the first line of the log entry; the maximum length then truncates the result to the first 64 characters. If you would like to display more characters, increase this value.
- Next, the Sort by Controls define the sort order of the results. Since this is a summary report of unique Events defined as the combination of each Source and Event ID, the following three columns are defined:
Column | Description |
---|---|
Count | Displays the count of unique entries and is sorted descending so the most common Event Log entry is displayed at the top and the least common entry at the bottom of the report. |
Event | Displays the Event ID and is sorted ascending so distinct counts that have the same number (e.g. 1 entry) are displayed in order of Event ID. |
Source | Displays the Event Source and is sorted ascending so entries with the same count and Event ID are then sorted by Event Source. |
- Next, the Group by Controls define how we would like to group each result set of data. This report is designed to be run against multiple servers so it groups results by host, enabling you to view the top entries for each host in one report.
- Lastly, at the very bottom we can see the Regular expression Controls. In certain scenarios, a regular expression may be detached from a column. This view displays all configured regular expressions. In this report's case, there is just the one DESCRIPTION regular expression defined.
The Options Tab
- Selecting the Options Tab reveals the filters, select distinct count and query by rules.
- Two filters have been automatically assigned:
Filter | Description |
---|---|
Audit Entries | Targets Success Audit and Failure Audit entries, found mostly in Security logs; however, these Event types can appear in any log. |
Event Log Warning + | Targets Warning and Error Event types. |
- Next, the filter option is set to pass any entry that matches Any of the filters.
- Next, the Select distinct count Controls define the composite database key. In this case we are defining a unique entry as the combination of the Event ID and Event Source, listed as EVENT and SOURCE.
- Just below we have the option of displaying the latest or the oldest entry in the report. The report defaults to the latest so we see the most recent unique entry in the report.
- Finally, we see the Query by Controls which for this report are left blank since the report is summarizing all Events.
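The Columns and Options settings above, as a worked example added here (not the product's own code): a Python sketch of the summary this report produces, with constructed sample entries, the two filters, the (Event ID, Source) composite key per host, the latest-entry rule, the 64-character DESCRIPTION column and the Count/Event/Source sort order. Host names, event IDs and messages are illustrative.

```python
import re
from collections import namedtuple
from datetime import datetime

Entry = namedtuple("Entry", "host event_type source event_id time description")  # one log entry

# The two filters on the Options tab; an entry passes if ANY of them matches.
AUDIT_ENTRIES = {"Success Audit", "Failure Audit"}
EVENT_LOG_WARNING_PLUS = {"Warning", "Error"}

def passes_filters(e):
    return e.event_type in AUDIT_ENTRIES or e.event_type in EVENT_LOG_WARNING_PLUS

def description_column(text, max_len=64):
    # DESCRIPTION column: a regex keeps the first line, the 64-character column length truncates it
    return re.match(r"[^\r\n]*", text).group(0)[:max_len]

def summarize(entries):
    # Group by host; count distinct (Event ID, Source) keys; keep the latest entry for each key
    per_host = {}
    for e in entries:
        if not passes_filters(e):
            continue
        bucket = per_host.setdefault(e.host, {})
        key = (e.event_id, e.source)  # Select distinct count: EVENT, SOURCE
        count, latest = bucket.get(key, (0, None))
        latest = e if latest is None or e.time > latest.time else latest  # "latest" option
        bucket[key] = (count + 1, latest)
    report = {}
    for host, bucket in per_host.items():
        rows = [{"count": c, "event": ev, "source": src,
                 "description": description_column(latest.description)}
                for (ev, src), (c, latest) in bucket.items()]
        rows.sort(key=lambda r: (-r["count"], r["event"], r["source"]))  # Count desc, Event asc, Source asc
        report[host] = rows
    return report

def sample_entries():
    # Constructed sample entries (not real log data); hosts, IDs and messages are illustrative
    d = lambda h: datetime(2024, 1, 2, h, 0)
    return [
        Entry("SRV1", "Error", "Disk", 51, d(10), "Error on device \\Device\\Harddisk0 again.\nRetrying."),
        Entry("SRV1", "Error", "Disk", 51, d(9), "Error on device \\Device\\Harddisk0.\nRetrying."),
        Entry("SRV1", "Warning", "Ntfs", 55, d(8), "The file system structure on volume C: needs repair.\nDetail."),
        Entry("SRV1", "Failure Audit", "Microsoft-Windows-Security-Auditing", 4625, d(11), "An account failed to log on because the credentials supplied were not valid for this host.\nSubject:"),
        Entry("SRV1", "Information", "MsiInstaller", 1033, d(12), "Installed product.\nStatus: 0"),
        Entry("SRV2", "Warning", "Time-Service", 36, d(7), "Time-Service has not synchronized.\nDetail."),
    ]
```

Running `summarize(sample_entries())` drops the Information entry, folds the two Disk/51 errors into one row with count 2 carrying the 10:00 message, and orders the count-1 rows by Event ID.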
Host Assignment
Use the Assignments View to assign individual hosts or host groups to the report. For more information see: Host Assignments.
Sample Report
- Once saved, you can view the report directly within the Management Console by clicking the View Report button.
- Once displayed, notice that the report is actually showing the current day rather than the period configured in the report. When generic Event Log Consolidation Reports, such as this report, are displayed within the Management Console, they display in pages of days and always begin with today. This is done on purpose so large reports are viewed in pages, vastly reducing memory and CPU requirements. If you want to view the last seven days in one page, click the Date Toolbar Button, set the date you would like to start looking inclusively backward from, then set the Days per page to 7.