Table of Contents
- System Requirements
- Assign Service Logon As Credentials
- Server Configuration
- Agent-Based Monitoring
- Data Providers
- Directory Services
- Audit Work Items
- Template Properties
- Batch Update Templates
- Log Management Templates
- File and Directory Monitor Templates
- Windows Monitor Templates
- Account Lockout Monitor Template
- Logon Monitor Template
- CPU Monitor Template
- Memory Monitor Template
- Disk Space Monitor Template
- SMART Monitor Template
- Process Monitor Template
- Service Monitor Template
- Performance Counter Monitor Template
- PowerShell Script Template
- Registry Value Monitor Template
- Active Directory User Monitor Template
- Active Directory User Integrity Monitor Template
- Task Scheduler Template
- Clock Synchronization Template
- Defragment NTFS Disks Template
- Network and Application Monitor Templates
- Database Monitor Template
- Directory Service Monitor Template
- DNS Blacklist Monitor Template
- DNS Monitor Template
- Domain Expiration Monitor Template
- Network Speed Monitor Template
- Ping Monitor Template
- Database Table Reseed
- SQL Server Shrink and Backup Template
- SSH Shell
- TCP Port Scan Monitor Template
- Website Monitor Template
- SSL Certificate Monitor Templates
- Email Monitor Templates
- SNMP Monitor Templates
- Report Properties
- Security Reports
- Generic Log Reports
- File and Permission Reports
- Summary Reports
- Environment Variables
- Account Lockout Monitoring and Reporting
- SSH Shell
- Exporting and Importing Configuration Objects
- Shared Views
- Auto-Config Host Assignment Properties
- General Executable Properties
- Assign Actions
- Assign Directories
- Assign Disks
- Assign Shares
- Assign Files
- Assign Consolidated Logs
- Assign Event Logs
- Assign Azure Audit Logs
- Target Files and Sub-Directories
- Define Log Entry Columns
- Define Log Entry Columns with Regular Expressions
- Define CSV and W3C Log Entry Columns
- Active Directory User and Group Filters
- Explicitly Assigned Logs
- File Explorer
- Report Columns
- Report Date/Time Ranges
- Report Security Event Log Filters
- Select Folder or File
- Executable Timeline
- Command Line Interface
Event Log Summary Report
An Event Log Summary Report is defined as a report that displays a count of the top entries with a short description next each entry. This report is typically used by network administrators and compliance and audit professionals to view a summary of the top logged events on Windows Servers.
Event Log Summary Reports are an implementation of the standard Event Log Consolidation Report with options set to generate the summary of unique events. The combination of each Source and Event ID defines an Event as unique. In other words, within each Event Log, each Source must be unique, then, within each Source, each Event ID must be unique. The result is a composite key comprised of the Source and Event ID.
In this Topic
- How to create an Event Log Report
- The Logs Tab
- The Columns Tab
- The Options Tab
- Host Assignment
- Viewing a Sample Report
How to create an Event Log Report
The Sample Reports include an implementation of an Event Log Summary Report. To view the sample report:
- From the Explorer View find the root Reports node then expand Sample Reports then Summary Reports. Once expanded, you will find the Event Log Summary report.
- Right click on the Event Log Summary report then select Properties. The Report Properties View displays.
- The Properties View contains 8 configuration tabs.
The Logs Tab
- Selecting the Logs Tab reveals the Application, Security and System log files are selected. For more information on the Logs Tab see Assign Event Logs.
The Columns Tab
- Selecting the Columns Tab reveals the column definitions, sort rules and group by rules.
- Notice, the first column in the list of columns is Count. This column displays the count of distinct entries.
- To extract and display a summary of each Event, a custom column keyed DESCRIPTION has been added that is a string type, has a maximum length of 64 characters and is populated using a regular repression result. The expression simply returns the first line of the log entry, then, the maximum length is used to truncate the results to the first 64 characters. If you would like to display more characters, increase this value.
Next, the Sort by Controls define the sort order of the results.
Since this is a summary report of unique Events defined as the combination of each Source and Event ID,
the following three columns are defined:
Columns Description Count Displays the count of unique entries and is sorted descending so the most common Event log entry is displayed on the top and the least common entry displayed at the bottom of the report. Event Displays the Event ID and is sorted ascending so the distinct counts that have the same number (e.g. 1 entry), are displayed in order of Event ID). Source Displays the Event Source which is sorted ascending so entries with the same count and Event ID are then sorted by the Event Source.
- Next, the Group by Controls define how we would like to group each result set of data. This report is designed to be run against multiple servers so it groups results by host, enabling you to view the top entries for each host in one report.
- Lastly, at the very bottom we can see the Regular expression Controls. In certain scenarios, a regular expression may be detached from a column. This view displays all configured regular expressions. In this report's case, there is just the one DESCRIPTION regular expression defined.
The Options Tab
- Selecting the Options Tab reveals the filters, select distinct count and query by rules.
- Two filters have been automatically assigned:
Filter Description Audit Entries Targets Success Audit and Failure Audit entries found mostly in Security Logs however these Event types can be seen in any log. Event Log Warning + Targets Warning and Error Event types.
Next, the filter option is set to pass all entries that pass Any of the filters.
Other options include, creating a single filter that targets Warning, Error, Success Audit and Failure Audit Events or creating a filter that targets Informational Events then set the filter option to None.
- Next, the Select distinct count Controls define the composite database key. In this case we are defining a unique entry as the combination of the Event ID and Event Source, listed as EVENT and SOURCE.
- Just below we have the option of displaying the latest or the oldest entry in the report. The report defaults to the latest so we see the most recent unique entry in the report.
- Finally, we see the Query by Controls which for this report are left blank since the report is summarizing all Events.
Use the Assignments View to assign individual hosts or host groups to the report. For more information see: Host Assignments.
|This report requires each assigned host be assigned an Event Log Consolidation Template.|
- Once saved, you can view the report directly within the Management Console by clicking the View Report button.
Once displayed, notice the report is actually showing the current day rather than the period configured in the report.
When generic Event Log Consolidation Reports, such as this report, are displayed within the Management Console, they display in pages of days and always begin with today.
This is done on purpose so large reports are viewed in pages, vastly minimizing memory and CPU requirements.
If you want to view the last seven days in one page,
click the Date Toolbar Button, set the date you would like to start looking inclusively backward from,
then, set the Days per page to 7.
Log Viewer Days per page Paging Control
Event Log Consolidation Template