RJ,
The logs are there and I did some work on my side.
So I could simulate an event 0 for Gupdate.
My Event log Message with Gupdate,
EventID:0
EventType: Informational
EventDescr:
The description for Event ID 0 from source gupdate cannot be found. Either the component that raises this event is not installed on your local computer or the installation is corrupted. You can install or repair the component on the local computer.
If the event originated on another computer, the display information had to be saved with the event.
The following information was included with the event:
Service stopped
I create watcher below as exists in client sysedge.cf
watch ntevent 65 0x100 application all '.*' '\[0\].*Service stopped.*' 'RJ Test' '' major
And it works without issue,
I recreate the event with starting Gupdate which I know will produce the above error and,
Sysedge.log shows,
0044047 2016-01-11 10:06:27.82 [I]-1b98- se/nt_eventmon.c[1504] | : send_eventmon_trap(): NT Eventlog Monitor Match Trap (7) - Index:65, Descr:'RJ Test', EventLog:'Application', TypeMatched:Information, SrcMatched:'gupdate', DescMatched:'[0] Service stopped' |
So a couple of things,
Your mentioned watcher I would try 3 different iterations,
watch ntevent 12 0x100 application Error '.*' '\[0\].*Msg:Session.* 'Web App Error 12' '' major (Make sure Error has a capital E a lot of the regex is case sensitive. )
watch ntevent 13 0x100 application all '.*' '\[0\].*Msg:Session.* 'Web App Error 13' '' major (Instead of Just Error try all. )
watch ntevent 14 0x100 application all '.*' '\[0\].*Session expired.* 'Web App Error 14' '' major (Sometimes special characters can cause regex matching issues so they may need to be escaped. So the : might be causing an issue.)
Lets see if any of these match I am thinking index 14 will do the trick.
Your uploaded Event log shows,
EventID:0
EventType: Error
EventDescr: Msg:Session expired. You have to login <Intentionally omitted>
Let me know if this helps.
Charlie.