DX Application Performance Management

Has anybody has any success monitoring a Windows event monitor (application log) for the Event ID 0?

We have been trying to create a monitor from the VAIM GUI that looks as follows:  \[0\].*Msg:Session.*   - We want to generate an alert when this event shows up in the application log.   This event is forwarded from Spectrum to SOI and then we notify the customer.

Here is the entry - watch ntevent 12 0x100 application error .* \[1\].*Msg:Session.* 'Web App Error' '' major "     -  For some reason this monitor does not work; (even though we see events occurring on the server) 

However, when we change the monitor to \[0\].*  (watch ntevent 12 0x100 application error .* \[0\].* 'Web App Error' '' major) -  we get an alert generated; but can't get the event info in the alert.

We can monitor other event ID and get all the event info in the alert; just can't get the info for the Event ID 0 event.

We currently have a ticket open; but I am reaching out to see if anyone else has encountered this issue and solved the riddle.

Thanks,

RJ

RJ,

I attached myself to the case, I see a co-worker of mine is working that with your right now and you are investigating the event source, sounds like the event driver may need a re-load.

The following Microsoft doc directly applies to the error you mentioned in the case,

https://support.microsoft.com/en-us/kb/166902

I suspect it comes down to what the eventlog is providing back to the agent.

I would be interested in what is seen by another commandline application,

Like the powershell get-winevent function.

I Suspect if

.* \[1\].*Msg:Session.* 'Web App Error' '' major "     -  For some reason this monitor does not work

That there is a problem matching the Regular expression. We would need to get a sample of the actual Event details of the event in question.

And that if,

\[0\].*  (watch ntevent 12 0x100 application error .* \[0\].* 'Web App Error' '' major) -  we get an alert generated; but can't get the event info

Works that the regular expression here is obviously matching,

But the Event info is either not supplied properly back to the agent, or not matching the event you suspect.

Typically I would suggest on the support case to attach an export of the event log in question.

And the sysedge.cf file.

Or at least for the purpose of posting,

I would start with the Exact message you have in the logfile that you are trying to match on all parameters, and the sysedge.cf entry which you already supplied.

But if you are troubleshooting this yourself I suggest instead of using the Windows Event console to use a command line function since that typically more accurately simulates a system call from an application. Thus the

powershell get-winevent

Thanks, Charlie.

Hey Charlie,

Thanks for your input.  We have scratching our heads on this one.  I will take a look at the Windows Tech Doc provided and talk with the customer.  The event Log and the sysedge.cf file was uploaded to this case.

I will take another look and if not there; I will attach.

Thanks,

RJ

RJ,

The logs are there and I did some work on my side.

So I could simulate an event 0 for Gupdate.

My Event log Message with Gupdate,

EventID:0

EventType: Informational

EventDescr:

The description for Event ID 0 from source gupdate cannot be found. Either the component that raises this event is not installed on your local computer or the installation is corrupted. You can install or repair the component on the local computer.

If the event originated on another computer, the display information had to be saved with the event.

The following information was included with the event:

Service stopped

I create watcher below as exists in client sysedge.cf

watch ntevent 65 0x100 application all '.*' '\[0\].*Service stopped.*' 'RJ Test' '' major

And it works without issue,

I recreate the event with starting Gupdate which I know will produce the above error and,

Sysedge.log shows,

So a couple of things,

Your mentioned watcher I would try 3 different iterations,

watch ntevent 12 0x100 application Error '.*'  '\[0\].*Msg:Session.* 'Web App Error 12' '' major (Make sure Error has a capital E a lot of the regex is case sensitive. )

watch ntevent 13 0x100 application all '.*'  '\[0\].*Msg:Session.* 'Web App Error 13' '' major (Instead of Just Error try all. )

watch ntevent 14 0x100 application all '.*'  '\[0\].*Session expired.* 'Web App Error 14' '' major (Sometimes special characters can cause regex matching issues so they may need to be escaped. So the : might be causing an issue.)

Lets see if any of these match I am thinking index 14 will do the trick.
Your uploaded Event log shows,

EventID:0

EventType: Error

EventDescr: Msg:Session expired. You have to login <Intentionally omitted>

Let me know if this helps.

Charlie.

I like it, I like it!

Will try your suggestions and see what we get.

RJ

Ok RJ just let us know how it goes if 1 of the specific watchers works let us know so we have the exact iteration. If nothing works keep us informed I would be happy to help. But testing here Eventid 0 works fine especially catching the text after line The following information was included with the event:

Charlie.

Ok.  Will keep you informed.

RJ

Charlie,

There were not any events over night.  The events usually occur during the day as a result of customers accessing the application.  Will continue to look closely today and see if we get any alerts.

Thanks for your time,

RJ

Charlie,

None of the monitors in place have generated an alert. There have been 3 recent events; and nothing happened.

I setup one with just \ [0\]   As a description filter.  This worked; but does not include any of the event information in the alert.

Here is the event information from the server:

The description for Event ID 0 from source Application cannot be found. Either the component that raises this event is not installed on your local computer or the installation is corrupted. You can install or repair the component on the local computer.

If the event originated on another computer, the display information had to be saved with the event.

The following information was included with the event:

Msg:Session expired. You have to login; StackTrace:   at NCFeeThin.HttpHandlers.Order.ProcessRequest(HttpContext context) in C:\EBRS2015\NCFee\NCFee\NCFeeThin\HttpHandlers\Order.ashx.cs:line 61; InnerException:

the message resource is present but the message is not found in the string/message table

RJ

Rj,

I am leaning towards asking you to try 5.9 since my test was with the 5.9 agent, and I see you have 5.8.1 Build 14104.

But before asking if you can upgrade this 1 system to 5.9. Since the message should be caught.

Can I get a copy of the sysedge.cf uploaded to the case?

Thanks, Charlie.

RJ,

I'm going to agree with Charles_Lilienkamp on 5.9... While I'm still in the early stages of reviewing a different customer issue, the 5.8.x agent seems to be having problems with event log monitoring, where all internal testing that I performed with 5.9 was successful.

Regards,

Sean

RJ

Did you get this working with the 5.9 agent?

Brian

Sorry BrianFlad I meant to update this thread. The short version is that in general mutli-line regex to work work with SysEDGE and PCRE being enabled. But RJs specific message was not being written properly to the event logs, therefore sysedge cannot read it.

I am working on a document to post with additional details.