Issues With Microsoft Windows Zenpack 2.9 on Zenoss 4.2.5
Subject:
Issues With Microsoft Windows Zenpack 2.9 on Zenoss 4.2.5
Author:
Dan A
Posted:
2018-05-16 00:54
We ran Zenoss 2.x for years and recently switched to Zenoss 4.2.5 to address issues with monitoring Windows 2012 servers (Side Note: I know this is an old version but the resources required for 5 or 6 are ridiculous). Anyway, I am, I believe, fully patched and running the latest (2.9) version of the Microsoft Windows Zenpack. All is working well in terms of basic monitoring of our Windows devices, however I am having trouble with the eventlogs.
Problem 1: Although I am able to get "error" level eventlog entries to pull in using the Windows Eventlog Datasource, once in the system I am unable to get any eventclass mappings to function. Unfortunately this is preventing me from tuning "noise" events (moving them to history, etc.). Events show up in the correct eventclass (/Win/EventLog); however, creating eventclass mappings (both in /Win/Eventlog and /Win/EventLog/subclass) has no effect on the processing of events. At this point I have given up on this and decided to tune events in the collection query.
Problem 2: Due to the complexity of the required PowerShell queries and the fact that the Where-Object clause filters after all the events have been pulled, affecting performance, I have decided to move forward with the XML-based event filters. I am able to get the basic XML query working properly; however, my goal is to filter certain events in the XML query.
Basic Query:
<?xml version="1.0" encoding="UTF-8"?>
<QueryList>
  <Query Path="Application" Id="0">
    <Select Path="Application">*[System[(Level=1 or Level=2) and TimeCreated[timediff(@SystemTime) <= {time}]]]</Select>
  </Query>
</QueryList>
Note: Time filter and XML declaration automatically added by Zenoss.
To make event filters easier to manage, I would like to use the Suppress tag. The below query works just fine in the Event Viewer on Windows Server 2008 R2 as well as when using the Get-WinEvent PowerShell cmdlet:
<?xml version="1.0" encoding="UTF-8"?>
<QueryList>
  <Query Id="0" Path="System">
    <Select Path="System">*[System[TimeCreated[timediff(@SystemTime) <= {time}] and (Level=1 or Level=2)]]</Select>
    <Suppress Path="System">*[System[Provider[@Name='Microsoft-Windows-DistributedCOM'] and (EventID=10009)]]</Suppress>
    <Suppress Path="System">*[System[Provider[@Name='Microsoft-Windows-TerminalServices-Printers'] and (EventID=1103 or EventID=1107 or EventID=1111 or EventID=1123 or EventID=1124)]]</Suppress>
    <Suppress Path="System">*[System[Provider[@Name='TermDD'] and (EventID=50 or EventID=56)]]</Suppress>
    <Suppress Path="System">*[System[Provider[@Name='Schannel'] and (EventID=36888 or EventID=36874)]]</Suppress>
  </Query>
</QueryList>
Note: Time filter and XML declaration automatically added by Zenoss.
Although this works when plugged into the Get-WinEvent PowerShell command using the -XMLFilter option (without the Zenoss-added time component), when specifying this XML query for the event collector, the collection for each host fails with: WindowsEventLog: failed collection. The filename, directory name, or volume label syntax is incorrect.
Currently I have settled on this query; however, it is not quite as accurate or manageable as using the Suppress tag.
<?xml version="1.0" encoding="UTF-8"?>
<QueryList>
  <Query Path="System" Id="0">
    <Select Path="System">*[System[TimeCreated[timediff(@SystemTime) <= {time}] and (Level=1 or Level=2) and (EventID!=1103 and EventID!=1107 and EventID!=1111 and EventID!=10009 and EventID!=1500 and EventID!=56 and EventID!=50 and EventID!=1124 and EventID!=1123 and EventID!=36888 and EventID!=36874)]]</Select>
  </Query>
</QueryList>
I am really hoping that there is a solution to problem 1 or 2 above; any assistance is appreciated.
------------------------------ Dan ------------------------------
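Added example (not from the post or the ZenPack): a small Python script that does mechanically what the poster did by hand, folding the Suppress clauses of a QueryList into EventID!= terms in the Select, the single-Select form that Zenoss accepted. Before rewriting it flags the case-typo EventId, since XPath element names are case-sensitive and a Suppress written that way does not match the EventID element. The sample query is constructed; the {time} clause and XML declaration are omitted because Zenoss adds them itself.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample modelled on the poster's Suppress-based System-log query.
# Zenoss adds the XML declaration and the TimeCreated/{time} clause itself,
# so both are left out of this stand-alone input.
SAMPLE_QUERY = """<QueryList>
  <Query Id="0" Path="System">
    <Select Path="System">*[System[(Level=1 or Level=2)]]</Select>
    <Suppress Path="System">*[System[Provider[@Name='Microsoft-Windows-DistributedCOM'] and (EventID=10009)]]</Suppress>
    <Suppress Path="System">*[System[Provider[@Name='TermDD'] and (EventID=50 or EventID=56)]]</Suppress>
  </Query>
</QueryList>"""

EVENT_ID_RE = re.compile(r"\bEventID=(\d+)")
# Any casing of "eventid" other than the exact element name EventID: XPath is
# case-sensitive, so EventId=1123 never matches the EventID element and that rule silently stops suppressing.
MISCASED_RE = re.compile(r"\b(?!EventID\b)[Ee]vent[Ii][Dd]\b")

def find_miscased_event_ids(xpath):
    """Return the miscased EventID tokens in one XPath expression (empty list if clean)."""
    return MISCASED_RE.findall(xpath)

def suppressed_event_ids(query_or_text):
    """Distinct EventID values named in the Suppress clauses of a Query/QueryList (Element or XML string)."""
    node = ET.fromstring(query_or_text) if isinstance(query_or_text, str) else query_or_text
    return sorted({int(n) for sup in node.iter("Suppress") for n in EVENT_ID_RE.findall(sup.text or "")})

def flatten_suppress(xml_text):
    """Fold each Query's Suppress rules into its Select as EventID!= terms, the single-Select
    form the poster found Zenoss accepts. As in the poster's final query, provider scoping is
    lost: an ID suppressed for one provider is dropped for every provider."""
    root = ET.fromstring(xml_text)
    for query in root.findall("Query"):
        for clause in query.findall("Select") + query.findall("Suppress"):
            bad = find_miscased_event_ids(clause.text or "")
            if bad:
                raise ValueError("miscased EventID token(s): " + ", ".join(bad))
        ids = suppressed_event_ids(query)
        select = query.find("Select")
        if ids and select is not None:
            text = select.text.strip()
            if not text.endswith("]]"):
                raise ValueError("unexpected Select form: " + text)
            select.text = "%s and (%s)]]" % (text[:-2], " and ".join("EventID!=%d" % i for i in ids))
        for sup in query.findall("Suppress"):
            query.remove(sup)  # the Select now carries the exclusions
    return ET.tostring(root, encoding="unicode")
```

Running flatten_suppress(SAMPLE_QUERY) yields a QueryList whose Select ends in "and (EventID!=50 and EventID!=56 and EventID!=10009)]]" and has no Suppress elements left.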