TECHZEN Zenoss User Community ARCHIVE  

Eventmonitoring WinRM (Microsoft Eventviewer Severity)

Subject: Eventmonitoring WinRM (Microsoft Eventviewer Severity)
Author: [Not Specified]
Posted: 2015-03-17 03:42


I've a question about monitoring Windows servers based on WinRM in Zenoss 5.0. I've struggled for a couple of hours already and I hope my post helps others as well, so I'll try to explain all the steps I did in as much detail as possible.
The problem:

After a fresh install of Zenoss I imported a Windows 2012R2 Server, configured the WinRM properties (zWinKDC, zWinRMPassword and zWinRMUser) and I immediately saw all data coming in after a smooth modeling. Really nice graphs, file system, Windows services and interfaces all working, great!

But then the problem: I noticed that I didn't receive any events from the Windows Eventlog. So, as I was used to doing in earlier versions, I went to Infrastructure > Server > Microsoft and pushed Detail to edit the configuration properties. But surprisingly the properties zWinEventlog and zWinEventlogMinSeverity weren't there anymore. After research and some help from the chat channel I did the following.

1. Download the latest Microsoft Windows ZenPack 2.3.2. The default installation came with 2.3.1.

2. Install the ZenPack (again after lots of research about dockers and containers and such). This is how I did it; I don't know if it's the best way, but it worked:
a. Copy Zenpack to a folder on the local Zenoss machine. Give proper rights to this folder, I used chmod 777 /temp/ -R just to be sure.
b. Typed this command after that to install: serviced service run zope zenpack install ZenPacks.zenoss.Microsoft.Windows-2.3.2.egg

3. To get Windows Events I used the Zenoss GUI: Select Advanced > Monitoring Templates > Device > Server/Microsoft. On the panel on the left you will see a couple of Windows datasources (MemoryAvailableBytes, ProcessorTotalPrivilegedTime, etc.).
a. Click on add data source (the plus icon)
b. Select type: Windows Eventlog
c. Choose Name: System or Application (Same name as the actual eventviewer name)
d. Click Submit.

After this step I was receiving events, but I receive all events (information, warning and critical), and my goal is to only receive events with a severity above warning. I looked at the documentation (just 25 lines, way too short for a non-Zenoss-guru), and it says the following about filtering.

To monitor EventLog events you should add to monitoring template with "Windows EventLog" datasource. For the Event Log field put the name of event log (e.g. "System") that you are interested in, and in the EventQuery you could put the filter for events. Filter is written as PowerShell scriptblock for Where-Object commandlet.
To target all events with a Warning or higher severity:

For Windows 2003:
{ $$_.EntryType -le [System.Diagnostics.EventLogEntryType]::Warning}

For Windows 2008 & Later:
{ $$_.Level -le [System.Diagnostics.Eventing.Reader.StandardEventLevel]::Warning}

Well, and there lies my problem: Does anybody know what an EventQuery is and where to put this?
If somebody has a small step-by-step, it would help me (and probably a lot of other Windows people, is my guess).
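
Added example (not part of the original post or the ZenPack documentation): the "Windows 2008 & Later" filter quoted above, run in PowerShell against constructed sample records to show which event levels it lets through. It assumes the doubled `$$_` is Zenoss template escaping for PowerShell's `$_`; `Test-EventQuery`, `$StrictFilter` and the sample records are hypothetical names and data.

```powershell
# Added example; not from the ZenPack documentation or the original post.
# Assumption: "$$_" in the Zenoss EventQuery field is escaping for PowerShell's "$_".

# The "Windows 2008 & Later" filter from the quoted documentation, with a single "$".
$DocFilter = { $_.Level -le [System.Diagnostics.Eventing.Reader.StandardEventLevel]::Warning }

# Variant (assumption, not from the documentation): also require Level >= Critical (1),
# because LogAlways is 0 and therefore passes a plain "-le Warning" comparison.
$StrictFilter = {
    $_.Level -ge [System.Diagnostics.Eventing.Reader.StandardEventLevel]::Critical -and
    $_.Level -le [System.Diagnostics.Eventing.Reader.StandardEventLevel]::Warning
}

# Constructed sample records (not real log data). Level follows StandardEventLevel:
# 0 LogAlways, 1 Critical, 2 Error, 3 Warning, 4 Informational, 5 Verbose.
$Sample = @(
    [pscustomobject]@{ Id = 9000; Level = [byte]0 }
    [pscustomobject]@{ Id = 9001; Level = [byte]1 }
    [pscustomobject]@{ Id = 9002; Level = [byte]2 }
    [pscustomobject]@{ Id = 9003; Level = [byte]3 }
    [pscustomobject]@{ Id = 9004; Level = [byte]4 }
    [pscustomobject]@{ Id = 9005; Level = [byte]4 }
    [pscustomobject]@{ Id = 9006; Level = [byte]5 }
)

function Test-EventQuery {
    param(
        [Parameter(Mandatory)] [scriptblock] $Filter,
        [Parameter(Mandatory)] [object[]]    $Records
    )
    # Apply the filter the way Where-Object would, then count survivors per level.
    $Records | Where-Object -FilterScript $Filter |
        Group-Object -Property Level |
        Sort-Object { [int]$_.Name } |
        Select-Object @{ n = 'Level'; e = { [int]$_.Name } }, Count
}

'Documentation filter:'
Test-EventQuery -Filter $DocFilter -Records $Sample

'Strict variant:'
Test-EventQuery -Filter $StrictFilter -Records $Sample

# On a Windows host the same check can be run against real records:
# Test-EventQuery -Filter $DocFilter -Records (Get-WinEvent -LogName System -MaxEvents 500)
```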


Subject: Bug, i guess?
Author: [Not Specified]
Posted: 2015-03-22 04:00

After a lot of testing I think I ran into a small bug.

As described in my former post, I didn't understand where to put the EventQuery (really thought I went crazy). Well, it seems that double-click or view and edit details on the eventlog datasource doesn't work in Zenoss 5.0.

I've used this manual that perfect:

- Centos 7 / Zenoss 5.0 / Microsoft Windows ZenPack 2.3.2
- Zenoss 5.0 Vmware Appliance / Microsoft Windows ZenPack 2.3.2
- Centos 6 / Zenoss 4.2.5 / Microsoft Windows ZenPack 2.3.2

Both Zenoss 5.0 versions (manual install and downloaded Zenoss VMware image) can't open the details from the eventlog datasource (Step 3 from the manual). Tested this with IE, Chrome and Firefox; all have the same problem.

Tested it in Zenoss 4.2.5 and this is working just fine.

Can someone confirm this?


Subject: looks like a bug folks, file
Author: Andrew Kirch
Posted: 2015-03-25 14:23

looks like a bug folks, file it over at

Andrew Kirch


Subject: Done
Author: [Not Specified]
Posted: 2015-03-26 01:08
