Documentation

Read & filter the Windows event log

Number of events / reset events, event status, return code

Logfile

Choose location from where events will be read: All, Application, System, Security or User defined.

When selecting User defined, an additional text field appears where one can enter a custom log location. For this to work, a Windows Registry entry needs to be made, otherwise the events, which appear in one of the event logs not mentioned above, cannot be queried, neither manually using WMI, nor via the Agent Eventlog job. The following shows the required Registry key entry for the Microsoft-Windows-TaskScheduler%4Operational.evtx event log.

Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\eventlog\Microsoft-Windows-TaskScheduler/Operational]

The key must be entered including the slash character. The User defined event log can now be defined as:

Microsoft-Windows-TaskScheduler/Operational

Note that the string %4 must be replaced with a slash character ("/").

Event type

Select which event types to consider when searching for events.

Event source

If no value is set, every event source matches. The operators Equal, Not equal, Like, Not like can be used.

Multiple sources can be given, separated by a comma, e.g.:

MSExchange Assistants,MSExchange Transport

User

If no value is set, every user matches. The operators Equal, Not equal, Like, Not like can be used.

Multiple users can be given, separated by a comma, e.g.:

SKOOR\user,NT Authority\system

Category

If no value is set, every category matches. The operators Equal, Not equal, Like, Not like can be used.

Multiple categories can be given, separated by a comma. Numeric values must be enclosed in brackets, e.g.:

Installation,(16),Server

Event ID

If no value is set, every Event ID matches. The operators Equal, Not equal can be used.

Multiple IDs can be given, separated by a comma, e.g.:

998,999,1000

Description

If this field is left empty, every description matches. Multiple description strings can be specified, separated by a comma. Wildcards can also be used, e.g.:

Printer*,Drucker*

Any text can be specified within the description. Matching is case-insensitive.

Status duration

To keep an event that matches the criteria visible, the Event status has been introduced. The Event status is set by an event (if event counter > 0). This parameter defines how long the status should be kept active:

• If not set, the event will be reset by the next job execution

• If a reset event is configured, the Status duration is used as the maximum time an event can be active if no reset event appears

Reset event

This is another possibility to clear the Event status. If both an event and a reset event occur within two job executions, the last event wins. If a reset event has the same timestamp as an event, the reset event wins.

No. of events

The number of events since the last measurement. If the job runs for the first time, it counts the events that occurred for the last 5 minutes.

No. of reset-events

The number of reset-events since the last measurement. This value is only available if the Reset section has been enabled.

Event status

The Event status is set if the number of events is > 0 and is cleared

• if the Status duration parameter is set and the configured time is reached

• if a reset-event is configured, the number of reset-events is > 0 and the Status duration is not yet reached

• with the next job execution in case no Status duration is configured

Info message

The Info message lists the description of the most current event found matching the filter criteria.

No. of events

The number of events since the last measurement. If the job runs for the first time, it counts the events that occurred for the last 5 minutes.

No. of reset-events

The number of reset-events since the last measurement. This alarm limit is only available if the Reset section has been enabled.

Event status

Check if an event status has been set. 

Error code

Generic job error code (see section Job error codes)