Acrasoft - LogWatcher FAQ

LogWatcher FAQ

Frequently Asked Questions

Q: How do I get started?

A: The fastest way is to use the Quick Start wizard to step you through the process of selecting a log, identifying what you want to look for, and setting up the action to tell you that the event has occurred. The Quick Start wizard includes a sample text log, and you should probably go through this once to see how everything fits together. Once you are familiar with setting up a watch group, selecting a key, and configuring a task, there is very little else to learn.

Q: Can LogWatcher run under Win95 or Win98?

A: Yes, but only the text search features are available. Win95 does not support NT Event Logs.

Q: Can LogWatcher run under Windows 2000?

A: Yes. Version 1.1 has been tested successfully under Windows 2000.

Q: What is LogWatcher's System Log for?

A: LogWatcher records when it starts up and shuts down, and some licensing information. If it encounters any errors translating messages or scanning files, it will record errors here. It also records security problems.

Q: How do I get the event log message text into an e-mail or page?

A: You can use the new system variables with the Send E-Mail action. There are variables for event log message text, plus the other event log fields. Variables can be used in Send E-mail, Display Message, Log To File, MessagePad Message, and Run SQL Command. Simply specify one or more variable names in the body of the action and LogWatcher will substitute the actual fields from the event log. See the tutorial in the help file for more info.

Q: How do I get the event log message text into a database?

A: You can use the new system variables with the Run SQL Script action. There are variables for event log message text, plus the other event log fields. Variables can be used in Send E-mail, Display Message, Log To File, MessagePad Message, and Run SQL Command. Simply specify one or more variable names in the body of the action and LogWatcher will substitute the actual fields from the event log. See the tutorial in the help file for more info.

Q: What's a variable, and how do I use them?

A: Variables are new in LogWatcher 1.1. Certain actions ( Run SQL Script, Send E-mail, Log To File, Send MessagePad message ) support variables in the script or message body. There is one variable for each field in an event log, plus a few others for storing the event log name, and some counters. For example, to send the NT event message text in an e-mail, just define the message body like this:

We got %EVENT_TEXT% on server %EVENT_SHORTNAME% at %EVENT_TIME%.

And the actual e-mail you receive will look like this:

We got [The actual event text] on server [The computer\logname] at [The event's date and time]

This makes it very simple to build watches and actions. See the tutorials in the help file for more on variables.

Q: Certain actions give me the 'A required privilege was not held by the client'. What does this mean?

A: You will typically get this when trying to read or clear the Security log on other machines. This has to do with the way auditing privileges are granted by the system. You need to grant the 'Manage Auditing and Security Log' privilege to the account that LogWatcher runs under. For a detailed discussion of this, see the help file.

Q: How can I merge two LogWatcher application files together?

A: You can open up both LogWatcher files in separate instances, and use copy/paste on any of the tree elements to move them across, or you can just drag them across to the other application with the mouse.

Q: How do Copy/Paste work?

A: You can copy nearly any of the tree elements to the clipboard, and paste them in later. The includes entire watch groups, tasks, individual actions, and keys. You can even copy an entire file with everything under it, and paste it in again, although this is more useful for combing separate LogWatcher files together.

Q: How does Drag/Drop work?

A: Drag/Drop works just like Copy/Paste. You can drag certain items in the tree to create copies, or drag them to other instances of LogWatcher to combine files together.

You can also drag events from the Event Log View over to watch groups on the tree control to add a new event search key. Text logs can be dragged from the Windows Explorer and dropped on LogWatcher. Files with an lgw extension will be opened, but files with a txt or log extension will be added to the tree as new log files.

Q. How do I monitor the text log created by an application that creates a new file every day?

A: Use the Time-Formatted filename option to specify a template for the filename. LogWatcher will take care of looking up the right file every day. For example, suppose an application creates files like this:

19991223.log, 19991224.log, 19991225.log, ... ( yyyymmdd.log )

You can use the template "%Y%m%d.log", and LogWatcher will create the correct filename every day and always scan the correct one.

Q: Can I test a task without having to wait for an event to occur?

A: If you right click on the watch group in the tree control, you can choose Test the Task Actions. You can also test the task by right clicking on the task itself if you expand the watch group, or from within the Task configuration dialog.

Q: When I select computers in the Network Browser, it sometimes takes a long time for LogWatcher to connect or report an error. Why is this?

A: This can be one of several situations.
If the computer you are trying to connect to is not a Win NT machine, it will not allow you to connect, and LogWatcher will eventually report an error. Sometimes, the network list gets stale, and if the computer you are selecting is not actually turned on, LogWatcher will time out trying to connect. Windows NT security can be configured to an extraordinary degree. Check the account that LogWatcher is running under, and check the domain user privileges. If the network is up and running, LogWatcher should not have any problem connecting in less than a few seconds at most.

Q: Can a watch group have more than one key?

A: Yes. If a watch group has more than one key, then ANY of the keys will trigger the task for that group, but only once per event. If you want different keys to trigger different actions, then put them in different watch groups. For example, suppose you have a single watch group for an NT Application event log, and you add two keys, one looking for any Error events, and another looking for event ID 101. If an event shows up that only matches one key, the actions will be launched once. But if an event shows up that matches both keys, the actions will still only be launched once for this event.

Q: I have configured LogWatcher to search for a text key, but it finds log events that aren't errors. What am I doing wrong?

A: Make sure your key is specific enough. You might think a text key like "error" will find all the lines like "An error has occurred", but it will also find lines like "There was no error". Make your key as specific as you can, or use the second text field to refine it.

Q: I am setting up a watch group for a text log to look for two pieces of text. What is the difference between adding a second text key, versus using the second field in the first text key?

A: A text key is one or two pieces of text in some combination. Each key in the watch group is applied to every line in the log that LogWatcher reads out. So, if you want to look for lines with BOTH pieces of text occurring, use one key with two fields, and make sure you specify 'Both Key 1 and Key 2'. However, if you want to look for any lines that contain either of two keys, you can define two separate keys with one field each, OR, you can define a single key with two fields, and make sure you specify "Either Key 1 or Key 2'. This second option makes for a cleaner tree.

Q: What is the difference between Mark and Fast Mark, and what are they for?

A: A Mark is simply something you can append to a log you are monitoring to help you bookmark a point in time, add a reminder or an annotation. It is particularly helpful for large or fast changing logs, but you can do it whenever you want. When you mark the log, you will be asked to enter some text. If you are marking a text log, the mark text is appended to the end of the file. If you are marking an event log, an Event ID ( 100 ) for the Source "LogWatcher" is added, and your text is stored as an insertion string. Note that you can only write to NT Application logs: Security and System are restricted. A Fast Mark is just a predefined Mark you can add without having to type it in. It is configurable under the LogWatcher settings.

Q: I have added a watch group complete with keys and a task, and I can see the events in the log, but LogWatcher isn't picking them up. What is going on?

A: Make sure the Scanner is turned on. The tray icon ( in the lower right corner of the screen ) should be green, and should say "Acrasoft LogWatcher - Running" when you put the mouse over it. If the event occurred before you added your key(s), LogWatcher may have already moved past that point in the log. You will have to wait for the next occurrence of the event.
If you have recently restarted LogWatcher, you may have the settings configured to "always scan from the ends of logs". This will cause LogWatcher to ignore everything that occurred before the startup time.

Q: How do I know what all the different NT Event IDs mean, and which ones I should check?

A: Sadly, there is no master list, because every application defines its own IDs. The best you can do is look at the Event Type ( Errors in red, and Warnings in yellow are usually bad ), and double click them to see what they mean. Then you can identify which ones are important and worth watching, but depending on the application, you may end up making a technical support call to the software vendor to figure out what a particular event means.

Q: I can't find a computer in the Network Browser, so how do I choose it?

A: This is typically caused by incorrect or incomplete network settings, and is not unusual. You can press the "Find Unlisted Computer" icon, or press F9 in the Network Browser, and manually type in the missing computer name.

Q: I am setting up a watch group for an NT event log, and I am ready to define a key. How many of the fields do I need to specify?

A: An NT event log key normally contains six fields: the Event Type, the Source, the Category ID, the Event ID, the User, and the Computer. In most cases, the Source and the Event ID are all that is required to uniquely define an event. For example, event ID 6005 from the EventLog source is always "The Event log service was started". However, and this is something you need to check, some applications that generate events use the same event source and ID, but change the text of the message. In this case, use the seventh field, and look for an actual piece of text.

Q: LogWatcher won't let me scroll to the start of an NT event log, it keeps stopping at a record other than 1 (one). What's going on?

A: NT Event Logs can get quite large, and depending on the settings, the event log service will 'roll off' the old events and start a new log. In this case, the first event in the new log will be something other than 1 (one). If you want to see these old events, use the NT event viewer.

Q: Why can't I read Security logs on other machines?

A: This has to do with the way auditing privileges are granted by the system. You need to grant the 'Manage Auditing and Security Log' privilege to the account that LogWatcher runs under.

Q: I cannot Mark the NT System or Security logs. Why is this?

A: Windows NT requires that every application that wants to write something to an NT event log must register as a source for that log. However, by default, it allows any application to write to the Application log, which is where most of the action on a computer takes place anyway. Thus, you are restricted from writing marks to the System and Security logs, even on your own computer, but the Application log on ANY computer is wide open, unless prohibited by user security settings.

Q: Why does LogWatcher take forever to update when I click on some NT event logs?

A: When LogWatcher reads records from an NT Event log, some records may come with binary data attached. LogWatcher doesn't need this data, but it must read it as part of the log anyway. Unfortunately, some events can provide a HUGE amount of this data, in which case LogWatcher has to make several network trips to get it all. For example, DrWatson dumps generate a single event log record, and dumps the state of the machine to a text file, the infamous DrWatson.log. However, it also attaches the dump text to the event record as binary data, which makes a very large event log record. If you are trying to read a computer with several of these events, you will see a delay before LogWatcher displays them.

Q: When I double click on certain events, LogWatcher says "The description EventID (x) for Source (y) could not be found. It contains the following insertion strings". What does this mean?

A: Any application that wants to log events to a Windows NT event log must register itself in the Windows Registry as being an event source for that log. One of the required registry settings is a path to a file that stores the Event translation information. Quite often, this is just the application exe file, but it could be a separate resource dll. If an application does not correctly register a translation file, LogWatcher will be unable to locate it, and all it can do is report the problem, including the event Source, the event ID, and the insertion strings.

Got any questions you need answering? Drop us a line at our support address. You might also look in the help file for Tips and Hints for lengthier backgrounders.