6842 Views 8 Replies Latest reply: Aug 3, 2012 8:19 AM by Oscar Segarra
Snake-BIS Rank: Green Belt 97 posts since Nov 26, 2009

Jan 3, 2011 8:58 AM

What is the zWinEventlogClause property?

Hello,

what is the use of the zWinEventlogClause property? I couldn't find it in the documentation and I'm not sure whether it comes from a ZenPack.

Thank you.

Regards,

Richard

  • phonegi Rank: Brown Belt 446 posts since Apr 15, 2009
    1. Jan 4, 2011 12:13 AM (in response to Snake-BIS)
    Re: What is the zWinEventlogClause property?

    I answer these questions with the following script that I put in my /home/zenoss/bin directory named zfp:

    #! /usr/bin/env bash
    # zfp: zenoss find products. $1 = search string, $2 = file extension (defaults to py).
    SEARCH_STR=$1
    if [[ -n $2 ]]; then
       EXT=$2
    else
       EXT=py
    fi

    # For JavaScript, skip the generated compiled/debug/minified bundles.
    EXCLUDE=()
    if [ "$EXT" = "js" ]; then
       EXCLUDE=(! -name '*compiled.js' ! -name '*debug.js' ! -name '*-min.js')
    fi

    # -print0/-0 keep paths containing spaces intact; $ZENHOME is /opt/zenoss on a default install.
    find "$ZENHOME/Products" -name "*.$EXT" "${EXCLUDE[@]}" -print0 \
       | xargs -0 grep --with-filename --color "$SEARCH_STR"

    zfp stands for zenoss find products. It searches the $ZENHOME/Products directory for files containing a specific string. The first argument is the search string. The second argument is the file extension to search. It defaults to py. I entered zfp zWinEventlogClause and got the following:

    /opt/zenoss/Products/ZenModel/migrate/WinEventlogClause.py:__doc__ = """ Add zWinEventlogClause to DeviceClass.
    /opt/zenoss/Products/ZenModel/migrate/WinEventlogClause.py:        if not dmd.Devices.hasProperty("zWinEventlogClause"):
    /opt/zenoss/Products/ZenModel/migrate/WinEventlogClause.py:            dmd.Devices._setProperty("zWinEventlogClause", '', type="string")
    /opt/zenoss/Products/ZenWin/zeneventlog.py:                          help="Override the device's zWinEventlogClause" \
    /opt/zenoss/Products/ZenWin/zeneventlog.py:        andClause = self._taskConfig.zWinEventlogClause
    /opt/zenoss/Products/ZenWin/zeneventlog.py:            There was an error found while processing the zWinEventlogClause
    /opt/zenoss/Products/ZenWin/WMIPlugin.py:        'zWinEventlogClause',
    /opt/zenoss/Products/ZenWin/services/EventLogConfig.py:                                 'zWinEventlogClause')

    The fact that it occurs in a ZenModel/migrate script shows that it is indeed part of Zenoss, not a ZenPack. Examining the other three files seems to indicate that this almost acts like a SQL WHERE clause that will be appended to a WMI query.

  • rklingaman Rank: White Belt 38 posts since May 13, 2010
    3. Feb 9, 2011 1:42 PM (in response to Snake-BIS)
    Re: What is the zWinEventlogClause property?

    Have you found the correct syntax for this field? It looks to be a WBEM query; I'm just having trouble figuring out exactly what they expect.

  • Oscar Segarra Rank: White Belt 8 posts since Feb 15, 2012
    5. Feb 16, 2012 4:07 AM (in response to Snake-BIS)
    Re: What is the zWinEventlogClause property?

    Hi.

    There are three parameters that affect the Windows Eventlog monitoring feature:

    zWinEventLog: true/false

    zWinEventLogClause: I will explain it below

    zWinEventLogMinSecurity: look at http://community.zenoss.org/thread/4896?start=0&tstart=0

    Internally Zenoss executes the following WMI query when zWinEventlog is set to "true":

    SELECT * FROM __InstanceCreationEvent
    WHERE TargetInstance ISA 'Win32_NTLogEvent'
    AND TargetInstance.EventType <= zWinEventLogMinSecurity
    AND zWinEventLogClause

    Win32_NTLogEvent is defined as follows (http://msdn.microsoft.com/en-us/library/windows/desktop/aa394226(v=vs.85).aspx):

    class Win32_NTLogEvent
    {
      uint16   Category;
      string   CategoryString;
      string   ComputerName;
      uint8    Data[];
      uint16   EventCode;
      uint32   EventIdentifier;
      uint8    EventType;
      string   InsertionStrings[];
      string   Logfile;
      string   Message;
      uint32   RecordNumber;
      string   SourceName;
      datetime TimeGenerated;
      datetime TimeWritten;
      string   Type;
      string   User;
    };

    You can use any of the previous fields.

    If we wish to detect/monitor events with event ID 1111 or 3364 in the event log, we must set the zWinEventLogClause parameter to (TargetInstance.EventIdentifier=1111 OR TargetInstance.EventIdentifier=3364).

    The system will execute the following working query:

    SELECT * FROM __InstanceCreationEvent
    WHERE TargetInstance ISA 'Win32_NTLogEvent'
    AND TargetInstance.EventType <= 2
    AND (TargetInstance.EventIdentifier=1111 OR TargetInstance.EventIdentifier=3364);

    I hope this helps.
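As an added illustration (not code from this thread or from Zenoss itself), the Python helper below assembles the query the way the post above describes and checks an operator-supplied clause before appending it: it rejects references to properties that are not in the Win32_NTLogEvent class listed above, and parenthesizes the clause so an OR inside it cannot widen the base filter. The function and variable names are assumptions made for this example.

```python
import re

# Win32_NTLogEvent properties as listed in the post; used to sanity-check a clause.
WIN32_NTLOGEVENT_FIELDS = {
    "Category", "CategoryString", "ComputerName", "Data", "EventCode",
    "EventIdentifier", "EventType", "InsertionStrings", "Logfile", "Message",
    "RecordNumber", "SourceName", "TimeGenerated", "TimeWritten", "Type", "User"}

# Base query from the post; the clause, if any, is appended as one more AND term.
BASE_QUERY = ("SELECT * FROM __InstanceCreationEvent "
              "WHERE TargetInstance ISA 'Win32_NTLogEvent' "
              "AND TargetInstance.EventType <= %d")

_FIELD_REF = re.compile(r"TargetInstance\.(\w+)")

def unknown_fields(clause):
    """Names used as TargetInstance.<name> that are not Win32_NTLogEvent properties."""
    return sorted({n for n in _FIELD_REF.findall(clause) if n not in WIN32_NTLOGEVENT_FIELDS})

def fully_parenthesized(clause):
    """True when a single outer pair of parentheses encloses the whole clause;
    raises ValueError if the parentheses are unbalanced."""
    depth, outer = 0, clause.startswith("(") and clause.endswith(")")
    for i, ch in enumerate(clause):
        depth += {"(": 1, ")": -1}.get(ch, 0)
        if depth < 0:
            raise ValueError("unbalanced ')' in clause")
        if ch == ")" and depth == 0 and i != len(clause) - 1:
            outer = False  # the first '(' closed early, as in "(a) OR (b)"
    if depth != 0:
        raise ValueError("unbalanced '(' in clause")
    return outer

def build_eventlog_query(zWinEventLog, zWinEventLogMinSecurity, zWinEventLogClause=""):
    """Assemble the WQL query the post describes; None means monitoring is off."""
    if not zWinEventLog:
        return None
    query = BASE_QUERY % int(zWinEventLogMinSecurity)
    clause = zWinEventLogClause.strip()
    if not clause:  # the migrate script defaults the property to '' (no extra filter)
        return query
    bad = unknown_fields(clause)
    if bad:
        raise ValueError("unknown Win32_NTLogEvent properties: " + ", ".join(bad))
    if not fully_parenthesized(clause):
        clause = "(%s)" % clause  # stop an OR in the clause from widening the base filter
    return query + " AND " + clause
```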

  • rklingaman Rank: White Belt 38 posts since May 13, 2010
    6. Feb 16, 2012 6:20 PM (in response to Oscar Segarra)
    Re: What is the zWinEventlogClause property?

    Great information and working well, although I'm running into the following bug explained in this Microsoft article:

    http://support.microsoft.com/default.aspx?scid=kb;en-us;2404366&sd=rss&spid=3198

    This happens when I use TargetInstance.EventIdentifier=1111 OR TargetInstance.EventIdentifier=3364. If I use just one EventIdentifier it works fine.

  • Oscar Segarra Rank: White Belt 8 posts since Feb 15, 2012
    7. Feb 17, 2012 7:08 AM (in response to rklingaman)
    Re: What is the zWinEventlogClause property?

    Hi,

    As you have said... this is a "Windows problem" and it is outside the scope of Zenoss.

    Maybe cleaning some old events out of the Windows event log can help to reduce memory consumption.

    Oscar.

  • Oscar Segarra Rank: White Belt 8 posts since Feb 15, 2012
    8. Aug 3, 2012 8:19 AM (in response to Snake-BIS)
    Re: What is the zWinEventlogClause property?

    Hi,

    I think the question has been answered; can you mark it as answered?

    Please contact me if you need further assistance.

    Thanks a lot!!
