# Configuration file for win_eventlog # ------------------------------------------------------------------- # Name of the ULS teststep where the script runtime information is found # (that is not the teststep where the events are found, though). IDENTIFIER = _win_eventlog # ------------------------------------------------------------------- # Where to place log files and files with intermediate results. # # You MUST specify the full path! WORK_DIRECTORY = C:\temp\win_tools # ------------------------------------------------------------------- # Name and port of the ULS-Server. # If not set, nothing is transferred to ULS from this script. # But the ULS value files are always placed in the ULS_DIRECTORY # (So the ULS value files may be processed by another script). # That is the ULS-server in the test environment ULS_SERVER = 10.1.2.3:11975 # ------------------------------------------------------------------- # Directory, where to write the ULS value files. ULS_DIRECTORY = C:\TEMP\ULS # ------------------------------------------------------------------- # Enter the complete path to the send2uls.exe executable. # If not set, nothing is transferred to ULS. # The files are always placed in the ULS_DIRECTORY. # # You MUST specify the full path! SEND2ULS = C:\admin\win_tools\send2uls.exe # SEND2ULS = C:\admin\win_tools\send2uls.exe -S # ------------------------------------------------------------------- # The name of the server to be used in ULS # You only need to set this, if you have a cluster and # you want to use a clustername instead of the real # computername, which is the default. # ULS_HOSTNAME = WINXP123 # ------------------------------------------------------------------- # Section to be used in the ULS ULS_SECTION = Windows # Leading expression for ULS teststep. This expression is shown # right below the ULS_SECTION defined above. # The name of the eventlog is appended, separated by ':' ULS_TESTSTEP_LEAD = eventlog # # # # # # Example: Check the eventlog "Security" of computer "win5387" # # win5307 # Windows # eventlog # Security # ------------------------------------------------------------------- # Settings for checking the eventlogs # Filtering # # ------------------------------------------------------------------- # EVENTLOG # # This is/are the eventlogs to scan. Comma separated. # An empty list means all available event logs on the machine, # except those probably defined in EVENTLOG_SKIPLIST. # # The may contain wildcards * and ?, it is tested by using -match # # EVENTLOG_LIST = ,,... # EVENTLOG_LIST = Application, Internet Explorer, Security, System, Windows PowerShell, ... # EVENTLOG_LIST = Application,System # EVENTLOG_LIST = windows powershell # But not these eventlogs. # EVENTLOG_SKIPLIST = ,,... # EVENTLOG_SKIPLIST = Internet Explorer,Microsoft-Windows-Forwarding # ------------------------------------------------------------------- # TYPE # # You can define simple text pattern, comma separated, and only those # event log entries that contain these expressions will be sent to the ULS. # All are checked consecutively. # All matching is done case insensitive. # The expression is tested exactly (no wildcards). # Only these types, or all if empty. # ERROR,WARNING,INFORMATION,SUCCESS,FAILURE # An empty list means everything # TYPE_LIST = ,,... # TYPE_LIST = information , error # But not these types # TYPE_SKIPLIST = ,,... # TYPE_SKIPLIST = information # ------------------------------------------------------------------- # SOURCE # # The expression is tested exactly (no wildcards). # # Process these sources, or all if empty, e.g. # MSSQLSERVER,APCPBEAgent,F-Secure Anti-Virus # # An empty list means everything # SOURCE_LIST = , , ... SOURCE_LIST = # Skip any events generally from these sources. # An empty list means nothing (is skipped), e.g. # MSSQLSERVER,APCPBEAgent,F-Secure Anti-Virus # # SOURCE_SKIPLIST = , , ... # ------------------------------------------------------------------- # SOURCE + EVENT_ID # # Only! these source and event-id combinations are processed, # or all if empty. So, if you define any here, then any # defined SOURCE_ID_LIST_* have no effect. # # The and expressions are tested exactly (no wildcards). # # SOURCE_ID_LIST_010 = , # SOURCE_ID_LIST_020 = # ... # List one or many combinations of sources and event IDs that are to be ignored. # Event IDs may appear for different sources, so specify always the combination # of source AND event ID. SOURCE_ID_SKIPLIST_010 = Internet Explorer , 1234 # SOURCE_ID_SKIPLIST_020 = , # SOURCE_ID_SKIPLIST_030 = , # ... # ------------------------------------------------------------------- # SOURCE + EVENT_ID + MESSAGE # # Skip entries with matching combination of SOURCE, EVENT_ID, and a # simple (not regular) text expression, case insensitive and may # contain wildcards, within MESSAGE. # There must only be ONE definition for the same source and event_id combination. # You may specify several separated by a '|' (pipe). # # Be generally careful with umlaute!!! # # The and expressions are tested exactly (no wildcards). # The expression may contain wildcards * and ?, # it is tested by using '-match'. # # The event entry is skipped if an # if ( -match ) is true. # # SOURCE_ID_MESSAGE_SKIPLIST_xxx = ,, SOURCE_ID_MESSAGE_SKIPLIST_010 = Service Control Manager,7036,Beendet SOURCE_ID_MESSAGE_SKIPLIST_015 = TestWinTools, 1111, bbbbb|aaaaa # SOURCE_ID_MESSAGE_SKIPLIST_017 = halali , 111 , jo, man, so ist das # SOURCE_ID_MESSAGE_SKIPLIST_020 = ,, # SOURCE_ID_MESSAGE_SKIPLIST_030 = ,, # ... # ------------------------------------------------------------------- # Concealing # # concealing of event entry bursts: # A source+id combination, which has made it through the filters above, # is sent to ULS at its first occurrance. The following reoccurring equal # source+id events will be accumulated for a CONCEAL_FOR time. # If no further source+id events have occurred during the conceal time: # the concealing for that source+id event is reset # If any further source+id events do have occurred: # they are accumulated and # a summary is sent to ULS after the CONCEAL_FOR time and # concealing is reset for that source+id event. # # BUT REMEMBER: The same source and event-id combinations may have # different messages! They are NOT covered separately. You will # only get the message of the last source+id event in the summary. # Specify the CONCEAL_FOR time in minutes CONCEAL_FOR = 60 # CONCEAL_FOR = 20 # ------------------------------------------------------------------- # Timestamp evaluation # # Set this property to 1 if you want to use the timestamp of # the event entry as timestamp for the value in ULS. # If not set, the current(!) timestamp is used to save all # eventlog entries to ULS. USE_EVENT_TIMESTAMP = 1 # ------------------------------------------------------------------- # Formatting # # EVENT_FORMAT # # If no formatting is defined, a default will be used. # These are the placeholders: # __TYPE__ __SOURCE__ __EVENT_ID__ __TIME_GENERATED__ # __MESSAGE__ __USERNAME__ __CATEGORY__ __NL__ # # Use __NL__ to specify a newline # EVENT_FORMAT = __TIME_GENERATED__ __TYPE__, Quelle: __SOURCE__, ID: __EVENT_ID__: __NL____MESSAGE____NL__----- EVENT_FORMAT = __TIME_GENERATED__ __TYPE__, Quelle: __SOURCE__, ID: __EVENT_ID__: __NL____MESSAGE__ # ----- # TIME_GENERATED_FORMAT # # Customize the appearance of the date and time within the EVENT_FORMAT. # The conversion of the date and time is done in PS by using: # get-date -format $time_generated_format $event_log_entry.TimeGenerated # format example # Default (iso-like) : yyyy-MM-dd HH:mm:ss (2013-06-13 19:23:17) # FullDateTimePattern: dddd, MMMM dd, yyyy h:mm:ss tt (Monday, May 28, 2012 11:35:00 AM) # German : dd.MM.yyyy HH:mm:ss (13.06.2013 19:23:17) # TIME_GENERATED_FORMAT = dd.MM.yyyy HH:mm:ss