Monitoring Windows events is an essential aspect of maintaining the health and performance of Windows devices and keeping them running smoothly. You can monitor Windows events using Atera's threshold profiles to receive real-time alerts when specific events occur.
Note:
- Windows event alerts can't be snoozed
- Alerts generated by Windows events do not auto-resolve
- One alert is generated for each unique combination of Event ID and Event Source within a 60-minute time period; further occurrences of the same Source/Event ID pair within that hour do not raise additional alerts.
Windows Event Log overview
What is the Windows Event Log?
The Windows Event Log is a detailed record of events that occur within Windows operating systems, including system, application, and security events.
Event ID and Source explained
Each Windows event has both an Event ID and a Source Name.
- Event ID: A unique identifier for each recorded event in the Windows event log, providing information on the type or action of the event.
- Source Name: Indicates the software component or application that generated the event which helps in determining its root cause.
Together, the Event ID and Source identify an event and carry context such as the event level (Information, Warning, Error, Critical) and its origin. The ID on its own is not enough: Event IDs are only unique within a source, so unrelated events from different components can share the same number. For example, Event ID 4624 in the Security log (source Microsoft-Windows-Security-Auditing) is logged for every successful logon, whether at the console or over Remote Desktop; the difference is recorded in the event's Logon Type field (2 for interactive, 10 for RemoteInteractive), not in a different source or ID. Remote Desktop sessions are additionally recorded by the Microsoft-Windows-TerminalServices-LocalSessionManager source, which uses its own IDs (Event ID 21 for a successful session logon) in its Operational log.
Viewing Windows Event information
The Event Viewer tool can be used to view information about Windows events, including the Event ID and Source mentioned above, as well as the event level, description, time the event occurred, and more. The section 'How to find the Source Name and Event ID' below explains where to find the Event ID and Source Name for a given event in the Event Viewer.
Monitor Windows events by log category
Windows organizes event logs by category to help users quickly locate and manage relevant events. You can configure a Windows threshold item in Atera to monitor all Windows events within the following categories/logs.
- Events Applications
- Events Security
- Events Setup
- Events System
Configure a threshold item to monitor events by Windows log category
1. From Admin (on the sidebar), click Thresholds.
The Threshold Profiles page appears.
2. Select the profile to which you want to add an item for monitoring Windows events, or add a new profile. The Edit Threshold page appears.
3. Click New item. The Threshold item window appears. Click the Custom tab.
4. You can give the threshold item a 'friendly name', which will appear on the alerts (optional).
5. From the Category dropdown, choose the Windows event log category you want to monitor, such as 'Events Applications', 'Events Security', 'Events Setup', or 'Events System'. For this example we have selected 'Events Security.'
6. Choose the 'Event Severity' that matches the Microsoft event level you want to alert on. For example, to receive alerts for every Critical or Error event in the Windows System log, select 'Critical'. Note that events in the Security log are audit records written at the Information level (they are distinguished by the Audit Success and Audit Failure keywords, not by level), so a Security item set to 'Warning' or 'Critical' will match few if any events; use 'Information' and narrow the scope with exclusions, or use an 'Events by Source' item instead.
7. To exclude specific Windows events within this category from generating alerts in Atera, add their corresponding Event IDs to the threshold item under 'Events to Exclude.' This will help you filter out irrelevant or low-priority events.
Note: A threshold item configured by log category matches every event the agent sees in that log at the selected severity and can therefore generate a large number of alerts. To receive alerts for specific events only, select the 'Events by Source' category in the threshold item window. This lets you monitor events by their source and/or Event ID rather than by log category, for more granular and targeted alerts.
Monitor specific Windows events by source and/or Event ID
Filtering by source/Event ID
How it works
You can configure a threshold item in Atera to trigger an alert for a Windows event using the Windows Event ID, Event source, or a combination of both.
Event ID: When you set up an alert based on Event ID, you will be alerted whenever a Windows event with the specified ID(s) occurs, regardless of the source. This is useful when you want to monitor specific events that share a common Event ID, regardless of where they come from. Because IDs are reused across sources, an ID-only item can also fire on unrelated events from other sources in the same log.
Source: If you set up an alert based on Source Name, you will be alerted whenever a Windows event occurs from the specified source(s), regardless of the Event ID. This is useful when you want to monitor events from a specific source, such as a specific application or component.
Source and Event ID: When you set up an alert based on both the Source Name and Event ID, you will be alerted only when a Windows event with the specified ID occurs from the specified source. This is useful when you want to monitor specific events from a particular source, rather than all events that share a common Event ID.
How to find the Source Name and Event ID
To find the Source Name and Event ID for the Windows event:
1. Open the Windows Event Viewer > Navigate to the relevant built-in log or custom log.
2. Click the Windows event you want to monitor from the list.
Below the list of Windows events, the General tab shows additional details about the event, such as the Event ID, Log Name, and Level.
3. Click the Details tab and then XML view.
The 'Provider Name' in the XML view corresponds to the 'Source Name' field in Atera, and the 'EventID' in the XML view corresponds to the 'Event ID' field in Atera. Use the Provider Name exactly as it appears in the XML view: the Source shown on the General tab can be a display name that differs from it (for example, 'Microsoft Windows security auditing' on the General tab versus 'Microsoft-Windows-Security-Auditing' in the XML).
4. Copy the Provider Name and EventID from the XML view and paste them into the corresponding fields in the Threshold Item window in Atera.
Alert Severity for Events by Source
Atera offers flexible options for configuring a threshold item to display alerts for Windows events.
- Windows Event Severity: Determines when to trigger an alert for the event based on the Microsoft event level
- Alert Severity: The alert severity that will be presented in Atera
The following Microsoft event levels correspond to the 'Windows Event Severity' levels in Atera:
Microsoft Event Level | 'Windows Event Severity' in Atera
Information | Information
Warning | Warning
Critical and Error | Critical
Note: The 'Alert Severity' field does not have to match the 'Windows Event Severity' field — This allows you to customize the severity level of the alert to better suit your needs and priorities.
Configure a threshold item to monitor Windows events by source
1. From Admin (on the sidebar), click Thresholds.
The Threshold Profiles page appears.
2. Select the profile to which you want to add an item for monitoring a specific Windows event, or add a new profile. The Edit Threshold page appears.
3. Click New item. The Threshold item window appears. Click the Custom tab.
4. Under Category, select Events by Source.
5. Under Source Folder, select a Windows log category from the dropdown menu, or select 'Other' to add a Custom Folder.
If you selected 'Other' to add a Custom Folder/Log, you must enter the Custom Folder/Log name. This can be found by taking the following steps:
- Open the Windows Event Viewer > right click on the events log > click Properties.
- The Log Properties window opens. Copy the 'Full Name' of the Log.
- Paste the name into the Custom Folder field in Atera.
6. Select the 'Windows Event Severity' level for the Windows event from the dropdown menu.
7. Define the 'Alert Severity' level for the corresponding alert to be generated in Atera. You can choose to match the Microsoft event level or override it with your preferred alert severity level.
8. Enter the Source Name and/or Event IDs for the Windows event you want to monitor. To find them, follow the steps in 'How to find the Source Name and Event ID' above.
Note: You can add multiple Source Names, Event IDs, or a combination of both by separating each with a comma.
9. Attach an auto-healing script (optional).
10. Click Add.
You're all set! Alerts generated from Windows events appear on the Alerts page and in your dashboard.
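The PowerShell below is an added example and is not part of the Atera article or the Atera product. It serves the steps above for both kinds of threshold item (by log category, and by source and/or Event ID), and the 'How to find the Source Name and Event ID' and Custom Folder 'Full Name' steps: run on the monitored device, Find-EventSourceFields lists the Provider Name, Event ID and log Full Name values the Threshold item fields expect, and Test-EventThresholdItem previews which events an item with the given settings would match and how many alerts it would raise under the one-alert-per-Source/ID-per-60-minutes rule. The function names, parameter names, and the log names, Event IDs and severities in the usage lines are assumptions for illustration; the 60-minute window is modelled as a rolling window because the article does not say whether it is rolling or clock-aligned.

```powershell
# Added example, not part of the Atera article or the Atera product. Run in an
# elevated PowerShell session on the monitored Windows device.
# Find-EventSourceFields lists the Source Name / Event ID / log Full Name values
# the Threshold item fields expect; Test-EventThresholdItem previews which events
# an item would match and how many alerts it would raise.

function Find-EventSourceFields {
    param(
        # Log name, wildcards allowed, e.g. 'System' or '*LocalSessionManager*'
        [Parameter(Mandatory)] [string] $LogName,
        [int] $MaxEvents = 1000
    )
    foreach ($log in Get-WinEvent -ListLog $LogName -ErrorAction Stop) {
        Get-WinEvent -LogName $log.LogName -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
            Group-Object ProviderName, Id |
            ForEach-Object {
                [pscustomobject]@{
                    LogFullName = $log.LogName               # Custom Folder/Log field ('Full Name' in Log Properties)
                    SourceName  = $_.Group[0].ProviderName   # Source Name field (XML 'Provider Name')
                    EventId     = $_.Group[0].Id             # Event ID field (XML 'EventID')
                    Level       = $_.Group[0].LevelDisplayName
                    Count       = $_.Count
                }
            } | Sort-Object Count -Descending
    }
}

function Test-EventThresholdItem {
    param(
        # Source Folder / Custom Folder: the log's Full Name
        [Parameter(Mandatory)] [string] $LogName,
        # 'Windows Event Severity' as shown in Atera
        [ValidateSet('Information', 'Warning', 'Critical')] [string] $WindowsEventSeverity = 'Critical',
        # Source Name field: comma-separated provider names; empty = any source
        [string] $SourceNames = '',
        # Event IDs field: comma-separated IDs; empty = any ID
        [string] $EventIds = '',
        # Events to Exclude field: comma-separated IDs
        [string] $ExcludeIds = '',
        [timespan] $LookBack = [timespan]::FromHours(24)
    )

    # Atera severity -> Windows Level values, as Event Viewer's own filter maps them.
    # Security audit events are written at Level 0 (LogAlways) and shown as Information.
    $levels = switch ($WindowsEventSeverity) {
        'Information' { 0, 4 }
        'Warning'     { 3 }
        'Critical'    { 1, 2 }
    }

    # Split the comma-separated fields into arrays, dropping blanks
    $splitList = { param($s) @($s -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ }) }
    $sources = @(& $splitList $SourceNames)
    $ids     = @(& $splitList $EventIds   | ForEach-Object { [int]$_ })
    $exclude = @(& $splitList $ExcludeIds | ForEach-Object { [int]$_ })

    # Server-side filter; FilterHashtable accepts arrays for Level, Id and ProviderName
    $filter = @{ LogName = $LogName; Level = $levels; StartTime = (Get-Date) - $LookBack }
    if ($sources.Count -gt 0) { $filter['ProviderName'] = $sources }
    if ($ids.Count -gt 0)     { $filter['Id'] = $ids }

    $events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $exclude -notcontains $_.Id } |
        Sort-Object TimeCreated)

    # One alert per unique (Source, Event ID) per 60 minutes. A rolling window
    # starting at the first matching event is assumed (the article does not say
    # whether the window is rolling or clock-aligned).
    $alerts = foreach ($group in ($events | Group-Object ProviderName, Id)) {
        $nextAllowed = [datetime]::MinValue
        foreach ($e in $group.Group) {
            if ($e.TimeCreated -ge $nextAllowed) {
                [pscustomobject]@{
                    SourceName = $e.ProviderName
                    EventId    = $e.Id
                    Level      = $e.LevelDisplayName
                    FirstSeen  = $e.TimeCreated
                    Summary    = ([string]$e.Message -split "`n")[0]
                }
                $nextAllowed = $e.TimeCreated.AddMinutes(60)
            }
        }
    }

    [pscustomobject]@{
        MatchingEvents  = $events.Count
        EstimatedAlerts = @($alerts).Count
        Alerts          = @($alerts)
    }
}

# Usage (log names, IDs and severities below are assumed values for illustration):
# Find-EventSourceFields -LogName '*TerminalServices-LocalSessionManager*' | Format-Table
# Test-EventThresholdItem -LogName 'System' -WindowsEventSeverity 'Critical' -ExcludeIds '41'
# Test-EventThresholdItem -LogName 'Security' -WindowsEventSeverity 'Information' `
#     -SourceNames 'Microsoft-Windows-Security-Auditing' -EventIds '4625, 4740' -LookBack ([timespan]::FromHours(1))
```

Run Find-EventSourceFields first to confirm the exact Provider Name and the log's Full Name, then Test-EventThresholdItem with the same values you intend to enter in the Threshold item window; if EstimatedAlerts is far higher than MatchingEvents suggests is useful, tighten the Event IDs or add exclusions before saving the item.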