
Monitoring the Windows Server Event Log

Proactively monitor Windows Event Logs on your servers with the Nodinite Windows Server Monitoring Agent. Configure custom filters, receive actionable alerts, and leverage real-time metrics to ensure system health and compliance.

✅ Real-time monitoring of all Windows Event Logs
✅ Customizable filters for log source, level, provider, event ID, and content
✅ Actionable alerts and Remote Actions within role-based Monitor Views to resolve issues fast
✅ Visualize event log data with charts and dashboard widgets

Event Log items as Resources
Example list of monitored 'Event Log configurations' as resources in a Monitor View.


Overview: How Event Log Monitoring Works

Event Log monitoring helps you track important events on your Windows Servers and alert you when specific issues occur. Here's the basic concept:

graph LR
    A["Windows Server<br/>(Event Log)"] -->|monitored by| B["Event Log<br/>Configuration"]
    B -->|applies filters| C["Log Name, Level,<br/>Provider, Event ID,<br/>Content"]
    C -->|evaluates to| D["Resource State<br/>(OK / Error / Warning)"]
    D -->|displayed in| E["Monitor Views<br/>(Dashboard)"]
    E -->|actions| F["Clear Events<br/>List Events"]

In simple terms:

  1. You create an Event Log Configuration that specifies what to monitor (which log, what severity, which sources)
  2. The Nodinite agent checks the Event Log based on your configuration
  3. Each configuration appears as a Resource in your Monitor Views
  4. The resource shows a state (OK if no matching events, Error if events match your filter)
  5. You can take actions like clearing old events or viewing event details

Configuration Workflow

Here's how to set up Event Log monitoring:

graph TD
    A["Open Windows Server<br/>Configuration"] -->|click Event Log tab| B["Add Event Log Entry"]
    B -->|configure| C["Basic Settings<br/>(Name, Log, Description)"]
    C -->|configure| D["Source Filters<br/>(Severity Levels)"]
    D -->|configure| E["Providers & Event IDs<br/>(Optional)"]
    E -->|configure| F["Content Filters<br/>(Optional)"]
    F -->|configure| G["Advanced Options<br/>(Lookback time)"]
    G -->|save| H["Monitoring Begins"]
    H -->|appears as| I["Resource in Monitor View"]

Key Concepts

Resources and Categories

Monitored Event Log configurations are displayed within Nodinite as Resources. For example, if you have 2 Windows Server configurations with 2 and 3 Event Log configurations, you will have 5 'Event Log' resources in Nodinite.

  • Resource Name: Matches the Event Log configuration name
  • Category: All Event Log configurations belong to the "Event Log" category for easy filtering in Monitor Views
  • Application: Named after the Windows Server's Display Name from the configuration

Categories
Example of the Event Log category as a filter in a Monitor View.

State Evaluation

Each monitored Event Log configuration is evaluated into a state:

State | Meaning | Example
--- | --- | ---
OK | No matching events found | All services running normally
Error | One or more matching events found | Critical errors detected
Warning | Warning condition detected | Not commonly used (reserved for future use)
Unavailable | Configuration cannot be evaluated | Server unreachable or invalid configuration

You can customize state evaluation for individual resources using the Expected State feature.

Note

Depending on the user-defined synchronization interval set for the Windows Server Monitoring Agent, there might be a delay before the Nodinite Web Client and Monitor Views reflect changes. Click the Sync All button to force a resynchronization.

Sync
Option to force Nodinite to request a resynchronization with the monitoring agent.


Available Filter Options

When creating an Event Log configuration, you can apply the following filters to focus on the events that matter to you:

Filter | Description | Example
--- | --- | ---
Log Name | Which Windows Event Log to monitor | Application, System, Security
Log Level | Severity of events to include | Information, Warning, Error, Critical
Provider | Source or component that logged the event | SQL Server, IIS, Custom Application
Event ID | Specific event numbers to monitor | 1000, 2001, 4625
Content | Text or pattern matching in event data | Error keywords, specific values (exact match or RegEx)

Understanding Event States

State Evaluation for the Event Log


Taking Action on Event Logs

When events match your filters, you can take immediate action. The Event Log category supports these remote actions:

graph LR
    A["Event Log Resource<br/>in Error State"] -->|Action Menu| B{Choose Action}
    B -->|Clear| C["Remove old events<br/>by timestamp"]
    B -->|List Events| D["View matching<br/>event details"]
    C -->|Result| E["Events cleared from<br/>monitoring"]
    D -->|Result| F["Modal shows filtered<br/>events with details"]

Available Actions

For the Event Log category, you can perform the following Remote Actions:

  • Clear - Remove old events from consideration
  • List Events - View detailed information about matching events

Detailed State Evaluation

For the Event Log category, the monitored state evaluates as follows:

State | Description | Available Actions
--- | --- | ---
Unavailable | Server can't be reached or configuration is invalid | Review prerequisites
Error | Event Log contains one or more matching events | Clear, List Events
Warning | Warning condition detected | None (reserved for future use)
OK | Event Log contains zero matching events | Clear, List Events

Actions


Clear

The Clear action removes old events from monitoring consideration. This is useful for resetting the monitoring state after acknowledging existing issues.

How it works:

  • A timestamp filter is applied to exclude events older than the clear date
  • The clear date is set to the moment you click the Clear action (or when manually edited)
  • This effectively "resets" the monitoring, so only new events matching your filters will be detected

To clear events:

  1. In a Monitor View, find your Event Log resource
  2. Click the Action button
  3. Select Clear from the menu

Clear Menu Action
Example to ignore previous Log Events using the 'Clear' action.

You will be prompted to confirm the operation:

Clear intent modal
Example of the 'Clear' prompt.

Upon successful completion:

Clear Success
Example of a successful clear operation.

List Events Action

The List Events action displays all events matching your configured filters. This helps you see exactly what triggered the Error state and investigate issues in detail.

To view matching events:

  1. In a Monitor View, find your Event Log resource in Error state
  2. Click the Action button
  3. Select List Events from the menu

List Events Menu Action
Open filtered Log Events modal, using the 'List Events' action.

A modal appears showing all matching events:

List Events modal
Example of the 'List Events' modal.

Viewing event details:

You can expand any event entry to see more information:

Details for Log Event

To view the raw XML structure of an event, click the View as XML tab:

View as XML
Logged event as XML.

At the bottom of the modal, you can review the configuration settings used for this Event Log (read-only):

Details
Example of settings for this Event Log Configuration.


Configuring Event Log Monitoring

To enable monitoring and provide end-users access to the Event Log on the target Windows Server, create one or more configuration entries. Use the Remote Configuration to manage the Event Log configuration entries.

Configuration Overview

The configuration is organized into several sections:

graph TD
    A["Event Log Configuration"] -->|Basic| B["Name, Description,<br/>Log Name"]
    A -->|Source| C["Severity Levels,<br/>Providers,<br/>Event IDs,<br/>Content Filters"]
    A -->|Options| D["Log Text Settings"]
    A -->|Advanced| E["Lookback Time,<br/>Clear History"]
    B -->|Result| F["Ready to Monitor"]
    C -->|Result| F
    D -->|Result| F
    E -->|Result| F

Event Log Tab

Click the Event Log tab to manage Event Log-related monitoring options.
Event Log tab
Example of the 'Event Log' configuration tab.

Add an Event Log Entry to monitor by clicking the Add button:
Add Event Log Entry

Expand the accordion to enter options:

  • Enable Event Log Monitoring for this configuration - When checked, monitoring is enabled. Otherwise, it is disabled.

Event Log Basic Tab

Click the Basic tab to manage Event Log-related monitoring options.
Event Log Entry

  • Event Log Configuration Name - The 'Resource' name as presented in the Monitor Views for end-users.
  • Description - User-friendly short description for this configuration.
  • Log Name - The name of the 'Windows Event Log' (Application, System, Security, ...) from where to look for events according to user-defined options.

Event Log Source Tab

Click the Source tab to manage what to include from the Event Log.
Event Log Source tab
Example of the 'Event Log Source' tab.

  • Information - When checked, include Informational events
  • Warning - When checked, include Warning events
  • Error - When checked, include Error events
  • Critical - When checked, include Critical events

Include the following Providers

You can filter on named providers. There can be any number of providers added to the list.

Include Providers
Option to include Log Events from the specific provider.

Providers not listed are excluded from monitoring.

Include the following Event IDs

You can filter on specific Event IDs. There can be any number of Event IDs added to the list.

Include Event Id
Example of the option to include a specified Log Event Id.

Note

Event IDs not part of the list are NOT monitored.

Include matches from the 'EventData' data structure

You can filter on specific content using an exact string match or a regular expression (RegEx). There can be any number of such filters.
Content based filter

Click the Add button to add an empty configuration.
Empty configuration

Click the chevron icon to expand the accordion:
Expanded empty configuration

  • Filter by Name attribute
    • Optional: Filters by the 'Name' attribute on the 'Example Value' element.
    • NOTE: This is case sensitive.
  • Operator - The operator used to compare
    • Equals: Exact match. Uses XPath for better performance and less overhead.
    • RegEx: More advanced options but less performant.
  • Value to match - Filters by the value of the 'Example Value' elements.
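The two operators above behave differently on the event's XML. The following is an added example, not Nodinite's code, showing one way to evaluate such a content filter against a record in the "View as XML" shape: the Equals operator is implemented as an XPath attribute predicate plus an exact text comparison (so the Name attribute is case-sensitive, as noted above), and the RegEx operator as an unanchored regular-expression search. The sample record and its values are constructed; the field names follow the shape of a Security 4625 event.

```python
"""Added example (not Nodinite's code): evaluate an 'EventData' content filter with
the Equals or RegEx operator against a Windows event's XML."""
import re
import xml.etree.ElementTree as ET

# Namespace of the event XML shown by "View as XML".
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Constructed sample record (shape of a Security 4625 failed-logon event; all values invented).
SAMPLE_EVENT_XML = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing"/>
    <EventID>4625</EventID>
    <Channel>Security</Channel>
  </System>
  <EventData>
    <Data Name="TargetUserName">svc_backup</Data>
    <Data Name="LogonType">3</Data>
    <Data Name="IpAddress">192.0.2.10</Data>
  </EventData>
</Event>"""


def content_filter_matches(event_xml, value, operator="Equals", name=None):
    """Return True when at least one EventData/Data element satisfies the filter.

    name     -- optional value of the Data element's 'Name' attribute; the XPath
                attribute predicate compares it case-sensitively
    operator -- "Equals": exact, whole-value comparison of the element text
                "RegEx":  re.search over the element text (unanchored unless the
                          pattern anchors itself)
    """
    if name is not None and ("'" in name or '"' in name):
        # The name is spliced into an XPath predicate; reject quotes rather than
        # let a filter string rewrite the query.
        raise ValueError("Name attribute filter must not contain quotes")

    root = ET.fromstring(event_xml)
    path = "e:EventData/e:Data"
    if name is not None:
        path += f"[@Name='{name}']"          # XPath predicate on the Name attribute
    texts = [(el.text or "") for el in root.findall(path, NS)]

    if operator == "Equals":
        return value in texts
    if operator == "RegEx":
        pattern = re.compile(value)
        return any(pattern.search(t) for t in texts)
    raise ValueError(f"unsupported operator: {operator}")


if __name__ == "__main__":
    print(content_filter_matches(SAMPLE_EVENT_XML, "svc_backup", "Equals", name="TargetUserName"))  # True
    print(content_filter_matches(SAMPLE_EVENT_XML, "svc_backup", "Equals", name="targetusername"))  # False
    print(content_filter_matches(SAMPLE_EVENT_XML, r"^svc_", "RegEx", name="TargetUserName"))       # True
```

The Equals path lets the XML engine do the selection and only compares whole values, which is why it is the cheaper choice; RegEx has to compile a pattern and scan every candidate value. The quote check exists because the Name filter is spliced into the XPath expression.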

Event Log Options Tab

Click the Options tab to manage additional options for monitoring the Event Log.
Event Log Options Tab
Event Log options.

  • Set 'Log text' from last Event Log entry - When checked, the 'Log Text' for the monitored resource comes from the oldest event record in the filtered list.

Event Log Advanced Tab

Click the Advanced tab to manage additional options for monitoring the Event Log.
Event Log Advanced Tab
'Advanced' Event Log options tab.

  • Max lookback time - This input determines the maximum amount of time in days to look back in the event log.
  • Clear Settings - List of Windows Servers with a Clear Date and Time set. NOTE: The match is based on the address. If you change the address, the clear settings will be removed unless you update both the server and clear settings simultaneously.

    Whenever a User, or the system, executes any of the Clean IIS Log Files.
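The state evaluation described under "Detailed State Evaluation", the timestamp filter applied by the Clear action, the Options tab's 'Log text' setting and the Advanced tab's 'Max lookback time' all combine into one evaluation per configuration. The following is an added example, not Nodinite's code, that models that evaluation over constructed event records: level, provider and event ID filters from the Source tab, the lookback window, and a Clear date that excludes everything not newer than it. Two assumptions are labelled in the code: an empty provider or event ID list means no restriction, and an event with exactly the Clear timestamp counts as cleared. Provider names, event IDs and messages in the sample data are illustrative only.

```python
"""Added example (not Nodinite's code): evaluate an Event Log configuration into a
resource state (OK / Error) over constructed event records, applying the Source
filters, the max lookback time and a Clear date as the page describes."""
from dataclasses import dataclass, field, replace
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Set, Tuple


@dataclass(frozen=True)
class EventRecord:
    """One event as read from a Windows Event Log."""
    log_name: str
    time_created: datetime
    level: str            # "Information", "Warning", "Error" or "Critical"
    provider: str
    event_id: int
    message: str


@dataclass(frozen=True)
class EventLogConfig:
    """Mirrors the Basic / Source / Options / Advanced settings on the page."""
    name: str
    log_name: str
    levels: Set[str]
    providers: Set[str] = field(default_factory=set)  # assumption: empty = no provider restriction
    event_ids: Set[int] = field(default_factory=set)  # assumption: empty = no event ID restriction
    max_lookback_days: int = 1
    clear_date: Optional[datetime] = None             # set by the Clear action
    log_text_from_last_entry: bool = True             # Options tab setting


def matching_events(cfg: EventLogConfig, events: List[EventRecord], now: datetime) -> List[EventRecord]:
    """Apply every filter of the configuration; the result is sorted oldest first."""
    lookback_start = now - timedelta(days=cfg.max_lookback_days)
    matched = []
    for ev in events:
        if ev.log_name != cfg.log_name:
            continue
        if ev.time_created < lookback_start:
            continue                      # outside the max lookback window
        if cfg.clear_date is not None and ev.time_created <= cfg.clear_date:
            continue                      # cleared: not newer than the Clear date (assumption: boundary inclusive)
        if ev.level not in cfg.levels:
            continue
        if cfg.providers and ev.provider not in cfg.providers:
            continue
        if cfg.event_ids and ev.event_id not in cfg.event_ids:
            continue
        matched.append(ev)
    return sorted(matched, key=lambda e: e.time_created)


def evaluate(cfg: EventLogConfig, events: List[EventRecord], now: datetime) -> Tuple[str, str, List[EventRecord]]:
    """Return (state, log_text, matched): OK with zero matches, Error otherwise.

    With 'Set Log text from last Event Log entry' checked, the log text comes
    from the oldest record in the filtered list, as the Options tab describes."""
    matched = matching_events(cfg, events, now)
    state = "Error" if matched else "OK"
    log_text = matched[0].message if (matched and cfg.log_text_from_last_entry) else ""
    return state, log_text, matched


def clear(cfg: EventLogConfig, clear_at: datetime) -> EventLogConfig:
    """The Clear action: store the timestamp so only events newer than it count."""
    return replace(cfg, clear_date=clear_at)


# Constructed sample data; providers, IDs and messages are illustrative only.
NOW = datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)
CLEAR_AT = NOW - timedelta(hours=1)
SAMPLE_EVENTS = [
    EventRecord("Application", NOW - timedelta(hours=2), "Error", "MSSQLSERVER", 1000, "Login failed for user 'app'"),
    EventRecord("Application", NOW - timedelta(days=3), "Critical", "MSSQLSERVER", 2001, "Database unavailable"),
    EventRecord("Application", NOW - timedelta(minutes=30), "Information", "MSSQLSERVER", 1000, "Service started"),
    EventRecord("Application", NOW - timedelta(hours=1), "Error", "IIS", 1000, "Worker process failed"),
    EventRecord("System", NOW - timedelta(hours=1), "Error", "Kernel-General", 1000, "Unexpected shutdown"),
]

# "Monitor SQL Server Errors" from the Common Scenarios table, with a one-day lookback.
SQL_ERRORS = EventLogConfig("SQL Server Errors", "Application", {"Error", "Critical"},
                            providers={"MSSQLSERVER"}, max_lookback_days=1)
# The same configuration with a wider window and no provider restriction.
WIDE_CONFIG = replace(SQL_ERRORS, name="Application errors (7 days)", max_lookback_days=7, providers=set())

if __name__ == "__main__":
    for cfg in (SQL_ERRORS, clear(SQL_ERRORS, CLEAR_AT), WIDE_CONFIG):
        state, text, matched = evaluate(cfg, SAMPLE_EVENTS, NOW)
        print(f"{cfg.name}: {state} ({len(matched)} matching), log text: {text!r}")
```

Running it shows the three behaviours the page describes: the one-day SQL Server configuration is in Error because of a single matching record, clearing it one hour ago returns it to OK without touching the log itself, and widening the lookback to seven days with no provider filter pulls in older and unrelated errors, which is the performance and noise trade-off the Summary warns about.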


Summary & Best Practices

Getting Started Checklist

To start monitoring Event Logs on your Windows Servers:

  1. Configure Event Log Entries - Create at least one configuration per server that specifies which log to monitor
  2. Set Appropriate Filters - Focus on the events that matter; avoid monitoring all events, which can impact performance
  3. Create a Monitor View - Group related Event Log resources for your operations team to review
  4. Review Regularly - Monitor Event Log resources and investigate Error states promptly
  5. Adjust Filters as Needed - Refine your configurations to reduce false positives and focus on real issues

Performance Considerations

  • Max Lookback Time: Set this appropriately to your needs. Larger lookback windows mean more event data to scan each cycle
  • Content Filters: Use Equals matching instead of RegEx when possible for better performance
  • Synchronization Interval: The agent synchronization interval affects monitoring responsiveness; balance with load
  • Event Volume: Servers with very high event log activity may need more focused filtering to be practical

Common Scenarios

Scenario | Recommended Configuration
--- | ---
Monitor SQL Server Errors | Log: Application, Providers: SQL Server, Level: Error/Critical
Track Authentication Failures | Log: Security, Event IDs: 4625 (failed login)
Monitor IIS Warnings | Log: Application, Providers: IIS/ASP.NET, Level: Warning/Error
General System Health | Log: System, Level: Error/Critical, exclude informational noise

Next Step

Add or manage Monitor View
