Event-Based Tables

Event-Based Tables display data related to events — typically Windows Event Logs, SNMP Traps, ASCII Logs, etc.

Important Note: The first and second columns of an Event Table are reserved for the Date/Time and Node Name

Event Data

The Event Data section is used to define what will be displayed in what column

You can drag-and-drop to change the order of the columns

Event Data has a finite set of fields to read from, namely:

  • CATEGORY
  • DESCRIPTION
  • EVENT_ID
  • EVENT_USER
  • LOG_TYPE
  • SEVERITY
  • SOURCE
  • USER_DATA_1 to USER_DATA_10

These fields correspond to the database fields seen in the Archived Logs SQL tables in Argent for Compliance or Argent for Security

Refer to the data in the Archived Logs SQL table to see how each of the different fields is represented in order to create a report that meets your needs

Filters

One of the main differences between Argent Tables and Argent Graphs is the inclusion of Filters

Filters are located on the second “tab” in the Event Data popup

Filters are always combined with the filters on other columns using an implicit AND operation

For example, let’s say we have the following data:

| Date | Event ID | Event User |
|---|---|---|
| 1 Nov 2011 10:00 | 529 | John.Doe |
| 1 Nov 2011 11:00 | 632 | John.Doe |
| 1 Nov 2011 12:00 | 529 | Fred.Smith |

If we had a filter on Event ID = 529

And

If we had a filter on Event User = John.Doe

We would end up with just one line from the example above:

| Date | Event ID | Event User |
|---|---|---|
| 1 Nov 2011 10:00 | 529 | John.Doe |

It is the only line that matches Event ID = 529 AND Event User = John.Doe

Columns can also be set to ‘Do Not Display The Column, Only Use It As A Filter’, which allows the column to be used as a filter without displaying it

Data List

Data Lists are a type of definition in Argent for Compliance or Argent for Security, used to define where data is stored

For instance, a Data List would tell us the database type, database server, database name, and the table where data is stored

The available Data Lists are automatically populated for you

Show Occurrence Count

If you prefer listing out the occurrence counts of, say, all Event 529s instead of listing them out individually, then simply check this box

When this box is checked, the layout of the table changes, and some options, such as Maximum Lines Per Node or adding the Event Description, are disabled (no longer applicable)

Additionally, when this box is checked, the Maximum Lines Per Node option changes to “Show Top X Entries” so that Top X Reports can be created

You can also choose the sort order when this option is checked

Only Display Nodes With At Least X Lines Or Occurrence Count (Calculated After Filters)

When applying a Report to an entire Monitoring Group, you may come across servers that don’t have the data, or don’t have data that match the filters.

Instead of displaying masses of empty tables that say “No data could be found…”, you can simply not display a table for a node if it doesn’t have at least X number of lines

Maximum Lines Per Node

For Event-Based tables, there is a maximum line count

Unlike Performance tables, where data is aggregated into time buckets (and thus has a finite and controlled number of lines), events are a completely different beast and cannot be aggregated

For instance, if a few of your servers each have 50,000 Event ID 529s in the past week, and you’re running the data against a Monitoring Group of 1,000 servers, fetching the data for every node and writing and producing the PDF would take an inordinate amount of time, not to mention the PDF could have 10,000+ pages

Thus, Argent has set a limit of 100 lines, which is the maximum number of lines that will be displayed per node for the specified Report Definition

Argent will always show the latest or most recent X lines

To prevent confusion for the recipient, there will also be a label next to the node specifying the displayed line count and the total lines that exist

Let’s say, for a particular server called ARGENT-SVR1, we have 42,580 Event ID 529’s

We only want to show the latest 30 lines in the table

The table would be headed with: ARGENT-SVR1 (Showing Last 30 of 42,580 Lines)

Show Top X Entries

This option only appears when “Show Occurrence Count” is checked

This option lists out only the Top X Entries

Add Corresponding ‘Event Description’ Under Each Line

The Event Description or event body will be added under each line

Do Not Show Duplicate Entries

Sometimes, Windows servers will write duplicate event entries with the exact same timestamp, event ID, source, description, etc.

This checkbox will ignore these exact duplicates when performing occurrence counts or listing event entries.

There are two options:

  • With The Exact Date/Time (weeds out duplicates with the exact date/time)
  • With The Exact Date (weeds out duplicates only with the exact date, ignoring the time portion)
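
The Filters, Do Not Show Duplicate Entries, Maximum Lines Per Node and Show Occurrence Count options described on this page, modelled in Python as an added example (this is not Argent's code). The row layout, function names and sample events are constructed for illustration; the duplicate key covers only the fields present in the sample, and the heading is assumed to be produced for every node.

```python
from collections import Counter
from datetime import datetime

# Constructed sample rows (NODE, date/time, EVENT_ID, EVENT_USER); not real log data.
ROWS = [
    ("ARGENT-SVR1", "2011-11-01 10:00", 529, "John.Doe"),
    ("ARGENT-SVR1", "2011-11-01 10:00", 529, "John.Doe"),  # exact duplicate
    ("ARGENT-SVR1", "2011-11-01 11:00", 632, "John.Doe"),
    ("ARGENT-SVR1", "2011-11-01 12:00", 529, "Fred.Smith"),
    ("ARGENT-SVR1", "2011-11-01 13:00", 529, "John.Doe"),
    ("ARGENT-SVR1", "2011-11-02 09:00", 529, "John.Doe"),
]
EVENTS = [dict(NODE=n, WHEN=datetime.strptime(t, "%Y-%m-%d %H:%M"),
               EVENT_ID=e, EVENT_USER=u) for n, t, e, u in ROWS]


def apply_filters(events, **filters):
    """Keep rows matching every filter (implicit AND across columns)."""
    return [ev for ev in events if all(ev[k] == v for k, v in filters.items())]


def drop_duplicates(events, exact_time=True):
    """Drop repeated rows, comparing the full date/time or the date only."""
    seen, kept = set(), []
    for ev in events:
        when = ev["WHEN"] if exact_time else ev["WHEN"].date()
        key = (ev["NODE"], when, ev["EVENT_ID"], ev["EVENT_USER"])
        if key not in seen:
            seen.add(key)
            kept.append(ev)
    return kept


def latest_lines(events, node, max_lines):
    """Return the table heading and the most recent max_lines rows for a node."""
    rows = sorted((ev for ev in events if ev["NODE"] == node), key=lambda ev: ev["WHEN"])
    shown = rows[-max_lines:] if max_lines > 0 else []
    return f"{node} (Showing Last {len(shown)} of {len(rows):,} Lines)", shown


def top_entries(events, column, top_x):
    """Occurrence count per value of a column, highest first, limited to top_x."""
    return Counter(ev[column] for ev in events).most_common(top_x)
```

Filtering before counting mirrors the "Calculated After Filters" wording above: a node's line or occurrence count is taken from the rows that survive the filters, not from the raw log.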