Event Log Monitoring
Written by IT-Man

You do not need to enable Event Log monitoring. Critical and urgent conditions are detected automatically by the Panorama9 Agent and displayed as issues in the Dashboard, for example:

  • Hard disk problems

  • Degraded RAID

  • Backup issues (Microsoft, Symantec, CA Arcserve, Acronis, Veeam, etc.)

  • Windows Defender warnings

  • MS Exchange and SQL server issues

Best of all, you don’t have to do anything besides making sure you’re notified!

Panorama9 covers most topics from the Microsoft Event Log Monitor out of the box.

Because Panorama9 is about simplicity, there is no separate "Event Log Monitor Issues" tab. Instead, each issue is filed where it belongs: a "Symantec Backup Exec event detected" issue appears under "Availability --> Servers", and Windows Defender issues appear under "Vulnerability --> Antivirus".

Advanced users:

You can edit the rules and add your own events that should trigger an issue. Custom rules live in a file named monitor_rules.local.json in the folder where the P9 Agent is installed (e.g. C:\Program Files (x86)\Panorama9\monitor_rules.local.json).

The monitor_rules.local.json file does not exist by default, so it has to be created manually. All custom rules are then kept in monitor_rules.local.json.

To add rules, edit the monitor_rules.local.json file and add rules in the following format:

{
  "rules": [
    {
      "rule_id": "sqlrule1",                 # required, string: unique rule name
      "monitor": "eventlog",                 # required, string
      "match": {
        "log_name": "system",                # required, string: name of the event log
        "levels": "1,2",                     # required, string: comma-separated list of levels (see Appendix 1)
        "ids": "1,2,3,4,55,901",             # optional, string: comma-separated list of event IDs to match
        "excluded_ids": "5, 54",             # optional, string: comma-separated list of event IDs to ignore
        "source": "Print Spooler",           # optional, string: name of the source
        "task_category": "",                 # optional, string: category name (see Appendix 2)
        "keywords": "Classic",               # optional, string: keywords name
        "text": "??"                         # optional, string: text can be a simple regex
      },
      "restrictions": {
        "os_caption_must_contain": "server", # optional, string: case insensitive
        "os_type": "server"                  # optional, string: case insensitive
      },
      "action": {
        "issue_open": {
          "type": "service-running",         # required, string: custom, custom-compliance, custom-vulnerability, hardware-capacity, hardware-failure, service-running
          "id": "sqlrule1",                  # required, string: unique id; only letters, digits and space characters
          "message": "An event happened",    # required, string: Dashboard message
          "ttl": "30d"                       # required, string: 30d = 30 days, 30 = 30 hours
        }
      }
    }
  ]
}

The "#" annotations above explain each field and must not be copied into the real file: JSON does not allow comments, and every value except the last in an object needs a trailing comma. Note also that the two sample rules below use the issue type "custom-availability", which is not in the list of types given for "type" above; check which type your agent version accepts before relying on it.

A simple sample rule that detects events from source "disk" in the "System" log with level "critical" (level 1, see Appendix 1).

An issue would be created with the message "Harddrive error has been detected" and would be visible for 23 hours (a ttl without a "d" suffix is in hours):

{
  "rules": [
    {
      "rule_id": "Disk1",
      "monitor": "eventlog",
      "match": {
        "log_name": "System",
        "source": "disk",
        "levels": "1"
      },
      "action": {
        "issue_open": {
          "type": "custom-availability",
          "id": "Disk1",
          "message": "Harddrive error has been detected",
          "ttl": "23"
        }
      }
    }
  ]
}


An advanced sample rule that detects events from source "disk" in the "System" log with level "critical" (1), except events with ID 5 or 54, and only if the event text includes the word "harddisk" together with one of the four words "error", "corrupt", "bad" or "block" (in either order). In addition, the OS caption has to include the word "server" and the OS type has to be "server". An issue would then be created with the message "Harddrive error has been detected", visible for 23 hours:

{
  "rules": [
    {
      "rule_id": "Disk1",
      "monitor": "eventlog",
      "match": {
        "log_name": "System",
        "source": "disk",
        "excluded_ids": "5, 54",
        "text": "%(harddisk.*(error|corrupt|bad|block)|(error|corrupt|bad|block).*harddisk)%",
        "levels": "1"
      },
      "restrictions": {
        "os_caption_must_contain": "server",
        "os_type": "server"
      },
      "action": {
        "issue_open": {
          "type": "custom-availability",
          "id": "Disk1",
          "message": "Harddrive error has been detected",
          "ttl": "23"
        }
      }
    }
  ]
}
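Added example, not Panorama9's code: a small Python validator and dry-run harness for a monitor_rules.local.json file. It encodes the field semantics the format description and the two sample rules above spell out (comma-separated levels and IDs, excluded_ids, source, the %...% regex in "text", the two OS restrictions, the character set of the issue id and the ttl convention) and runs the advanced rule against a handful of constructed event records on a server and on a workstation. The page does not say how the agent itself evaluates a rule, so everything the code assumes about matching (case-insensitive comparisons, excluded_ids taking precedence over ids, stripping the % delimiters before applying the regex) is an assumption, and the event records and host descriptions are constructed, not real captures.

```python
"""Offline validator and dry-run for a Panorama9-style monitor_rules.local.json.

Added example, not Panorama9 code: it implements the field semantics the article
describes (comma-separated levels/ids, excluded_ids, source, %regex% text, OS
restrictions). The page does not say how the agent itself evaluates rules, so the
matching below (case-insensitive comparisons, excluded_ids overriding ids) is an
assumption.
"""
import json
import re

REQUIRED_RULE = ("rule_id", "monitor", "match", "action")
REQUIRED_MATCH = ("log_name", "levels")
REQUIRED_ISSUE = ("type", "id", "message", "ttl")
ISSUE_ID_RE = re.compile(r"^[A-Za-z0-9 ]+$")  # issue id: letters, digits and spaces only
TTL_RE = re.compile(r"^\d+d?$")               # "23" = 23 hours, "30d" = 30 days

def csv_ints(value):
    """'5, 54' -> {5, 54}; None or '' -> empty set. Raises ValueError on junk."""
    return {int(v) for v in value.split(",") if v.strip()} if value else set()

def validate_rules(doc):
    """Return a list of problems; an empty list means the file looks sane."""
    problems = []
    for i, rule in enumerate(doc.get("rules", [])):
        where = f"rules[{i}]"
        problems += [f"{where}: missing {k}" for k in REQUIRED_RULE if k not in rule]
        if rule.get("monitor") != "eventlog":
            problems.append(f'{where}: monitor must be "eventlog"')
        match = rule.get("match", {})
        problems += [f"{where}.match: missing {k}" for k in REQUIRED_MATCH if k not in match]
        for k in ("levels", "ids", "excluded_ids"):
            try:
                csv_ints(match.get(k))
            except ValueError:
                problems.append(f"{where}.match.{k}: must be a comma-separated list of integers")
        issue = rule.get("action", {}).get("issue_open", {})
        problems += [f"{where}.issue_open: missing {k}" for k in REQUIRED_ISSUE if k not in issue]
        if "id" in issue and not ISSUE_ID_RE.match(issue["id"]):
            problems.append(f"{where}.issue_open.id: only letters, digits and spaces allowed")
        if "ttl" in issue and not TTL_RE.match(str(issue["ttl"])):
            problems.append(f'{where}.issue_open.ttl: use hours ("23") or days ("30d")')
    return problems

def rule_matches(rule, event, host):  # assumed semantics, see module docstring
    m = rule["match"]
    if event["log_name"].lower() != m["log_name"].lower():
        return False
    if event["level"] not in csv_ints(m["levels"]):
        return False
    wanted = csv_ints(m.get("ids"))
    if wanted and event["id"] not in wanted:
        return False
    if event["id"] in csv_ints(m.get("excluded_ids")):
        return False
    for key in ("source", "task_category", "keywords"):  # exact, case-insensitive
        if m.get(key) and m[key].strip().lower() != str(event.get(key, "")).lower():
            return False
    text = m.get("text")
    if text:  # the article wraps the regex in %...%; strip the delimiters first
        pattern = text[1:-1] if len(text) > 1 and text[0] == text[-1] == "%" else text
        if not re.search(pattern, event["message"], re.IGNORECASE):
            return False
    r = rule.get("restrictions", {})
    if r.get("os_caption_must_contain") and r["os_caption_must_contain"].lower() not in host["os_caption"].lower():
        return False
    if r.get("os_type") and r["os_type"].lower() != host["os_type"].lower():
        return False
    return True

def dry_run(doc, events, host):  # {rule_id: [event ids that would open the issue]}
    return {rule["rule_id"]: [e["id"] for e in events if rule_matches(rule, e, host)]
            for rule in doc["rules"]}

# The article's advanced rule as a constructed JSON document (real JSON has no # comments).
RULES_JSON = """{"rules": [{"rule_id": "Disk1", "monitor": "eventlog",
  "match": {"log_name": "System", "source": "disk", "excluded_ids": "5, 54", "levels": "1",
            "text": "%(harddisk.*(error|corrupt|bad|block)|(error|corrupt|bad|block).*harddisk)%"},
  "restrictions": {"os_caption_must_contain": "server", "os_type": "server"},
  "action": {"issue_open": {"type": "custom-availability", "id": "Disk1",
                            "message": "Harddrive error has been detected", "ttl": "23"}}}]}"""
RULES = json.loads(RULES_JSON)

def ev(level, event_id, source, message):  # constructed System-log record, not a real capture
    return {"log_name": "System", "level": level, "id": event_id, "source": source, "message": message}

EVENTS = [
    ev(1, 7, "disk", "The device, \\Device\\Harddisk0\\DR0, has a bad block."),           # fires
    ev(1, 5, "disk", "The device, \\Device\\Harddisk0\\DR0, has a bad block."),           # id 5 is excluded
    ev(2, 11, "disk", "The driver detected a controller error on \\Device\\Harddisk1."),  # level 2, not 1
    ev(1, 7, "Ntfs", "A corruption was discovered on harddisk 0."),                      # wrong source
    ev(1, 9, "disk", "Disk 0 was surprise removed."),                                    # regex does not match
]
SERVER = {"os_caption": "Microsoft Windows Server 2019 Standard", "os_type": "server"}
WORKSTATION = {"os_caption": "Microsoft Windows 10 Pro", "os_type": "workstation"}

if __name__ == "__main__":
    print(validate_rules(RULES) or "no problems", dry_run(RULES, EVENTS, SERVER), dry_run(RULES, EVENTS, WORKSTATION))
```

Run it with python and adjust the rule until the dry run fires on exactly the events you expect; on the constructed input only event 7 fires, and only on the server host. To try a rule against real events, feed records built from Get-WinEvent output (Level, Id, ProviderName, Message, LogName) into rule_matches instead of the constructed list; mapping those properties onto the rule's field names is left to you, and the real agent may still evaluate a rule differently from this harness.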

Appendix 1. Event levels (values for the "levels" field)

  1  Critical      Indicates logs for a critical alert.
  2  Error         Indicates logs for an error.
  3  Warning       Indicates logs for a warning.
  4  Information   Indicates logs for an informational message.
  5  Verbose       Indicates logs at all levels.

Appendix 2. "task_category" values (used for filtering)

  0  None
  1  Devices
  2  Disk
  3  Printers
  4  Services
  5  Shell
  6  System Event
  7  Network

Do not make any changes to the monitor_rules.json file: it is continuously updated by Panorama9, and each update overwrites all changes made to it. Put custom rules in monitor_rules.local.json only.
