WhatsUp Gold User's Guide v8.0 - Logging and Reporting Activities

Logging and Reporting Activities

WhatsUp Gold logs activities in the Activity Log and lets you create reports based on the data. The activity log stores its data in weekly file increments with the following file format: (EV-yyyy-mm-dd.tab).

WhatsUp Gold automatically logs application-level activities (such as opening or closing a map) and device-specific activities (such as a device or service going down) for devices that have Enable Logging selected on the Alerts dialog box. After WhatsUp Gold logs sufficient data, you can generate reports on the data or save the data in a tab-delimited file format that can be imported to another application.

The following sections describe the types of entries logged, how you can modify activity logging, and how you can generate reports on the activities.

Actions that Trigger Entries in the Activity Log File

WhatsUp Gold records activities in the log (EV-yyyy-mm-dd.tab in the WhatsUp Gold directory) as they occur. WhatsUp Gold logs the following types of activities for any open maps:

Map changes - includes map open and close and changes to the map configuration.
Any Event occurrence. see "Chapter 7: Monitoring Events".
Device changes - for devices that have Enable Logging selected on the Alerts dialog box, WhatsUp Gold logs an up or down alert for a device or a service and missed polls for a device. When a device comes back up, it logs the total number of missed polls and the total down time.
Notifications - all notifications that get sent are logged.
Acknowledged Alerts - logs an activity when you select Monitor->Acknowledge (to clear all alerts) on the console or click Acknowledge in the web interface.
Access table lockout entries - occurs when a web access attempt is denied, for example, due to settings in the IP Security (Configure->Web Server->IP Security). The log entry also shows the IP address of the host that attempted to log on to the web server.
NT Service - any up or down state changes resulting from checking an NT Service.

Changing How Activities Are Logged

The application-level activities (such as opening or closing a map) are logged automatically. For device-specific activities, you can specify:

Whether the up or down state changes for a device are logged
The number of polls missed (Threshold) before a "DOWN" or "SVSDOWN" state change is recorded for a device or for a monitored service on a device.

To change how activities are logged for a single device:

Right-click the device and select Properties.
Click Alerts.
To log "UP" and "DOWN" state changes for this device (in the Activity Log), make sure Enable Logging is selected. (These entries can be viewed by right-clicking the device and selecting Quick Status, then clicking Log.)
The Logging Trigger default value is 1, which means that every missed poll is logged; this setting gives you the most complete information about your network: when a device (or a monitored service on the device) misses one poll, it is logged as "DOWN" or "SVCDOWN."

If you have a device on your network that routinely misses just one poll, you may feel that you are getting too many "Down" or "Up" messages in the Activity Log. In this type of situation, you can set the Trigger to a higher number such as 2, 3, or 4. To find the Trigger value, select the alert and click the Edit button.

Note: However, if you have assigned notifications to this device and want to make sure, for clarity's sake, that a "Down" or "Up" state change for this device is recorded in the Activity Log before any alerts or notifications are recorded, make sure the Trigger value is less than or equal to the Logging Trigger value of any notifications assigned to this device.

Click OK to save your changes.

To change how activities are logged for all devices or multiple selected devices:

(Optional) To change how activities are logged for multiple devices in the map, select the devices.

Note: To select multiple devices, hold down the Ctrl key and click the desired devices. You can also left-click and drag the selection box to select multiple devices.

Right-click one of the selected devices and select Add Alerts to Selected Devices.
Enable Logging. Select this if you want WhatsUp Gold to write an entry in the Activities Log whenever the devices go down or come back up after being down (based on the value of the Logging Trigger).
Logging Trigger. The number selected here is the number of missed polls it takes before an entry is written to the Activities Log.

Viewing the Activity Log

The Activity Log provides a history of the activities that occur for any network maps that are open. For a description of the activities that get logged, see "Actions that Trigger Entries in the Activity Log File" .

To view the activity information, from the Logs menu, select Activity Log. The following screen shows an example:

The Activity Log shows the date and time an activity occurred, the type of activity, and other pertinent information depending on the type of activity.

The Activity Log holds the activity data for all of your WhatsUp Gold maps. It holds data starting with either the date you first started monitoring a map or the date since log management last performed its cleanup. For as long as any map is open, all related map activities are recorded in the Activity Log, including devices and services going down, devices or services coming back up after being down, and alert acknowledgements. The Activity Log also records SNMP traps (if the SNMP trap handler is enabled) and denials of web access; these types of activities are recorded any time WhatsUp Gold is running, even if no maps are open.

Log Viewer: This is the viewing screen where you can view existing logs. The viewing mechanism displays in weekly increments. The view defaults to the current week. The date of the currently viewed week is displayed at the top of the dialog box.

Back icon: The `Back' icon displays the past week's log.

Current icon: The `Current' icon displays the current accumulating log for that week.

Forward icon: The `Forward' icon is grayed unless you select the `Back' icon, so you can sift back and forth between multiple accumulated weeks worth of log files.

Find icon: The `Find' icon launches a small dialog box used for finding text in the display.

Filter icon: The `Filter' icon launches a filter dialog box, which lets you customize the log viewer so that you can see logs in a different time span other than weekly. This dialog appears when you click the Filter icon and change a filter from an "off" state into an "on" state. Once you click the OK button on this dialog, focus will return back to the Log Viewer and the Filter icon will be pushed in, representing the fact that a filter is in place. Clicking the Filter icon again (or the menu equivalent) causes the filter icon to be pushed out (decompressed) which represents the fact that no filter is in place. When a filter is in place, the "Back" and "Forward" buttons on the Log Viewer confines the browsing ability to the dates specified in the filter.

Note: A common misconception is that all data for a specified range is displayed at once. This is not correct, the "Back" and "Forward" buttons are still used to display the filtered data in weekly increments.

You can either specify your time period in Week(s), Month(s), Year(s), or you can select a Range.

If you select Week(s), you must specify how many weeks back you want to include. Example: Selecting 1 week will display information from the past seven days to today.
If you select Month(s), you must specify how many months back you want to include. Example: Selecting 1 month will display information from the past four weeks to today.
If you select Year(s), you must specify how many years back you want to include. Example: Selecting 1 year will display information from the past fifty-two weeks to today.
If you select Range, you must specify the starting and ending dates.

Refresh icon: (Only needed when viewing Syslog log) The `Refresh' icon updates the viewer with messages that have been logged since initially opening the log file.

Print icon: When the log viewer is opened, the `Print' icon will appear (or be enabled) on the `File' menu to allow you to print the contents of the log viewer.

Format option buttons: The `Raw' and `Formatted' buttons provide two options. The `Raw' layout is a display with no columns, and just a listing layout. The date format is yyyy/mm/dd. In `Raw' format, you can cut & paste data to an outside source. The `Formatted' layout inserts the data into columns, and formats the date and time. The date format is mm/dd/yyyy.

Creating an Outage Report

After WhatsUp Gold has been monitoring a map long enough to generate data, you can create reports based on the activity data. For a description of the activities that get logged, see "Actions that Trigger Entries in the Activity Log File" . If you want to change how activities get logged, see "Changing How Activities Are Logged" .

To create an Outage Report:

From the Reports menu, select Outage Report. The Create Outage Report dialog box appears.

Select the Map Name of the map for which you want a report.

Note: A subnetwork, or "subnet map" (child map) is a network map that is linked to another map (the "parent" map). When running a report of a parent map, keep in mind this map only provides data on the parent map devices. When running a report of a child map, keep in mind this map only provides data on the child map devices. Be sure the report you desire is run on the proper map.

Select the Report Type.
Summary. Reports total service and/or device down time for each device and sorts by device name in Ascending or Descending order. You can also sort by Worst First order, which means the device with the most down time is shown first.

Detail. Reports all up and down state changes for each device. For each device down state change, the elapsed down time is reported. The report sorts devices by device name in Ascending or Descending order. You can also sort by Worst First order, which means the device with the most down time is shown first.

In addition, the detail report shows the following activities: map configuration changes, acknowledge alerts activities, NT service restarts, and access table lockouts. For more information about these activities, see "Actions that Trigger Entries in the Activity Log File" .

Raw Data. Exports the data from the Activity Log to a tab-delimited file that can be imported to another application. The data is sorted by date and time in ascending order.

Select the Date Range for the report.
When you select an option, the Start Date and End Date are shown.

Click OK to generate the report.
WhatsUp Gold generates the specified report and displays it in the Report Window. From the Report Window, you can save the data to a file, print it, or copy data to another application.

Note: If you get the message "insufficient data," it's possible that you have not monitored the map long enough to generate enough data.

Debug Log Information

All actions, such as poll requests and service checks performed by WhatsUp Gold, are shown in the Debug Log window. The Debug Log is a real-time log that displays WhatsUp Gold activities as they occur. To view the log, from the Logs menu, select Debug Log.

	Back icon: The `Back' icon displays the past week's log.
	Current icon: The `Current' icon displays the current accumulating log for that week.
	Forward icon: The `Forward' icon is grayed unless you select the `Back' icon, so you can sift back and forth between multiple accumulated weeks worth of log files.
	Find icon: The `Find' icon launches a small dialog box used for finding text in the display.
	Filter icon: The `Filter' icon launches a filter dialog box, which lets you customize the log viewer so that you can see logs in a different time span other than weekly. This dialog appears when you click the Filter icon and change a filter from an "off" state into an "on" state. Once you click the OK button on this dialog, focus will return back to the Log Viewer and the Filter icon will be pushed in, representing the fact that a filter is in place. Clicking the Filter icon again (or the menu equivalent) causes the filter icon to be pushed out (decompressed) which represents the fact that no filter is in place. When a filter is in place, the "Back" and "Forward" buttons on the Log Viewer confines the browsing ability to the dates specified in the filter.

	Refresh icon: (Only needed when viewing Syslog log) The `Refresh' icon updates the viewer with messages that have been logged since initially opening the log file.
	Print icon: When the log viewer is opened, the `Print' icon will appear (or be enabled) on the `File' menu to allow you to print the contents of the log viewer.

Ipswitch, Inc.
http://www.ipswitch.com


©Ipswitch 2003