WhatsUp Gold 7.0 User's Guide - Logging and Reporting Events

Logging and Reporting Events

WhatsUp Gold logs events in the Event Log and lets you create reports based on the event data. The event log stores its data in weekly file increments with the following file format: (EV-yyyy-mm-dd.tab).

WhatsUp Gold automatically logs application-level events (such as opening or closing a map) and device-specific events (such as a device or service going down) for devices that have Enable Logging selected on the Alerts dialog box. After WhatsUp Gold logs sufficient event data, you can generate reports on the data or save the data in a tab-delimited file format that can be imported to another application.

The following sections describe the types of events logged, how you can modify event logging, and how you can generate reports on the events.

Types of Events Logged

WhatsUp Gold records events in the log (EV-yyyy-mm-dd.tab in the WhatsUp Gold directory) as they occur. WhatsUp Gold logs the following types of events for any open maps:

Map changes - includes map open and close and changes to the map configuration.
SNMP traps - logs SNMP trap server start or stop and any SNMP traps received for a device.
Device changes - for devices that have Enable Logging selected on the Alerts dialog box, WhatsUp Gold logs an up or down alert for a device or a service and missed polls for a device. When a device comes back up, it logs the total number of missed polls and the total down time.
Notifications - all notifications that get sent are logged.
Acknowledged Alerts - logs an event when you select Monitor->Acknowledge (to clear all alerts) on the console or click Acknowledge in the web interface.
Access table lockout events - occurs when a web access attempt is denied, for example, due to settings in the IP Security. (Configure->Web Server->IP Security) The log entry also shows the IP address of the host that attempted to log on to the web server.
NT Service events - any up or down events resulting from checking an NT Service.

Changing How Events Are Logged

The application-level events (such as opening or closing a map) are logged automatically. For device-specific events, you can specify:

Whether the up or down events for a device are logged
The number of polls missed (Threshold) before a "DOWN" or "SVSDOWN" event is recorded for a device or for a monitored service on a device

To change how events are logged for a single device:

Right-click the device and select Properties.
Click Alerts.
To log "UP" and "DOWN" events for this device (in the Event Log), make sure Enable Logging is selected. (These entries can be viewed by right-clicking the device and selecting Quick Status, then clicking Log.)
The Logging Trigger default value is 1, which means that every missed poll is logged; this setting gives you the most complete information about your network: when a device (or a monitored service on the device) misses one poll, it is logged as "DOWN" or "SVCDOWN."

If you have a device on your network that routinely misses just one poll, you may feel that you are getting too many "Down" or "Up" messages in the Event Log. In this type of situation, you can set the Trigger to a higher number such as 2, 3, or 4. To find the Trigger value, select the alert and click the Edit button.

Note: However, if you have assigned notifications to this device and want to make sure, for clarity's sake, that a "Down" or "Up" event for this device is recorded in the Event Log before any alerts or notifications are recorded, make sure the Trigger value is less than or equal to the Logging Trigger value of any notifications assigned to this device.

Click OK to save your changes.

To change how events are logged for all devices or multiple selected devices:

(Optional) To change how events are logged for multiple devices in the map, select the devices.

Note: To select multiple devices, hold down the Ctrl key and click the desired devices. You can also left-click and drag the selection box to select multiple devices.

Right-click one of the selected devices and select Add Alerts to Selected Devices. The Add Alerts To Selected Devices displays a special property sheet that contains only "Alerts" and "Menu" pages. When in this setting, every alert you add can be added to all the devices that are currently selected. This makes it quite easy to add the same alert on multiple devices.

Viewing the Event Log

The Event Log provides a history of the events that occur for any network maps that are open. For a description of the events that get logged, see "Types of Events Logged" .

To view the event information, from the Logs menu, select Event Log. The following screen shows an example:

The Event Log shows the date and time an event occurred, the type of event, and other pertinent information depending on the type of event.

The Event Log holds the event data for all of your WhatsUp Gold maps. It holds data starting with either the date you first started monitoring a map or the date since log management last performed its cleanup. For as long as any map is open, all related map events are recorded in the Event Log, including devices and services going down, devices or services coming back up after being down, and alert acknowledgements. The Event Log also records SNMP traps (if the SNMP trap handler is enabled) and denials of web access; these types of events are recorded any time WhatsUp Gold is running, even if no maps are open.

Log Viewer: This is the viewing screen where you can view existing logs. The viewing mechanism displays in weekly increments. The view defaults to the current week. The date of the currently viewed week is displayed at the top of the dialog box.

Back icon: The `Back' icon displays the past week's log.

Current icon: The `Current' icon displays the current accumulating log for that week.

Forward icon: The `Forward icon is grayed unless you select the `Back' icon, so you can sift back and forth between multiple accumulated weeks worth of log files.

Find icon: The `Find' icon launches a small dialog box used for finding text in the display.

Filter icon: The `Filter' icon launches a filter dialog box, which lets you customize the log viewer so that you can see logs in a different time span other than weekly. This dialog appears when you click the Filter icon and change a filter from an "off" state into an "on" state. Once you click the OK button on this dialog, focus will return back to the Log Viewer and the Filter icon will be pushed in, representing the fact that a filter is in place. Clicking the Filter icon again (or the menu equivalent) causes the filter icon to be pushed out (decompressed) which represents the fact that no filter is in place. When a filter is in place, the "Back" and "Forward" buttons on the Log Viewer confines the browsing ability to the dates specified in the filter.

Note: A common misconception is that all data for a specified range is displayed at once, this is not correct, the "Back" and "Forward" buttons are still used to display the filtered data in weekly increments.

You can either specify your time period in Week(s), Month(s), Year(s), or you can select a Range.

If you select Week(s), you must specify how many weeks back you want to include. Example: Selecting 1 week will display information from the past seven days to today.
If you select Month(s), you must specify how many months back you want to include. Example: Selecting 1 month will display information from the past four weeks to today.
If you select Year(s), you must specify how many years back you want to include. Example: Selecting 1 year will display information from the past fifty-two weeks to today.
If you select Range, you must specify the starting and ending dates

Refresh icon: (Only needed when viewing SYSLOG log) The `Refresh' icon updates the viewer with messages that have been logged since initially opening the log file.

Print icon: When the log viewer is opened, the `Print' icon will appear (or be enabled) on the `File' menu to allow you to print the contents of the log viewer.

Format option buttons: The `Raw' and `Formatted' buttons provide two options. The `Raw' layout is a display with no columns, and just a listing layout. In `Raw' format, you can cut & paste data to an outside source. The `Formatted' layout inserts the data into columns, and formats the date and time.

Creating an Event Report

After WhatsUp Gold has been monitoring a map long enough to generate event data, you can create reports based on the event data. For a description of the events that get logged, see "Types of Events Logged" . If you want to change how events get logged, see "Changing How Events Are Logged" .

To create an Event Report:

From the Reports menu, select Event Report. The Create Event Report dialog box appears.

Select the Map Name of the map for which you want a report.

Note: A subnetwork, or "subnet map" (child map) is a network map that is linked to another map (the "parent" map). When running a report of a parent map, keep in mind this map only provides data on the parent map devices. When running a report of a child map, keep in mind this map only provides data on the child map devices. Be sure the report you desire is run on the proper map.

Select the Report Type.
Summary. Reports total service and/or device down time for each device and sorts by device name in Ascending or Descending order. You can also sort by Worst First order, which means the device with the most down time is shown first.

Detail. Reports all up and down events for each device. For each device down event, the elapsed down time is reported. The report sorts devices by device name in Ascending or Descending order. You can also sort by Worst First order, which means the device with the most down time is shown first.

In addition, the Detail report shows the following events: map configuration changes, acknowledge alerts events, NT service restarts, and access table lockouts. For more information about these events, see "Types of Events Logged" .

Raw Data. Exports the data from the Event Log to a tab-delimited file that can be imported to another application. The data is sorted by date and time in ascending order.

Select the Date Range for the report.
When you select an option, the Start Date and End Date are shown.

Click OK to generate the report.
WhatsUp Gold generates the specified report and displays it in the Report Window. From the Report Window, you can save the data to a file, print it, or copy data to another application.

Note: If you get the message "insufficient data," it's possible that you have not monitored the map long enough to generate event data.

Debug Log Information

All actions, such as poll requests and service checks performed by WhatsUp Gold, are shown in the Debug Log window. The Debug Log is a real-time log that displays WhatsUp Gold events as they occur. To view the log, from the Logs menu, select Debug Log.

	Back icon: The `Back' icon displays the past week's log.
	Current icon: The `Current' icon displays the current accumulating log for that week.
	Forward icon: The `Forward icon is grayed unless you select the `Back' icon, so you can sift back and forth between multiple accumulated weeks worth of log files.
	Find icon: The `Find' icon launches a small dialog box used for finding text in the display.
	Filter icon: The `Filter' icon launches a filter dialog box, which lets you customize the log viewer so that you can see logs in a different time span other than weekly. This dialog appears when you click the Filter icon and change a filter from an "off" state into an "on" state. Once you click the OK button on this dialog, focus will return back to the Log Viewer and the Filter icon will be pushed in, representing the fact that a filter is in place. Clicking the Filter icon again (or the menu equivalent) causes the filter icon to be pushed out (decompressed) which represents the fact that no filter is in place. When a filter is in place, the "Back" and "Forward" buttons on the Log Viewer confines the browsing ability to the dates specified in the filter.

	Refresh icon: (Only needed when viewing SYSLOG log) The `Refresh' icon updates the viewer with messages that have been logged since initially opening the log file.
	Print icon: When the log viewer is opened, the `Print' icon will appear (or be enabled) on the `File' menu to allow you to print the contents of the log viewer.

Ipswitch, Inc.
http://www.ipswitch.com


©Ipswitch 2001