Windows Server Backup Event Log Sensor


Hello,

How can we monitor Windows Server 2008 R2 Windows Backup events with PRTG?

backup custom eventlog windows wmi

Created on Dec 9, 2011 12:01:05 PM by  Mike Holland (0) 1



13 Replies


Hi Mike,

Have you already tried using the eventlog sensor?

Regards,

Created on Dec 9, 2011 3:19:27 PM by  Gerard Feijth (4,203) 3 2




Hello,

Yes, we have, but the information event which informs whether the backup is successful or failed is a custom type of log located in Microsoft-Windows-Backup, and we can see no option of getting to that within this sensor.

Created on Dec 12, 2011 10:07:28 AM by  Mike Holland (0) 1




Hi Mike,

In the "Custom Sensors\EXE" folder of your PRTG installation, create a new file named "backupstatus.bat" and paste the following code:

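@echo off
rem PRTG custom sensor: search the backup .log file in the given folder for "error".
rem Usage: backupstatus.bat <folder containing the .log files>
if "%~1"=="" goto NoParameter

rem /d also changes the drive; the quotes allow folder names with spaces.
cd /d "%~1"
rem dir /O:-D sorts by date, newest first; the first file listed is copied.
for /F "delims=" %%I in ('dir *.log /B /O:-D') do copy "%%I" c:\temp\temp.log > nul & goto end
:end

rem find sets errorlevel 0 when the text occurs in the copied file.
find /i "error" c:\temp\temp.log > nul
if %errorlevel% EQU 0 goto Found
goto NotFound

:Found
echo "Backup has errors"
exit 2

:NotFound
echo "Backup has no errors"
exit 0

:NoParameter
echo You need to supply a folder name
exit 2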

The sensor will copy the oldest .log file in the given (parameter) folder to c:\temp\temp.log. Next, this copied file is checked for the occurrence of the text "error" and an appropriate message is sent to PRTG.

Note: it is assumed that the sensor runs on the machine (probe) that hosts the backup .log files

This code is provided "as is", please feel free to make any changes.

Regards,

Created on Dec 12, 2011 3:01:59 PM by  Gerard Feijth (4,203) 3 2




Hello and thanks for that,

the log files have a *.evtx extension. Just to remind that I am talking about the built in Windows Server Backup.

Additionally, if a backup has failed once, wouldn't the report always show there is an error?

Thanks

Created on Dec 13, 2011 9:16:34 AM by  Mike Holland (0) 1




Hi Mike,

Does every backup job produce its own .evtx file (in the same folder) or does the backup append its information to an existing .evtx file?

What information is written (key words) to the file if a job fails?

Additionally, can you send me a .evtx file? My email address can be found here in the left pane under "send an email".

Regards,

Created on Dec 13, 2011 3:04:33 PM by  Gerard Feijth (4,203) 3 2




The .evtx files are standard Windows Event log files. They look and feel just like the Application, System etc. logs and are shown in Windows Server 2008 event log by default. I don't think WMI can pull those out, but PowerShell's get-event can.

http://technet.microsoft.com/en-us/library/cc734488%28WS.10%29.aspx

Created on Dec 13, 2011 4:28:04 PM by  Mike Holland (0) 1




PTF.EventlogReader

This is now possible with the new Custom Sensor PTF.EventlogReader.

This sensor gets the value of the most recent entry for the given eventlog and source, taking the following parameters:

-c=   The ip-address or hostname of the computer hosting the eventlog.
-e=   The name of the eventlog.
-s=   The name of the eventlog source.
-u=   Optional, Domain\Username of a user account that can access the (remote) eventlog.
-p=   Optional, Password or PassHash * of a user account that can access the (remote) eventlog.
-m=   Optional, the maximum time in minutes a result is allowed to be old.
      default = 1 day (1440 minutes)

PTF.EventlogReader returns the event ID and message for the found log entry.

The sensor can be downloaded from this page.

Created on Dec 15, 2011 1:18:05 PM by  Gerard Feijth (4,203) 3 2

Last change on Dec 18, 2011 1:13:30 PM by  Gerard Feijth (4,203) 3 2




Thanks!!!

Created on Dec 15, 2011 2:47:07 PM by  Mike Holland (0) 1




Hi,

Can someone provide some additional information on how to interpret the results for this sensor? I've used -e=Application -s=Windows-Server-Backup and have had a successful return of error code 0, which I'm assuming represents a successful backup. However, if this comes back with an error code that represents a failure, will the sensor still not show as green?

Created on Dec 16, 2011 2:16:47 PM by  mhailstones (0)




Hi,

When using with Windows Backup, the source should be 'backup'

-s=backup

According to http://technet.microsoft.com/en-us/library/cc734488%28WS.10%29.aspx a successful backup should return a 4.

When the sensor returns a 0, it also returns a text message like 'No matching entry found'. It is up to you to decide if this should be treated as an error by setting limits in the sensor's channel tab.

Also keep in mind that only entries for the last 24 hours are evaluated if the -m parameter is omitted.

Using the sensor with Windows Backup, I guess all values bigger or smaller than 4 should be set to put the sensor into an error state. For other event log entries it might be a good thing if no entry is found in the last xx minutes, so that's why value 0 does not automatically set the sensor into an error state.

Regards,

Created on Dec 16, 2011 2:51:02 PM by  Gerard Feijth (4,203) 3 2
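
Added example (not part of the original thread and not the PTF.EventlogReader source): a PowerShell custom sensor script that applies the interpretation given in the reply above, reporting the ID of the newest backup event inside the time window, with 4 as success and 0 when nothing is found. The channel name `Microsoft-Windows-Backup` is taken from the thread and is an assumption, as is PRTG reading one `value:message` line plus the exit code; `-FailOnMissing` and `Send-Result` are hypothetical names.

```powershell
# Added example; not the PTF.EventlogReader source.
param(
    [string]$ComputerName  = 'localhost',
    [string]$LogName       = 'Microsoft-Windows-Backup', # assumed channel name, taken from the thread
    [int]   $MaxAgeMinutes = 1440,                       # same default window as -m
    [int]   $SuccessId     = 4,                          # success ID quoted in the thread
    [switch]$FailOnMissing                               # hypothetical: treat "no entry" as an error
)

# Assumed PRTG convention: one "value:message" line plus the exit code (0 = OK, 2 = error).
function Send-Result {
    param([int]$Value, [string]$Message, [int]$Code)
    Write-Output ('{0}:{1}' -f $Value, $Message)
    exit $Code
}

$filter = @{
    LogName   = $LogName
    StartTime = (Get-Date).AddMinutes(-$MaxAgeMinutes)
}

try {
    # Get-WinEvent returns the newest event first, so -MaxEvents 1 is the most recent entry.
    $evt = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter `
                        -MaxEvents 1 -ErrorAction Stop
}
catch {
    if ($_.FullyQualifiedErrorId -like 'NoMatchingEventsFound*') {
        # No backup event inside the window: value 0, as the reply describes.
        $missingCode = if ($FailOnMissing) { 2 } else { 0 }
        Send-Result -Value 0 -Message 'No matching entry found' -Code $missingCode
    }
    # Access denied, unknown log name or unreachable host must never look like "no entry".
    $why = 'Cannot read {0} on {1}: {2}' -f $LogName, $ComputerName, $_.Exception.Message
    Send-Result -Value (-1) -Message $why -Code 2
}

# Keep the first line of the event text only; it can be empty if the message cannot be rendered.
$text = if ($evt.Message) { ($evt.Message -split "`r?`n")[0] } else { 'no message text' }
$code = if ($evt.Id -eq $SuccessId) { 0 } else { 2 }
Send-Result -Value $evt.Id -Message $text -Code $code
```

With `-FailOnMissing`, a backup job that stopped running altogether raises an error instead of sitting at value 0, which covers the case the channel limits in the reply are meant to catch.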




Hi and thanks for the quick reply.

That's exactly what I'm getting: a 0 code and the message 'No matching entry found'. I have changed the -s parameter to backup and the sensor still works; however, it still returns the same 0 code.

I know that the event ID in Event Viewer for a successful backup is 4, is this what the PRTG sensor should be picking up?

If possible could you post a complete example of the command line parameters needed to get this sensor to return the correct code so that I can alert when the condition changed from 4?

Many thanks!

Created on Dec 16, 2011 4:00:57 PM by  mhailstones (0)




I've run eventlogreader.exe from the command line on the probe using the parameters I have set in the console and piped the results out to a text file. This contains the message "Requested registry access is not allowed.".

Is there a way to set the permissions so that the probe can access what it needs to in order to return the correct error codes which are showing in the event viewer logs?

Many thanks!

Created on Dec 16, 2011 4:43:43 PM by  mhailstones (0)




Hi,

Both issues are now fixed in version 9.0.2 of the sensor. The new version also includes a .msg file. Please see Why do I need the EventlogReader.msg file for more explanation.

(The original post is also updated stating this)

Regards,

Created on Dec 18, 2011 1:17:39 PM by  Gerard Feijth (4,203) 3 2


