
If you have been reading these blogs for Enterprise Vault, you have seen an excellent article on monitoring MSMQ by Wayne Humphreys:
https://www-secure.symantec.com/connect/blogs/monitoring-msmq-vbs

For me though, being an Admin of a 12 site / 90 server environment, it is hard to keep track of which servers are behaving correctly and which are not.
Anyone who has spent time with Enterprise Vault knows that it is one of the loudest applications out there. Even when Enterprise Vault is operating nominally, you still get warnings and errors, some of which can be ignored and some of which can't.

To this end I decided to write a VBS script to log the number of errors and warnings per server in a 24 hour period.
A simple table setup is used:

Table Name = EventLogs
EVLogDate = DateTime
EVLogServer  = varchar(50)
EVLogWarnings = int
EVLogErrors = int

Then I use the following script, called EVLogs.vbs, which is executed at 6AM on each server:

-----------------------------------------------------------------------------------------------------------------------------

dim sqlConn, oConn, oRS
sqlConn="Driver={SQL Server};Server=YourDBServer; Database=YourDBName;Trusted_Connection=yes;"

'Get the Date from 2 days ago
dDate = Now - 2
y = Year(dDate)
m = Right("0" & Month(dDate),2)
d = Right("0" & Day(dDate), 2)
fromDate = y & m & d

'Get the date from 1 day ago
dDate = Now - 1
y = Year(dDate)
m = Right("0" & Month(dDate),2)
d = Right("0" & Day(dDate), 2)
toDate = y & m & d

'Connect to the local WMI object
Set objWMIService = GetObject("winmgmts:root\cimv2")

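'Select all errors between 2 days ago and 1 day ago
'(the trailing -360 in the WMI datetime is the UTC offset in minutes; adjust it to the server's time zone)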
Set events = objWMIService.ExecQuery ("Select * from Win32_NTLogEvent Where LogFile='Symantec Enterprise Vault' and type = 'error' and timewritten >= '" & fromDate & "000000.000000-360' and timewritten < '" & toDate & "000000.000000-360'")

'Count up the errors
errors = 0
For Each evt In events
 errors = errors + 1
Next

'Select all warnings between 2 days ago and 1 day ago
Set events = objWMIService.ExecQuery ("Select * from Win32_NTLogEvent Where LogFile='Symantec Enterprise Vault' and type = 'warning' and timewritten >= '" & fromDate & "000000.000000-360' and timewritten < '" & toDate & "000000.000000-360'")

'Count up the warnings
warnings = 0
For Each evt In events
 warnings = warnings + 1
Next

'Write the counts for this server to the database
Set oConn = CreateObject("ADODB.Connection")
oConn.Open sqlConn
Set oRS = CreateObject("ADODB.Recordset")
sSQL = "INSERT INTO EventLogs(EVLogDate,EVLogServer,EVLogWarnings,EVLogErrors) values(getDate()-1, 'yourEVServer', " & warnings & "," & errors & ")"
oRS.Open sSQL, oConn
oConn.Close

------------------------------------------------------------------------------------------------------------------------------

The good thing to note about this is that to connect to the Event Viewer you use WMI, which can then select items just like you would using SQL.
A modification to the code can monitor for events such as 3305 and 3310, which mean that the task has effectively stopped processing for 5 minutes (3305) or 10 minutes (3310).

So you could do this

Select * from Win32_NTLogEvent Where LogFile='Symantec Enterprise Vault' and type = 'error' and EventCode = 3305

For this we run the VBS every hour, and if any results are found it emails an admin.
For most admins and most environments I truly hope this is overkill, but for environments like ours tools like this become essential.
https://www.linkedin.com/in/alex-allen-turl-07370146
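
The hourly 3305/3310 check described above, as an added example that is not the author's own script. It assumes an SMTP relay at smtp.example.com and placeholder sender and recipient addresses, and it builds the time filter with SWbemDateTime so the server's own UTC offset is used.

```vbscript
Option Explicit
Const SMTP_SERVER = "smtp.example.com"      'assumption: your internal SMTP relay
Const MAIL_FROM   = "evmonitor@example.com" 'assumption: placeholder sender
Const MAIL_TO     = "evadmins@example.com"  'assumption: placeholder recipient

Dim since, wmi, events, evt, hits, body, server, msg, cfg

'Start of the window: one hour ago, converted to a WMI datetime
'that carries this server's local UTC offset
Set since = CreateObject("WbemScripting.SWbemDateTime")
since.SetVarDate DateAdd("h", -1, Now), True

server = CreateObject("WScript.Network").ComputerName
Set wmi = GetObject("winmgmts:root\cimv2")

'Only the two "task stopped processing" events written in the last hour
Set events = wmi.ExecQuery( _
    "Select EventCode, TimeWritten from Win32_NTLogEvent " & _
    "Where LogFile='Symantec Enterprise Vault' " & _
    "and (EventCode = 3305 or EventCode = 3310) " & _
    "and TimeWritten >= '" & since.Value & "'")

'Collect one line per matching event for the mail body
hits = 0
body = ""
For Each evt In events
    hits = hits + 1
    body = body & evt.TimeWritten & "  event " & evt.EventCode & vbCrLf
Next

'Stay silent unless something was found
If hits > 0 Then
    Set msg = CreateObject("CDO.Message")
    Set cfg = msg.Configuration.Fields
    cfg.Item("http://schemas.microsoft.com/cdo/configuration/sendusing") = 2 'send over the network
    cfg.Item("http://schemas.microsoft.com/cdo/configuration/smtpserver") = SMTP_SERVER
    cfg.Item("http://schemas.microsoft.com/cdo/configuration/smtpserverport") = 25
    cfg.Update
    msg.From = MAIL_FROM
    msg.To = MAIL_TO
    msg.Subject = "Enterprise Vault: " & hits & " stalled-task event(s) on " & server
    msg.TextBody = body
    msg.Send
End If
```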