Add an EventLog Poller to a Windows Device Subtype

An EventLog poller can be added to any device subtype intended for Windows-based managed devices. You can add EventLog pollers to an existing Windows device subtype or create a new device subtype specifically for the purpose of collecting Windows event logs. Additionally, you can add as many EventLog pollers as necessary to each subtype.

To add an EventLog poller to a Windows device subtype, follow the procedure below.

1. From the main menu, select Administration > Change Devices > Edit Pollers to open the Polling Administration page (this is where Netreo device types are managed).
   
2. Select View Sub Types to open the Polling Administration: Sub Types page (this is where Netreo device subtypes are managed).
3. Locate the subtype that you would like to add an EventLog poller to, or select Create Sub-Types to create a new subtype.
   • If you create a new subtype, skip to step 5.
4. In the ACTIONS column of the subtype, select the edit subtype icon to open the edit page for the subtype.
   
5. On the edit page for the subtype, locate the Event Log Polling section in the Pollers panel, and select the add poller (+) button.
   
6. In the Add Event Log Poller window that opens, fill out the available fields with the appropriate information as follows:
   
   1. In the LOG SOURCE NAME field, enter the name of the software that logs the event. It is often the name of the application or the name of a subcomponent of the application if the application is large. See here for more information.
   2. In the LOG LEVELS field, enter the severity levels of events to fetch as a comma separated list of numerical severity values.
      • For example, "1,2,3,4". Typically, 1 for Error, 2 for Warning, 3 for Critical, 4 for Informational, etc.
      • (Microsoft documentation on this field is not very consistent. So, to be on the safe side, use a value like "0,1,2,3,4,5,6,7,8,16".)
   3. In the OUTPUT ERROR PATTERN field, enter a string pattern to identify any error condition while executing the PowerShell commands as part of log fetching.
      • For example, "NoMatchingEventsFound".
   4. In the TIMEOUT ERROR PATTERN field, enter a string pattern to detect if a timeout error occurred while executing the PowerShell commands.
      • For example, "timeout".
   5. In the CHUNK SIZE field, enter the number of log messages you want Netreo to process per batch.
   6. Select Create to add the EventLog poller to the device subtype.
7. Now, any managed Windows device that uses this subtype will begin collecting statistics on its event logs, which can be viewed in the Performance tab of its Device Dashboard.