Once you’ve configured an EventSource, you can perform test runs to ensure events are being filtered and captured as you intended. EventSource testing can be performed when you’re initially setting up the EventSource—or any time in the future as troubleshooting needs arise.
Note: The EventSource testing feature requires Collector version 28.400 or a higher numbered version.
Testing an EventSource
Testing functionality is available by clicking the Test Event Logging button found in the Filters area of an EventSource’s configurations, as shown next.
Note: The testing of Script EventSources works a bit differently than for other EventSource types. Script EventSources are tested from the Script Event Collector Attributes area of the EventSource and, due to the nature of how scripts operate, the format of test output is different as well.
Depending upon the type of EventSource you are testing, you’ll be prompted for varying test parameters. For Log File EventSources, you’ll need to identify the device, log file path, and the number of lines to scan in the log file. For SNMP Trap and Syslog EventSources, you’ll listen for events as they occur in real time, specifying a sending device and the conditions under which the test will end. For Windows Event Logs, you’ll specify a device and date/time range for which the test should check the logs (up to a 10-minute time period).
The test results for Log File, SNMP Trap, Syslog, and Windows Event Log EventSources identify which events would—and would not—be captured based on the test parameters and filters defined for the EventSource.
The test results page displays up to three sections:
- Matched message(s). In this section, messages meeting the test parameters and filters defined in the EventSource configurations will display.
- Filter Statistics. In this section, all filter expressions that resulted in one or more messages being excluded from matching results are displayed, as well as the actual number of messages. Clicking the number of messages hyperlink will open a new window that displays the actual messages filtered (up to 50 per filter rule).
- Unrecognized Message Statistics. Only returned for Syslog EventSources, this section identifies any messages that couldn’t be parsed and therefore couldn’t be classified as meeting or failing to meet filter criteria.