Configure Windows Event Log

OMi MP for Microsoft Azure monitors the event log only for Azure RM Windows VMs. To begin monitoring the Windows Event Log, you must deploy the Microsoft Azure Windows Events Log Monitoring aspect. Before you deploy the aspect, make sure you have enabled the categories in the Diagnostics Setting blade of the Microsoft Azure portal. You must replicate the preferences set in the Azure portal in the MSAzure_WindowsEventLogMon_Config policy and deploy the version of the aspect that includes the policy setting.

Configure the Microsoft Azure Windows Event Log Monitoring aspect

By default, all the Storage Accounts in the subscription are monitored for the log files. You can also specify the particular VMs, log types, or error levels that you want to monitor. Modify the MSAzure_WindowsEventLogMon_Config policy and then deploy the latest version of the aspect. By default, the following configuration is set in the policy.

XML tag           Default value   Definition
Subscription id   *               All the subscriptions provided during Discovery
StorageAccount    *               All the storage accounts associated with the subscription ID
EventLog          *               Application and System event logs
level             *               Events with critical and error severity

Follow the steps to edit the policy and deploy the aspect:

  1. Open the Management Templates & Aspects pane:

    Click Administration > Monitoring > Management Templates & Aspects.

  2. In the Configuration Folders pane:

    Click Configuration Folders > Cloud Management > Microsoft Azure > Aspects.

  3. In the Management Templates & Aspects pane, click Microsoft Azure Windows Event Log Monitoring Aspect and then click .

    The Microsoft Azure Windows Event Log Monitoring: Edit Aspect window appears.

  4. In the Policy Template tab, select the MSAzure_WindowsEventLogMon_Config policy and click Edit Policy Template (Raw Mode).

    The Edit Policy Template window appears.

  5. In the Policy Data tab, specify the Storage account, virtual machine, and Event Log category (Application, System or Security) that you need to monitor.

    If you need to monitor only specific storage accounts, VMs, or event categories, enter the values in the corresponding block and modify the policy using the following syntax.

    <Subscriptions>
      <Subscription id="*">
        <StorageAccounts>
          <StorageAccount name="*">
            <EventLog type="*" level="Critical,Error"/>
            <VirtualMachines>
              <VMName name="*" />
            </VirtualMachines>
          </StorageAccount>
        </StorageAccounts>
      </Subscription>
    </Subscriptions>

    You can specify multiple subscriptions, multiple storage accounts, multiple event log types, or different error levels.

  6. Click Save and Close. A new version of the policy is created.
  7. In the Policy Templates tab, select the latest version of the MSAzure_WindowsEventLogMon_Config policy and click OK. A new version of the aspect is created.
  8. In the Management Templates & Aspects pane, select the latest version of the Aspect and click .
  9. In the Configuration Item tab, select the CI and click Next.
  10. In the Parameter Summary tab, click Finish.

Configuration examples

The following are a few scenarios and the configuration syntax for each.

  1. Monitoring one Storage Account of a particular Subscription for the default Event Log Types (Application and System) and the default Error Levels (Critical and Error)

    <Subscriptions>
      <Subscription id="eaxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxx6d">
        <StorageAccounts>
          <StorageAccount name="mpqagroupdiag358">
            <EventLog type="*" level="Critical,Error"/>
            <VirtualMachines>
              <VMName name="*" />
            </VirtualMachines>
          </StorageAccount>
        </StorageAccounts>
      </Subscription>
    </Subscriptions>
    
  2. Monitoring all Storage Accounts of a particular Subscription for the default Event Log Types (Application, System) and all Error Levels

    <Subscriptions>
      <Subscription id="exxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxx6d">
        <StorageAccounts>
          <StorageAccount name="*">
            <EventLog type="*" level="Critical,Error,Information,Verbose,Warning"/>
            <VirtualMachines>
              <VMName name="*" />
            </VirtualMachines>
          </StorageAccount>
        </StorageAccounts>
      </Subscription>
    </Subscriptions>

  3. Monitoring Storage Accounts of multiple Subscriptions for the specified VMs

    <Subscriptions>
      <Subscription id="3yxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxy7">
        <StorageAccounts>
          <StorageAccount name="testing">
            <EventLog type="*" level="Critical,Error"/>
            <VirtualMachines>
              <VMName name="btpvm1234"/>
              <VMName name="btpvm2345"/>
            </VirtualMachines>
          </StorageAccount>
        </StorageAccounts>
      </Subscription>
      <Subscription id="eyxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxd">
        <StorageAccounts>
          <StorageAccount name="storageaccountodelete324234">
            <EventLog type="*" level="Critical,Error"/>
            <VirtualMachines>
              <VMName name="*" />
            </VirtualMachines>
          </StorageAccount>
        </StorageAccounts>
      </Subscription>
    </Subscriptions>
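A policy edited in Raw Mode is not checked for you before the aspect is deployed, so a typo in a level name or a log type that was never listed means events are silently not collected. The script below is an added example (not part of OMi MP for Microsoft Azure) that parses a policy body written in the syntax shown in step 5 and the scenarios above, rejects level and EventLog type values other than the ones this page names (Critical, Error, Warning, Information, Verbose; Application, System, Security), and lists what each scope leaves uncollected. It assumes, as the default-value table states, that type="*" covers the Application and System logs only. The subscription id, storage account and VM names in SAMPLE_POLICY are constructed placeholders.

```python
"""Sanity-check an MSAzure_WindowsEventLogMon_Config policy body before deploying it.

Added example, not product code. Parses the <Subscriptions> XML, validates the
level/type attribute values against those documented on the page, and reports
coverage gaps (a log or a severity that the scope does not collect).
"""
import xml.etree.ElementTree as ET

VALID_LEVELS = {"Critical", "Error", "Warning", "Information", "Verbose"}
VALID_LOG_TYPES = {"Application", "System", "Security"}
# Assumption taken from the default-value table: the wildcard type means
# Application and System; the Security log must be named explicitly.
WILDCARD_LOG_TYPES = {"Application", "System"}

# Constructed sample: first scope is the page's default filter, second scope
# names logs explicitly and contains a misspelled level ("Warnign").
SAMPLE_POLICY = """<Subscriptions>
  <Subscription id="00000000-0000-0000-0000-000000000000">
    <StorageAccounts>
      <StorageAccount name="examplediag001">
        <EventLog type="*" level="Critical,Error"/>
        <VirtualMachines>
          <VMName name="examplevm01"/>
        </VirtualMachines>
      </StorageAccount>
      <StorageAccount name="examplediag002">
        <EventLog type="Application,Security" level="Critical,Error,Warnign"/>
        <VirtualMachines>
          <VMName name="*"/>
        </VirtualMachines>
      </StorageAccount>
    </StorageAccounts>
  </Subscription>
</Subscriptions>"""


def _split(value):
    """Split a comma-separated attribute value into a list of trimmed items."""
    return [v.strip() for v in value.split(",") if v.strip()]


def parse_policy(xml_text):
    """Return one dict per <StorageAccount> describing what that scope monitors."""
    root = ET.fromstring(xml_text)  # raises ParseError on malformed XML
    if root.tag != "Subscriptions":
        raise ValueError("root element must be <Subscriptions>, got <%s>" % root.tag)
    scopes = []
    for sub in root.findall("Subscription"):
        for acct in sub.findall("StorageAccounts/StorageAccount"):
            log = acct.find("EventLog")
            if log is None:
                raise ValueError("StorageAccount %r has no <EventLog>" % acct.get("name"))
            vms = [vm.get("name", "*") for vm in acct.findall("VirtualMachines/VMName")]
            scopes.append({
                "subscription": sub.get("id", "*"),
                "storage_account": acct.get("name", "*"),
                "log_types": _split(log.get("type", "*")),
                "levels": _split(log.get("level", "")),
                "vms": vms or ["*"],
            })
    return scopes


def find_problems(scopes):
    """Return findings: 'ERROR ...' for invalid values, 'GAP ...' for uncollected data."""
    findings = []
    for s in scopes:
        where = "subscription %s / storage account %s" % (s["subscription"], s["storage_account"])
        bad_levels = [lv for lv in s["levels"] if lv not in VALID_LEVELS]
        if bad_levels:
            findings.append("ERROR %s: unknown level(s) %s" % (where, ", ".join(bad_levels)))
        bad_types = [t for t in s["log_types"] if t != "*" and t not in VALID_LOG_TYPES]
        if bad_types:
            findings.append("ERROR %s: unknown EventLog type(s) %s" % (where, ", ".join(bad_types)))
        if not s["levels"]:
            findings.append("ERROR %s: empty level attribute, nothing is collected" % where)
        # Expand the wildcard so the coverage report shows the real set of logs.
        effective = set()
        for t in s["log_types"]:
            effective |= WILDCARD_LOG_TYPES if t == "*" else {t}
        for missing in sorted(VALID_LOG_TYPES - effective):
            findings.append("GAP %s: %s log is not collected" % (where, missing))
        for missing in sorted(VALID_LEVELS - set(s["levels"])):
            findings.append("GAP %s: %s events are filtered out" % (where, missing))
    return findings


if __name__ == "__main__":
    for line in find_problems(parse_policy(SAMPLE_POLICY)):
        print(line)
```

Run it against the policy text copied out of the Edit Policy Template window; an ERROR line means the value should be corrected before you click Save and Close, and the GAP lines are a reminder that the default Critical,Error filter on Application and System leaves Warning events and the Security log out of the collected data.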