What should I put into my Serv-U Windows Event messages? - KB Article #2106
Serv-U MFT Server may write Windows Event Log messages when Serv-U events fire. This allows network monitoring software including SolarWinds, SpiceWorks, HP Unicenter, and What's Up Gold to consume Serv-U events so they can monitor file transfer activity. It also allows Windows administrators to preserve or forward Serv-U events in the same way they process other Windows Events.
This article discusses how to set up Event Log messages for two different audiences: monitoring software and human beings.
Recommended "Monitoring Software" Format
Monitoring software expects to see information passed to it as a series of delimited fields. In this case, we recommend providing the following information, delimited by the pipe ("|") character.
- Name of the server on which the event was fired (and not "localhost")
- IP of the client that initiated the event
- Username of the user that initiated the event
- Date and time the event fired
- Full relative path of file (for transfers)
- Full physical path of file (for transfers)
- File size (for transfers)
A message string that contains all this information is shown below.
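On the consuming side, a monitoring script can split such a message back into its fields and reject malformed records before they reach an alerting pipeline. The following Python parser is an added example, not Serv-U or vendor code; it assumes the seven fields appear in the order listed above, that the date and time are written as YYYY-MM-DD HH:MM:SS, and that path and size fields may be empty for non-transfer events. All sample values are constructed.

```python
import ipaddress
from datetime import datetime

# Field order follows the list above (an assumption; match your own string).
FIELDS = ("server", "client_ip", "username", "timestamp",
          "relative_path", "physical_path", "file_size")


def parse_event(message):
    """Split one pipe-delimited event message; raise ValueError if malformed."""
    parts = [p.strip() for p in message.split("|")]
    # A stray "|" inside a username or virtual path changes the field count.
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}")
    event = dict(zip(FIELDS, parts))
    # The article asks for the real server name, never "localhost".
    if event["server"].lower() in ("", "localhost"):
        raise ValueError("server name missing or 'localhost'")
    event["client_ip"] = ipaddress.ip_address(event["client_ip"])  # IPv4 or IPv6
    # Assumed timestamp layout: YYYY-MM-DD HH:MM:SS
    event["timestamp"] = datetime.strptime(event["timestamp"], "%Y-%m-%d %H:%M:%S")
    # Path and size fields are only populated for transfer events (assumed).
    size = event["file_size"]
    event["file_size"] = int(size) if size else None
    return event


def parse_all(messages):
    """Return (parsed events, list of (message, reason) for rejected ones)."""
    good, bad = [], []
    for msg in messages:
        try:
            good.append(parse_event(msg))
        except ValueError as exc:
            bad.append((msg, str(exc)))
    return good, bad


# Constructed sample messages (not real log data).
SAMPLES = [
    r"MFT01|203.0.113.7|alice|2024-03-05 14:02:11|/inbound/report.csv|D:\ftp\alice\inbound\report.csv|48211",
    r"localhost|203.0.113.7|alice|2024-03-05 14:03:00|/inbound/a.txt|D:\ftp\alice\inbound\a.txt|10",
    r"MFT01|203.0.113.9|bob|ops|2024-03-05 14:04:30|/out/b.zip|D:\ftp\bob\out\b.zip|2048",
]

if __name__ == "__main__":
    events, rejected = parse_all(SAMPLES)
    print(len(events), "parsed;", len(rejected), "rejected")
```

Rejected records are returned with a reason rather than dropped, so a message whose columns have shifted shows up as a parsing failure instead of as a wrong username or IP in the audit trail.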
Depending on your needs, you may also want to include transfer protocol information ("$Protocol"), the domain involved - especially on multi-domain machines ("$DomainName"), and the email address of the user involved ("$UserEmailAddress") with your events. Review Serv-U's current list of System Variables for other options.
A string containing all the recommended fields from above plus these three is shown below.
Recommended "Human Readable" Format
Unlike monitoring applications, real people need to be told which value belongs to which field, and many people like messages to be well-formatted as well.
If you are new to Serv-U, a good way to quickly populate a number of well-formatted Event Log messages is to click the "Create Common Events..." button on the Domain Events page. Then, go into the events you are most interested in and tweak them.
Example of a "Human Readable" Event Tweak
The text for the "Listener Success" event that a click of the "Create Common Events..." button creates provides a good opportunity to try a couple of tweaks. If you open this event you will see that it notes the IP and port associated with the listener. You can click the "Help" button and then any of the included "System Variable" help links to see a list of interesting variables you may want to add.
To add mention of the domain in which the listener is operating, add the phrase "for $DomainName" at the end of the first line. To add mention of the protocol used by the listener, add the phrase "Protocol: $Protocol" after the "Server Port" line.
Recommended Footer for Auditors
Yes, auditors are people too. Auditors typically want excellent records of all activities on the server, and those records must always identify the machine, the time, the method, the actor (end user) and other critical information about each action. Fortunately, it is relatively easy to set this up in Serv-U by appending the following generic string to all the messages you created by clicking the "Create Common Events..." button:
This Serv-U event occurred in Serv-U domain "$DomainName" on $ComputerName, a $OSAndPlatform machine. Serv-U recorded the event at $Year-$Month-$Day $Hour:$Minute:$Second. The event was of type "$EventType" and was triggered by $LoginID (email: "$UserEmailAddress", full name: "$FullName"), who was accessing the server using the $Protocol protocol listening on port $ServerPort from IP $IP.
In addition to this information, Serv-U makes many more System Variables available for further customization.