Greetings All.
In my shop we have started using Log Viewer to capture Windows Events - in particular Security Log events from Active Directory Domain Controllers.
I have a requirement to write a few reports using the data from Log Viewer. I found a good post by community member @jvb at this link:
Reports Based on Windows Event ID
The suggested query syntax looks like the following:
```sql
SELECT TOP 10 ln.DisplayName AS Node, le.MessageDateTime, le.LevelKey, le.Message
FROM Orion.OLM.LogEntry le
INNER JOIN Orion.Nodes ln ON ln.NodeID = le.NodeID
WHERE le.LogEntryTypeID = '3'
  AND le.Message LIKE '%Event ID 4624%'
```
I know that post was written about 5 years ago. I just wanted to validate that the tables and fields have not changed for Log Viewer queries.
Can someone in the community verify that the basic information here is still correct?
Yes, my company wants to use Log Viewer + custom reports as an on-the-cheap SIEM. The main report will return incidents of standard 'suspicious' event IDs summed over time and grouped by event ID and user.
Yes, I told them they should buy the SEM product. Work in progress.
Thanks in advance for any responses from the community.
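As an added example (not from the original post, @jvb's post, or SolarWinds documentation), here is the shape the "suspicious event IDs summed over time" report could take as a SWQL query, built only on the columns the post's own query already uses (Orion.OLM.LogEntry: NodeID, MessageDateTime, LogEntryTypeID, Message; Orion.Nodes: DisplayName). It assumes, as the post's query does, that LogEntryTypeID 3 is the Windows event type and that the stored Message text contains the string "Event ID NNNN"; it also assumes the SWQL functions DATETRUNC, ADDDAY and GETUTCDATE behave as their names suggest, and that a CASE expression is accepted in GROUP BY. Validate it in SWQL Studio before putting it in a report; if your SWQL version rejects the CASE in GROUP BY, split it into one UNION ALL branch per event ID.

```sql
-- Added example, not code from the original post or from SolarWinds.
-- Counts selected Windows Security event IDs per domain controller, per day,
-- over the last 7 days. Assumptions (not confirmed by the post):
--   * LogEntryTypeID = 3 selects Windows events (same filter as the post's query)
--   * Message text contains 'Event ID NNNN'
--   * DATETRUNC / ADDDAY / GETUTCDATE are available SWQL functions
SELECT
    ln.DisplayName                          AS Node,
    DATETRUNC('day', le.MessageDateTime)    AS Day,
    CASE
        WHEN le.Message LIKE '%Event ID 4625%' THEN '4625 Failed logon'
        WHEN le.Message LIKE '%Event ID 4720%' THEN '4720 User account created'
        WHEN le.Message LIKE '%Event ID 4728%' THEN '4728 Member added to global group'
        WHEN le.Message LIKE '%Event ID 4732%' THEN '4732 Member added to local group'
        WHEN le.Message LIKE '%Event ID 4740%' THEN '4740 Account locked out'
        WHEN le.Message LIKE '%Event ID 1102%' THEN '1102 Audit log cleared'
        ELSE 'Other'
    END                                     AS EventId,
    COUNT(le.Message)                       AS Hits
FROM Orion.OLM.LogEntry le
INNER JOIN Orion.Nodes ln ON ln.NodeID = le.NodeID
WHERE le.LogEntryTypeID = 3
  AND le.MessageDateTime >= ADDDAY(-7, GETUTCDATE())
  AND (   le.Message LIKE '%Event ID 4625%'
       OR le.Message LIKE '%Event ID 4720%'
       OR le.Message LIKE '%Event ID 4728%'
       OR le.Message LIKE '%Event ID 4732%'
       OR le.Message LIKE '%Event ID 4740%'
       OR le.Message LIKE '%Event ID 1102%')
GROUP BY
    ln.DisplayName,
    DATETRUNC('day', le.MessageDateTime),
    CASE
        WHEN le.Message LIKE '%Event ID 4625%' THEN '4625 Failed logon'
        WHEN le.Message LIKE '%Event ID 4720%' THEN '4720 User account created'
        WHEN le.Message LIKE '%Event ID 4728%' THEN '4728 Member added to global group'
        WHEN le.Message LIKE '%Event ID 4732%' THEN '4732 Member added to local group'
        WHEN le.Message LIKE '%Event ID 4740%' THEN '4740 Account locked out'
        WHEN le.Message LIKE '%Event ID 1102%' THEN '1102 Audit log cleared'
        ELSE 'Other'
    END
ORDER BY Day DESC, Hits DESC
```

Two practical notes: 4624 (successful logon) is deliberately left out because on a domain controller it is extremely high volume and would swamp the counts, so query it separately with a narrower filter (for example a specific logon type) if you need it; and the "grouped by user" part of the requirement needs the account name pulled out of the Message body, which SWQL has no regular-expression support for, so that dimension is not attempted here and would have to come from a parsed field or from post-processing the report output.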