Hi all, I'm trying to create rules to log all of the users' logon events from all Windows servers that I'm currently monitoring, but I want to exclude everything else, such as logoffs, all service accounts, and certain Windows event IDs. For some reason some of the rules are not applying.
I created one rule to track and tag all of the logons and that one is working fine, but when I create a new rule to exclude, say, a specific user account, it does not work. I'm doing these rules under the Windows Events Log Processing Configuration.
Is there a specific order in which the rules must be applied, or am I doing something wrong by creating a rule for every single thing I want to exclude?
For example, one rule states:

    All source computers
    Log Entries
    If
        EventID Is Equal To 4634 (Log Off event ID in Windows)
    Actions
        First
            Discard message
That's my rule and I make it live.
I have other rules like this, and some work but some don't.
Any help will be greatly appreciated.
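The following is an added illustration, not code from the post or from the log processing product in question. It models a rule list with tag and discard actions under an assumed first-match policy (the first rule whose condition matches an event decides, and later rules are not evaluated), and runs it over a few constructed Security-log events. The point it shows is that if a broad "tag all 4624 logons" rule sits above an exclusion rule, a service-account logon is tagged by the first rule and the exclusion below it never gets a chance to fire; moving the exclusions above the tag rule fixes that. Whether the real product evaluates rules this way is an assumption; the `TargetUserName` and `EventID` fields are the standard Windows Security event fields for 4624/4634, and the `svc_` naming convention is hypothetical.

```python
from typing import Callable, Dict, List, Optional

# Constructed sample events (hypothetical data, not taken from the post).
SAMPLE_EVENTS: List[Dict] = [
    {"EventID": 4624, "TargetUserName": "alice", "Computer": "SRV01"},
    {"EventID": 4634, "TargetUserName": "alice", "Computer": "SRV01"},
    {"EventID": 4624, "TargetUserName": "svc_backup", "Computer": "SRV02"},
    {"EventID": 4624, "TargetUserName": "bob", "Computer": "SRV02"},
]


class Rule:
    """One processing rule: a condition plus a single action ('tag' or 'discard')."""

    def __init__(self, name: str, match: Callable[[Dict], bool],
                 action: str, tag: Optional[str] = None):
        self.name = name
        self.match = match
        self.action = action
        self.tag = tag


def process(events: List[Dict], rules: List[Rule]) -> List[Dict]:
    """Assumed first-match evaluation: the first matching rule decides the event's fate.

    Returns the events that survive, with any tags applied. An event that matches
    no rule is kept untouched.
    """
    kept = []
    for ev in events:
        record: Optional[Dict] = dict(ev)
        for rule in rules:
            if rule.match(record):
                if rule.action == "discard":
                    record = None
                elif rule.action == "tag":
                    record.setdefault("tags", []).append(rule.tag)
                break  # first match wins; later rules are never consulted
        if record is not None:
            kept.append(record)
    return kept


# The three rules from the post's scenario, expressed as conditions.
TAG_LOGONS = Rule("tag user logons", lambda e: e["EventID"] == 4624, "tag", "user-logon")
DROP_LOGOFFS = Rule("discard logoffs", lambda e: e["EventID"] == 4634, "discard")
DROP_SERVICE = Rule("discard service accounts",
                    lambda e: e["TargetUserName"].startswith("svc_"), "discard")


def tag_first() -> List[Dict]:
    """Tag rule above the exclusions: the service-account logon slips through tagged."""
    return process(SAMPLE_EVENTS, [TAG_LOGONS, DROP_LOGOFFS, DROP_SERVICE])


def exclusions_first() -> List[Dict]:
    """Exclusions above the tag rule: logoffs and service accounts are dropped first."""
    return process(SAMPLE_EVENTS, [DROP_LOGOFFS, DROP_SERVICE, TAG_LOGONS])


if __name__ == "__main__":
    for label, fn in (("tag rule first", tag_first), ("exclusions first", exclusions_first)):
        print(label)
        for r in fn():
            print("  ", r["EventID"], r["TargetUserName"], r.get("tags", []))
```

The logoff discard works in either order because a 4634 event never satisfies the tag rule's `EventID == 4624` condition, which matches the post's observation that some exclusions work and others do not: the ones that fail are the ones whose events are also caught by an earlier, broader rule.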