Trying to setup some basic rules and alerts in Log Analyzer - Windows Event

Question

We just upgraded to Observability and working on some of the new features that we have.  I wanted to start simple with Log Analyzer.

I have been able to create a Global PreProcessing Custom Rule to remove any NT Service\SplunkForwarder messages in LA and it is working just fine.

I have been trying to work with our SSH server application Bitvise to create a rule and alert for failed logins.  I think I am having issues understanding where LA grabs its 'data' for rules from.

Should I be using what is under Data 1 to setup the custom rule?  Also if anyone has instructions on how to do this it would be great.  I have been trying to follow the Solarwinds Docs.

In this example they are using SSH keys but it can be keys or user name/password.

martian_monster · Answer

I took a look at what I was doing and decided to start with Tagging log events.  I was using the event ID to see if that worked but I found out all the Bitvise events all are 4097 so that would not work.  I went into the message and the Data 1 area and used "user authentication rejected" and was able to Tag these events.

I have tagging setup and setup a rule to delete events before they hit Log viewer.  Once I get tagging done I am going to look at the alerting piece.  I was starting to do too much and took a step back and teach myself how this works.

Lofstrand · Answer

Maybe something like this: