Level 7

ZeroLogon Rule: Alert on Windows Server Event

Hi,

We are updating from LEM 6.6 to SEM 2020.2.1. Before doing so, I would like to create a rule to filter on Windows Server Event Viewer ID '5829'. This is the event created for non-secure RPC connections. I only want this to apply to domain controllers. I am new to LEM. Can anyone help me out with this rule?

Thank you.

7 Replies
Level 8

I notice you only want to check DCs, and I would recommend creating a connection profile under Nodes to gather all the DCs in one group. You can follow the process that was listed above, but also filter by connection profile so it only checks DCs. This should cut down on the noise from other agents on your SEM.

0 Kudos

Hello,

I would try something like this:

Screenshot 2020-10-30 at 10.31.31.png

Let me know if this helps.

V*

0 Kudos
Level 8

Check first whether you have any events for this before creating a rule.

Once you find the event, you can create it easily.

Here is a script to check:

https://support.microsoft.com/en-us/help/4557233/script-to-help-in-monitoring-event-ids-related-to-c...

 

Read this too:

https://support.microsoft.com/en-us/help/4557222/how-to-manage-the-changes-in-netlogon-secure-channe....

 

You can create something like this:

Rule is true when
    ServiceWarning.ProviderSID is equal to *5828
    OR
    ServiceWarning.ProviderSID is equal to *5827
    OR
    ServiceWarning.ProviderSID is equal to *5829

0 Kudos
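A quick way to do the "check first" step above, as an added example written for this thread (it is not the Microsoft KB script and not SolarWinds code): enumerate the domain controllers and count Netlogon events 5827/5828/5829 on each, so you know whether a SEM rule on these IDs would ever fire. It assumes the ActiveDirectory module (RSAT) is installed and that the caller can read the System log on each DC remotely.

```powershell
# Added example: count Netlogon secure-channel events 5827/5828/5829 per DC.
# Assumptions: ActiveDirectory module available; remote event log read access.
param(
    [int]$Days = 7   # look-back window, constructed default
)

$ids   = 5827, 5828, 5829
$since = (Get-Date).AddDays(-$Days)

# Only domain controllers are in scope, mirroring the connection-profile
# idea from the thread: the events are logged on the DC, not the client.
$dcs = (Get-ADDomainController -Filter *).HostName

foreach ($dc in $dcs) {
    try {
        $events = Get-WinEvent -ComputerName $dc -FilterHashtable @{
            LogName   = 'System'
            Id        = $ids
            StartTime = $since
        } -ErrorAction Stop
    }
    catch {
        # Get-WinEvent throws instead of returning an empty set when
        # nothing matches; treat that as zero events on this DC.
        if ($_.Exception.Message -match 'No events were found') {
            $events = @()
        }
        else {
            Write-Warning "$dc : $($_.Exception.Message)"
            continue
        }
    }

    # Per-ID counts; 5829 is the one the original poster cares about.
    $summary = $events | Group-Object Id | ForEach-Object {
        '{0}={1}' -f $_.Name, $_.Count
    }
    if (-not $summary) { $summary = 'no events' }
    '{0,-30} {1}' -f $dc, ($summary -join ', ')
}
```

Run it from a domain-joined admin workstation; a DC that shows only "no events" over a week is a DC on which the proposed rule would never fire, which is worth knowing before you tune it.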
Level 9

Have you been able to create the rule?

0 Kudos
Level 7

I am looking for exactly the same thing.  If I find a way I will post it here!

Perry

0 Kudos
