• State Not Answered
  • Locked Locked
  • Replies 2 replies
  • Subscribers 22 subscribers
  • Views 421 views
  • Users 0 members are here
Options
Related
This discussion has been locked. The information referenced herein may be inaccurate due to age, software updates, or external references.
You can no longer post new replies to this discussion. If you have a similar question you can start a new discussion in this forum.

create filters based on windows events

cassandra.berg

Hi all, I'm brand new to log management and LEM and was hoping someone could point me to where I can find some information. I have a list of Windows events that I need to monitor and I'm having trouble creating filters for them. Are there instructions anywhere for creating a filter based on a specific event ID (or a group of them). For example, I need to monitor events 576 (Special privileges assigned to new logon), 577 (Privileged service called), and 578 (Privileged object operation). I like the generic nature of the filter parts in theory but I'm having trouble figuring out what I need to look for. Any help would be greatly appreciated.

Cassandra

  • 0

    I tend to build in nDepth to see what works and then write the Rules/Filters I need. EventIDs are listed as the ProviderSID when you are setting up the Conditions. I would use a wildcard at first i.e. Auditable Events (All).ProviderSID=*517 and then refine it based on what you see hit the filter/nDepth query.

    There are a number of ways to capture events. If I wanted to find logon failures I could either search for the EventID or just use the UserLogonFailure event group.

  • 0

    hi Cassandra,

    My suggestion would be to create a User Defined Group and use it in a filter.

    Look at the Provider SID field for the LEM Events you are interested in. You can then build a User Define Groups with the exact values you see in the Provider SID field as per this KB

    http://knowledgebase.solarwinds.com/kb/questions/3551/Getting+Started+with+User-Defined+Groups

    The Name field is just an alias. The Data field needs to match what you see in the Provider SID field. 

    See the section on 'More on Filter conditions' in the eval guide that shows how to create a filter using a User Defined Group.  http://www.solarwinds.com/documentation/LEM/Docs/LEM_Evaluation_Guide.pdf

    You could also achieve the same outcome with a series of condition groups to be evaluated with an OR logical operator. See Figure 28 in the eval guide for an illustration on where to toggle the AND/OR logic in the filter editor

SolarWinds solutions are rooted in our deep connection to our user base in the THWACK® online community. More than 195,000 members are here to solve problems, share technology and best practices, and directly contribute to our product development process.

SolarWinds Customer Success Center Certification Media Vault Link Accounts
About THWACK Blogs For Government Edit Settings Free Tools & Trials
Legal Documents Terms of Use Privacy California Privacy Rights Security Information
©2024 SolarWinds Worldwide, LLC. All Rights Reserved.