0 Replies Latest reply on Aug 21, 2019 10:13 AM by solarjuang

    Use Log Analyzer to log user Log on sessions in LA 2.1

    solarjuang

      Hi all, I'm trying to create rules to log all of the users' logon events from all Windows servers that I'm currently monitoring, but I want to exclude all of the rest, such as logoffs, all service accounts, and certain Windows event IDs. For some reason, some of the rules are not applying.

      I created one rule to track and tag all of the logons, and that one is working fine, but when I create a new rule to exclude, say, a specific user account, it does not work. I'm doing these rules under the Windows Events Log Processing Configuration.

      Is there a specific order in which the rules must be applied, or am I doing something wrong by creating a rule for every single thing I want to exclude?

       

      For example, one rule states:

      All source computers

      Log Entries

      If

      EventID Is Equal To 4634 (Log Off event ID in Windows)

      Actions

      First

      Discard message

      That's my rule and I make it live.

      I have other rules like this; some work but some don't.

      Any help will be greatly appreciated.
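As an added illustration (not from the original post and not SolarWinds code), the following Python runs the post's rules in order over a few constructed Windows events. It assumes a first-match policy, where the first rule that matches an event decides its fate; whether Log Analyzer actually evaluates rules that way is an assumption, but the example shows how order alone can make an exclusion rule look like it is being ignored.

```python
# Added example: first-match rule evaluator over constructed Windows events.
# ASSUMPTION: the first matching rule decides (discard or tag) and later
# rules are not consulted. Log Analyzer's real semantics may differ.
from dataclasses import dataclass, field
from typing import Callable, List, Optional


@dataclass
class Event:
    event_id: int
    account: str
    tags: List[str] = field(default_factory=list)


@dataclass
class Rule:
    name: str
    matches: Callable[[Event], bool]
    action: str  # "discard" or "tag:<label>"


def apply_rules(event: Event, rules: List[Rule]) -> Optional[Event]:
    """Evaluate rules in order; return None if discarded, else the event."""
    for rule in rules:
        if rule.matches(event):
            if rule.action == "discard":
                return None
            if rule.action.startswith("tag:"):
                event.tags.append(rule.action[4:])
            return event  # first match wins (assumed semantics)
    return event  # no rule matched: keep the event unchanged


# Constructed sample events: 4624 = logon, 4634 = logoff (standard Windows IDs).
SAMPLE_EVENTS = [Event(4624, "alice"), Event(4634, "alice"), Event(4624, "svc_backup")]

# Rules mirroring the post: tag every logon, discard logoffs, discard service accounts.
TAG_LOGONS = Rule("tag logons", lambda e: e.event_id == 4624, "tag:logon")
DROP_LOGOFFS = Rule("drop 4634", lambda e: e.event_id == 4634, "discard")
DROP_SERVICE = Rule("drop svc accounts", lambda e: e.account.startswith("svc_"), "discard")


def surviving(rules: List[Rule]) -> List[str]:
    """Describe the events kept after running the given rule order."""
    kept = []
    for ev in SAMPLE_EVENTS:
        result = apply_rules(Event(ev.event_id, ev.account), rules)
        if result is not None:
            kept.append(f"{result.account}:{result.event_id}:{','.join(result.tags) or '-'}")
    return kept
```

With exclusions placed before the tagging rule, only alice's logon survives; with the tagging rule first, the service-account logon is tagged and never reaches the discard rule.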