There are two possible scenarios where you could potentially track this information.
1) monitor web traffic through proxy / firewall - If you are routing your web traffic from users through a proxy or firewall which logs traffic, get the syslog events to send to LEM and identify the interesting events. You can choose to filter these in the monitor, or apply a rule to take action when this event triggers the rule.
2) Check that this is logged on the workstation - This will be more costly as you will need to then purchase a licence for the workstations you want to monitor, as an agent would need to be deployed to each workstation in question. There is a possibility that Outlook logs to an event log this type of activity.
I would pursue option 1. It looks as though you have already done this too and have identified that the URL contains /ical/.
The simplest way to create a rule is to build an nDepth query first to prove you can correlate on the event you are trying to configure the trigger for.
Start with a keyword search for /ical/ and it will most likely take you to an event "WebTrafficAudit".
Create a User-Defined Group and add an entry for /ical/
Perform an nDepth query for the following criteria
WebTrafficAudit.URL CONTAINS /ical/
If this returns the expected results, build a new rule and set the correlation to the same as the above, specify a correlation time and appropriate action.
NOTE: Be very careful about using email alerts as you could end up flooding your inbox, or someone else's, notifying of this event. Also take caution about what active responses you do perform too, as these can be quite destructive if you get them wrong.
Always put into test mode before enabling the rule and monitor the rule in the monitor window under rule activity filter. It will show here if the rule has been fired.
Remember to activate the rules if you make a change or add one or the agent nodes will not get the update to the rules.
Hope that this helps.
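As an added example, not from this thread or from SolarWinds, here is the same logic the rule above expresses (filter where the URL contains /ical/, then correlate matches within a time window before taking an action) applied to constructed proxy syslog lines in Python. The line format, host names and URLs are assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample proxy/firewall syslog lines (not real LEM output).
# Assumed fields: ISO timestamp, source host, requested URL.
SAMPLE_LOG = """\
2024-01-10T09:00:01 host=ws-01 url=https://calendar.example.com/ical/team.ics
2024-01-10T09:00:05 host=ws-02 url=https://intranet.example.com/index.html
2024-01-10T09:00:30 host=ws-01 url=https://calendar.example.com/ical/me.ics
2024-01-10T09:01:10 host=ws-01 url=https://calendar.example.com/ical/other.ics
2024-01-10T09:20:00 host=ws-03 url=https://calendar.example.com/ical/x.ics
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) host=(?P<host>\S+) url=(?P<url>\S+)$")

def parse_events(text):
    """Parse each log line into a dict; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append({"ts": datetime.fromisoformat(m["ts"]),
                           "host": m["host"], "url": m["url"]})
    return events

def match_rule(events, needle="/ical/"):
    """Equivalent of the nDepth filter 'WebTrafficAudit.URL CONTAINS /ical/'."""
    return [e for e in events if needle in e["url"]]

def correlate(matches, window, threshold):
    """Fire once per host when `threshold` matches fall inside `window`.

    This mirrors a rule's correlation time: the alert fires when the N-th
    matching event from one host arrives within `window` of the first event
    of the current burst, then the burst resets so one alert is raised per
    burst rather than per event (which is what floods an inbox).
    """
    bursts = defaultdict(list)
    alerts = []
    for e in sorted(matches, key=lambda x: x["ts"]):
        burst = bursts[e["host"]]
        burst.append(e["ts"])
        while burst and e["ts"] - burst[0] > window:  # expire old events
            burst.pop(0)
        if len(burst) >= threshold:
            alerts.append((e["host"], e["ts"]))
            burst.clear()
    return alerts

def run(text=SAMPLE_LOG):
    """Filter then correlate: 2 hits from one host within 5 minutes raise an alert."""
    return correlate(match_rule(parse_events(text)), timedelta(minutes=5), threshold=2)
```

With the sample lines, ws-01 triggers a single alert at 09:00:30 and ws-03's lone hit does not, which is the behaviour to confirm in test mode before enabling any active response.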
Thanks for the quick reply Garreth.
I actually do have nodes deployed on all of the workstations that I am interested in throwing alerts for.
What would be the process for monitoring a single workstation for this type of traffic, or a group of workstations with nodes deployed on them?
Firstly, you would have to identify if the event is being logged to an event log. If the workstations are Windows 7, there is a plethora of event logs which are turned off by default. Identify which to turn on and get testing to prove the events are generated.
Next you can go to LEM, Manage Nodes, select the node and click the gear icon and open the connectors config. Have a look for a matching connector, else you will need to make a new one and match up the log location on the connector to where it is saved on the workstation. I have yet to try this, but suspect that you can clone the Windows Application Log connector / add a new one and change the name of the log to the same name as the log you are going to configure the agent to send events from.
If the above doesn't work, it will be a case of raising a ticket to SolarWinds to see if it is possible. It will be good if you could report your findings and I am sure that it is very much possible.
All the best on your discovery.