6 Replies Latest reply on Nov 12, 2015 11:11 AM by twuk

    Filter NT Authority\System

    sejod2004

      I am running 6.2.0RC1. I have FIM running on a file server and pointing to one folder. I get a lot of events with NT Authority\System in them. One file opened creates 8 events. 5 of 8 are from NT\System.

      Because they don't tell me anything about who did what, I am trying to filter it out. I have set this filter but still get them. I have tried SYSTEM with * and without.

      Any ideas?


        • Re: Filter NT Authority\System
          curtisi

          Take out that first line that just says "File Audit Alerts".  It'll fix the issue.


          You have an OR on that section of the rule (the orange stripe means OR), so the LEM is grabbing everything that is a FILE AUDIT ALERT OR everything that is a FILE AUDIT ALERT that doesn't include the SOURCE ACCOUNT *SYSTEM*.  That means it grabs ALL FILE AUDIT ALERTS.


          Change the OR or remove the first condition, I bet it works.


          Also, and I see this a lot:

          You don't need to tell the LEM to look for "Thing" and "Thing.SpecificField."  "Thing" is implied by "Thing.SpecificField" so you only need the second thing.


          Furthermore:

          Why are you still on a release candidate?  Go get the release version of 6.2!


          As an example that might work:

          (It looks like you have modified the default "File Audit Alerts" group, so I have a modified group with a different name, but this should still work in principle)

          (Screenshot: 2015-10-02 10_13_26-SolarWinds Log & Event Manager.png)

            • Re: Filter NT Authority\System
              sejod2004

              That worked. I thought the other bar said AND.

              I thought the big bar was for another set of conditions, but I just realized you cannot create another set of conditions.

              Still learning.


              • Re: Filter NT Authority\System
                sejod2004

                Also, and I see this a lot:

                You don't need to tell the LEM to look for "Thing" and "Thing.SpecificField."  "Thing" is implied by "Thing.SpecificField" so you only need the second thing.


                OK. Wanna make sure I understand. You don't need to identify "File Audit Alerts" because "FileAttributeChange" is part of the "File Audit Alerts" group.

                So when you identify a single event like "FileAttributeChange", the LEM assumes you are talking about the "File Audit Alerts" group.


                Do I have that correct?

                  • Re: Filter NT Authority\System
                    curtisi

                    FileAttributeChange is included within the "File Audit Alerts" group, so specifying that something be a FileAttributeChange AND in the File Audit Alerts group is redundant.  This doesn't work the other way, though, as there are other events in the File Audit Alerts group besides the FileAttributeChange.

                      • Re: Filter NT Authority\System
                        sejod2004

                        With that filter in place I am not getting file deletes. The source account is not SYSTEM here. It's a user.

                        I am trying to create a filter that shows file deletes, writes and creates, but not show from EventInfo .TMP files, NT Authority\SYSTEM doing something to the file, and ~$ files.

                        It seems like I cannot get the right combo down. Not even sure it's possible. I know a lot of this depends on what Windows shows. I do see many people with the same questions.


                        (Screenshot: Screenshot_100215_040205_PM.jpg)
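To make the two filter problems in this thread concrete (the OR stripe that swallows the SYSTEM exclusion in curtisi's reply, and the delete/write/create filter with .TMP, ~$ and SYSTEM exclusions asked for just above), here is an added toy model of the filter logic. It is example code, not LEM's own; the event field names (event_type, source_account, file_name) and the sample events are constructed assumptions standing in for the LEM fields.

```python
from fnmatch import fnmatchcase

# Constructed stand-in for the "File Audit Alerts" group (assumed membership).
FILE_AUDIT_ALERTS = {"FileRead", "FileWrite", "FileCreate", "FileDelete", "FileAttributeChange"}
SYSTEM_PATTERN = "*SYSTEM*"  # the wildcard the original poster tried on Source Account

# Constructed sample: one user touching one file plus the SYSTEM noise around it.
EVENTS = [
    {"event_type": "FileRead", "source_account": "DOMAIN\\alice", "file_name": "report.docx"},
    {"event_type": "FileRead", "source_account": "NT AUTHORITY\\SYSTEM", "file_name": "report.docx"},
    {"event_type": "FileRead", "source_account": "NT AUTHORITY\\SYSTEM", "file_name": "report.docx"},
    {"event_type": "FileAttributeChange", "source_account": "NT AUTHORITY\\SYSTEM", "file_name": "report.docx"},
    {"event_type": "FileCreate", "source_account": "DOMAIN\\alice", "file_name": "~$report.docx"},
    {"event_type": "FileWrite", "source_account": "DOMAIN\\alice", "file_name": "~WRD0001.TMP"},
    {"event_type": "FileWrite", "source_account": "DOMAIN\\alice", "file_name": "report.docx"},
    {"event_type": "FileDelete", "source_account": "DOMAIN\\alice", "file_name": "old.txt"},
    {"event_type": "FileCreate", "source_account": "NT AUTHORITY\\SYSTEM", "file_name": "report.docx"},
]


def is_system(event):
    # Case-insensitive wildcard match on the source account, as the thread's *SYSTEM* intends.
    return fnmatchcase(event["source_account"].upper(), SYSTEM_PATTERN)


def broken_filter(event):
    # Original rule: "File Audit Alerts" OR ("File Audit Alerts" AND NOT *SYSTEM*).
    # The first OR branch alone is already true for every alert, so nothing is excluded.
    in_group = event["event_type"] in FILE_AUDIT_ALERTS
    return in_group or (in_group and not is_system(event))


def fixed_filter(event):
    # curtisi's fix: drop the bare group condition so only the AND NOT branch remains.
    return event["event_type"] in FILE_AUDIT_ALERTS and not is_system(event)


def change_filter(event):
    # Later request: deletes, writes and creates only; hide SYSTEM, .TMP and ~$ files.
    name = event["file_name"]
    if event["event_type"] not in {"FileCreate", "FileWrite", "FileDelete"}:
        return False
    if is_system(event) or name.upper().endswith(".TMP") or name.startswith("~$"):
        return False
    return True


def apply_filter(rule, events):
    return [e for e in events if rule(e)]
```

Running the broken rule over the sample keeps all nine events, the fixed rule keeps the five non-SYSTEM ones, and the change filter leaves only the user's write to report.docx and delete of old.txt.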

                          • Re: Filter NT Authority\System
                            twuk

                            I have a feature request open for FIM to address the differing amounts of windows read events created when a file is opened (one per thread). What I want is a FIM event that triggers when >1 windows event is created, furthermore I want to ignore the NT\Authority events and focus on the DOMAIN\user event.


                            I have also noticed the file type seems flawed: when I set FIM on a .csv file I get events when my FIM is set at *.* but not when it is set at *.csv.


                            I think FIM has the potential to be a great tool with a bit more work.


                            I think in essence it should create its own alerts which we can create rules on.