Event Capture

Hello,

I'm looking to capture a specific event (5826) on our domain controllers. Is there a way to do this through InTrust?

CS

        

  • Hi Charles,

    Sorry for the delay. Sure, InTrust can capture this event.

    If you are using the simplified Collections via InTrust Deployment Manager, and have specified to collect the System log, this event is collected automatically.

    If you are using scheduled gathering, go to InTrust Manager | Gathering | Gathering Policies | <The policy that you use>, and check which data sources the policy includes. If there is no "Windows System Log" data source, add it. Open its properties. In the Repository Filter tab, add "Custom filter for System Log", rename it if you need to, e.g. "5826", and on the Matching tab replace the 0-4294967295 EventID range list with 5826-5826. Apply and commit the changes. 5826 events will be collected during the next scheduled gathering session.
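
To confirm what the gathering session should pick up, the same System log / event ID 5826 selection can be queried directly on each domain controller. This is an added example, not part of the original reply or InTrust itself; it assumes the ActiveDirectory RSAT module, remote event log access to the DCs, and a 7-day look-back window chosen for illustration.

```powershell
# Added example: count event ID 5826 in the System log on every domain controller,
# to compare against what the InTrust gathering session collects.
# Assumptions: ActiveDirectory module installed, caller may read remote event logs.
Import-Module ActiveDirectory

$EventId = 5826                      # event ID from the question
$Since   = (Get-Date).AddDays(-7)    # look-back window (assumed; adjust as needed)

$results = foreach ($dc in Get-ADDomainController -Filter *) {
    $row = [ordered]@{ DC = $dc.HostName; Count = 0; Newest = $null; Status = 'OK' }
    try {
        # Same selection as the InTrust filter: System log, EventID range 5826-5826
        $events = Get-WinEvent -ComputerName $dc.HostName -ErrorAction Stop -FilterHashtable @{
            LogName   = 'System'
            Id        = $EventId
            StartTime = $Since
        }
        $row.Count  = @($events).Count
        # Get-WinEvent returns newest events first
        $row.Newest = ($events | Select-Object -First 1).TimeCreated
    }
    catch {
        # Get-WinEvent raises an error, rather than returning nothing, when no event matches
        if ($_.FullyQualifiedErrorId -like 'NoMatchingEventsFound*') {
            $row.Status = 'No matching events'
        }
        else {
            # Unreachable DC, firewall, or access denied: do not read this as "zero events"
            $row.Status = "Query failed: $($_.Exception.Message)"
        }
    }
    [pscustomobject]$row
}

$results | Sort-Object DC | Format-Table -AutoSize
```

A DC that reports "Query failed" needs to be checked separately before concluding that the event is absent there.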
