Application log and realtime alert

In our environment we have an old application that writes every event to the Application log with the same Event ID, 0.

I have tried to get the developers to change it but no go there.

Additionally, they dump everything into the description. So, I need to write a realtime monitor that looks for a string in Insertion String 1 that contains

"Access Denied.  This user is inactive."

or

"Access Denied. This user account does not exist."

and then alert when 3 of the events that contain those strings occur within a 10 minute time frame.

Is this something you could teach me how to do or point me at the technical documentation that covers it?

    Hi Wade,

    The documentation describes all REL functions you can use; it is here: https://support.quest.com/technical-documents/intrust/11.4.1/customization-kit/7#TOPIC-1113317

    The examples can be found inside the whole set of predefined InTrust rules.

    I've created the rule XML for you; just create a copy of some rule and paste this text into Matching | Advanced. Also make sure the rule is using the Windows Application Log (not the Security Log) on the Data Sources tab.

    Also, I've noticed that before "This user is inactive." there are two spaces, while before "This user account does not exist." there is only one. Be careful!


    <rule type="REL" version="1.0">
    <arguments>
    <argument displayname="Time period" name="Time period" description="Time period in which the events occurred." class="DateTimeRange">
    <value>"0/00/0 00:10:00"</value>
    </argument>
    <argument displayname="Threshold" name="Threshold" description="Events threshold." class="Number">
    <value>3</value>
    </argument>
    <argument displayname="Keys" name="Keys" class="List" description="A list of key phrases to search in the Insertion String 1.">
    <value>"*Access Denied.  This user is inactive.*", "*Access Denied. This user account does not exist.*"</value>
    </argument>
    </arguments>
    <prefilter>

    EventID = 0;

    </prefilter>
    <body>

    EventID = 0
    and in( String1, "wi", array(<parameter name="Keys"/>) )

    and count(select_filtered(
    EventID = 0 and in( String1, "wi", array(<parameter name="Keys"/>) ),
    Z.EventID = 0 and in( Z.String1, "wi", array(<parameter name="Keys"/>) ),
    <parameter name="Time period"></parameter> ))
    &gt;= <parameter name="Threshold"></parameter>

    and empty(select_matches(
    EventID = 0,
    <parameter name="Time period"></parameter> ));

    </body>
    </rule>
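To check the window, threshold and double-space behaviour of the rule above before deploying it, here is an added Python simulation of the same logic over constructed Application-log events (this is example code, not InTrust's or the rule's own implementation). It assumes the REL "wi" flags mean wildcard, case-insensitive matching and that the select_matches clause suppresses a second alert inside the same window; the sample events and timestamps are made up.

```python
from datetime import datetime, timedelta
from fnmatch import fnmatchcase

# Key phrases from the rule's "Keys" argument; note the two spaces in the first one.
KEYS = ["*Access Denied.  This user is inactive.*",
        "*Access Denied. This user account does not exist.*"]
WINDOW = timedelta(minutes=10)   # "Time period" argument
THRESHOLD = 3                    # "Threshold" argument

def matches_key(string1):
    """Assumed semantics of in(String1, "wi", Keys): wildcard + case-insensitive."""
    s = string1.lower()
    return any(fnmatchcase(s, k.lower()) for k in KEYS)

def find_alerts(events):
    """events: (timestamp, event_id, insertion_string_1) tuples.
    Returns the timestamps at which the rule would fire: the current event
    matches, at least THRESHOLD matching events fall inside the trailing
    window, and no alert has already fired inside that window."""
    alerts, recent = [], []
    for ts, event_id, string1 in sorted(events):
        if event_id != 0 or not matches_key(string1):   # prefilter + key check
            continue
        recent = [t for t in recent if ts - t <= WINDOW] + [ts]
        already_fired = any(ts - a <= WINDOW for a in alerts)  # select_matches
        if len(recent) >= THRESHOLD and not already_fired:
            alerts.append(ts)
    return alerts

# Constructed sample data (hypothetical events, all with the application's Event ID 0
# except one control event with a different ID).
T0 = datetime(2024, 1, 1, 9, 0, 0)
SAMPLE_EVENTS = [
    (T0,                          0, "Access Denied.  This user is inactive. User: alice"),
    (T0 + timedelta(minutes=2),   0, "Backup completed."),                       # noise
    (T0 + timedelta(minutes=4),   0, "Access Denied. This user account does not exist. User: bob"),
    (T0 + timedelta(minutes=5),   7, "Access Denied.  This user is inactive."),   # wrong Event ID
    (T0 + timedelta(minutes=8),   0, "access denied. this user account does not exist. User: carol"),
    (T0 + timedelta(minutes=9),   0, "Access Denied.  This user is inactive. User: dave"),
    (T0 + timedelta(minutes=30),  0, "Access Denied. This user is inactive. User: erin"),  # one space
]

if __name__ == "__main__":
    for when in find_alerts(SAMPLE_EVENTS):
        print("ALERT at", when)   # fires once, at T0 + 8 minutes
```

The 09:09 event is suppressed because an alert already fired inside the window, and the 09:30 event never matches because its single space does not satisfy the two-space key.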