[Alert] On gaps in events in a specific Windows event log
Here is an example rule that can monitor gaps in events in any Windows log specified as a data source.
The rule is based on the REL missing function; more details about the REL syntax can be found here.
Example Rule for gaps in the InTrust Server log:
<?xml version="1.0" encoding="utf-8" ?>
<!--
==============================================================================
Copyright 2018 Quest Software Inc. ALL RIGHTS RESERVED.
$Workfile: One-hour gap in events in InTrust log.xml $
$Revision: 0 $
$Modtime: 11/29/2018 1:35:41 AM $
==============================================================================
THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND,
EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE IMPLIED
WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A PARTICULAR PURPOSE.
==============================================================================
-->
<ITRTProcessingRule original_parent="\Configuration\Objects\{F81E88B8-5629-4698-AEB7-38731A4B1520}\RuleGroups\{6E6EA780-52CB-4F32-A449-01A8A5D8011E}\ChildGroups\{45905482-9AA7-483F-8CD2-F640B57F262F}\Rules">
<LimitEventsCount>10</LimitEventsCount>
<SuppressBySeverity>0</SuppressBySeverity>
<Description>This rule is matched if InTrust services have not written any events to the log during the past hour.</Description>
<GenerateAlert>1</GenerateAlert>
<AlertInitialState>0</AlertInitialState>
<Name>One-hour gap in events in InTrust log</Name>
<Guid>{E408E12E-539C-4871-9D03-73493FF07495}</Guid>
<MatchCondition>…</MatchCondition>
<AlertSeverity>48</AlertSeverity>
<Enabled>1</Enabled>
<SuppressByAlertCode>0</SuppressByAlertCode>
<Schedule>FFFFFF00FFFFFF00FFFFFF00FFFFFF00FFFFFF00FFFFFF00FFFFFF00</Schedule>
<VendorKnowledgeBase></VendorKnowledgeBase>
<ConditionType>{E00EE0F1-B3DF-4122-89B4-738EF5EC1C52}</ConditionType>
<SuppressByName>0</SuppressByName>
<AlertSuppression>0</AlertSuppression>
<CustomerKnowledgeBase></CustomerKnowledgeBase>
<Distribution></Distribution>
<AlertName>%RuleName% on %HostName%</AlertName>
<SuppressByRuleID>0</SuppressByRuleID>
<DoNotSaveEvents>0</DoNotSaveEvents>
<SuppressByHostName>0</SuppressByHostName>
<Condition></Condition>
<AlertComment></AlertComment>
<FilterCondition></FilterCondition>
<AlertDescription>There were no new events in the log during the past hour.</AlertDescription>
<ScheduleEnabled>0</ScheduleEnabled>
<SuppressBySiteID>0</SuppressBySiteID>
<AlertAssignment></AlertAssignment>
<RuleDistribution>0</RuleDistribution>
<AlertCode>AE_IT_INT_111</AlertCode>
<NotificationFormats>
<ITRTNotificationFormat>
<Guid>{E408E12E-F9F9-4ea3-9F27-8C44C88D9B49}</Guid>
<ComposerTemplate>…</ComposerTemplate>
<ComposerId>{C40DBB2E-DF56-43AC-8392-EFB2D0DDCC5A}</ComposerId>
<Enabled>1</Enabled>
<NotificationType>{E01E93C2-938C-4BBD-88D9-0FD3B0E631E4}</NotificationType>
</ITRTNotificationFormat>
</NotificationFormats>
<DataSources>
<ITRTRuleDataSource>
<Guid>{E408E12E-8E29-4b0f-AAF1-3A175020090B}</Guid>
<DataSourceId>{E408E12E-A35B-4700-83D1-76C19DD49F3A}</DataSourceId>
</ITRTRuleDataSource>
</DataSources>
</ITRTProcessingRule>
Example Rule for gaps in the Change Auditor for AD log:
<?xml version="1.0" encoding="utf-8" ?>
<!--
==============================================================================
Copyright 2018 Quest Software Inc. ALL RIGHTS RESERVED.
$Workfile: One-hour gap in events in Change Auditor for ADAM log.xml $
$Revision: 0 $
$Modtime: 11/29/2018 1:35:27 AM $
==============================================================================
THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND,
EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE IMPLIED
WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A PARTICULAR PURPOSE.
==============================================================================
-->
<ITRTProcessingRule original_parent="\Configuration\Objects\{F81E88B8-5629-4698-AEB7-38731A4B1520}\RuleGroups\{CE5E7578-2EC4-4381-A344-B1367C9C9D73}\ChildGroups\{CE5E7578-A670-4D04-8A63-F0388F1B95A9}\Rules">
<LimitEventsCount>10</LimitEventsCount>
<SuppressBySeverity>0</SuppressBySeverity>
<Description>This rule is matched if the Change Auditor for ADAM service has not written any events to the log during the past hour.</Description>
<GenerateAlert>1</GenerateAlert>
<AlertInitialState>0</AlertInitialState>
<Name>One-hour gap in events in Change Auditor for ADAM log</Name>
<Guid>{CE5E7578-539C-4871-9D03-73493FF07495}</Guid>
<MatchCondition>…</MatchCondition>
<AlertSeverity>48</AlertSeverity>
<Enabled>1</Enabled>
<SuppressByAlertCode>0</SuppressByAlertCode>
<Schedule>FFFFFF00FFFFFF00FFFFFF00FFFFFF00FFFFFF00FFFFFF00FFFFFF00</Schedule>
<VendorKnowledgeBase></VendorKnowledgeBase>
<ConditionType>{E00EE0F1-B3DF-4122-89B4-738EF5EC1C52}</ConditionType>
<SuppressByName>0</SuppressByName>
<AlertSuppression>0</AlertSuppression>
<CustomerKnowledgeBase></CustomerKnowledgeBase>
<Distribution></Distribution>
<AlertName>%RuleName% on %HostName%</AlertName>
<SuppressByRuleID>0</SuppressByRuleID>
<DoNotSaveEvents>0</DoNotSaveEvents>
<SuppressByHostName>0</SuppressByHostName>
<Condition></Condition>
<AlertComment></AlertComment>
<FilterCondition></FilterCondition>
<AlertDescription>There were no new events in the log during the past hour.</AlertDescription>
<ScheduleEnabled>0</ScheduleEnabled>
<SuppressBySiteID>0</SuppressBySiteID>
<AlertAssignment></AlertAssignment>
<RuleDistribution>0</RuleDistribution>
<AlertCode>AE_AD_ADM_014</AlertCode>
<NotificationFormats>
<ITRTNotificationFormat>
<Guid>{CE5E7578-F9F9-4ea3-9F27-8C44C88D9B49}</Guid>
<ComposerTemplate>…</ComposerTemplate>
<ComposerId>{C40DBB2E-DF56-43AC-8392-EFB2D0DDCC5A}</ComposerId>
<Enabled>1</Enabled>
<NotificationType>{E01E93C2-938C-4BBD-88D9-0FD3B0E631E4}</NotificationType>
</ITRTNotificationFormat>
</NotificationFormats>
<DataSources>
<ITRTRuleDataSource>
<Guid>{CE5E7578-8E29-4b0f-AAF1-3A175020090B}</Guid>
<DataSourceId>{CE5E7578-BC1D-4D97-85E6-C2482AD2214C}</DataSourceId>
</ITRTRuleDataSource>
</DataSources>
</ITRTProcessingRule>
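As an added example (not Quest's or InTrust's own code), the script below reads the alert fields from a trimmed copy of the Change Auditor rule above and evaluates the same one-hour gap condition over a constructed list of event timestamps, rendering the `%RuleName% on %HostName%` alert name the way the rule's AlertName field describes. The `gap_detected` logic is a stand-in for the REL match condition, which the page does not reproduce; the host name and event times are constructed for the demonstration.

```python
"""Added example: evaluate an InTrust-style one-hour gap rule outside InTrust."""
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

# Trimmed copy of the rule fields used here (values taken from the rule on the page;
# the MatchCondition body is not reproduced).
RULE_XML = """<ITRTProcessingRule>
<Name>One-hour gap in events in Change Auditor for ADAM log</Name>
<AlertName>%RuleName% on %HostName%</AlertName>
<AlertDescription>There were no new events in the log during the past hour.</AlertDescription>
<AlertCode>AE_AD_ADM_014</AlertCode>
</ITRTProcessingRule>"""

GAP = timedelta(hours=1)  # the window named in the rule's Description

def load_rule(xml_text):
    """Pull the alert-related fields out of the rule XML."""
    root = ET.fromstring(xml_text)
    return {tag: (root.findtext(tag) or "")
            for tag in ("Name", "AlertName", "AlertDescription", "AlertCode")}

def gap_detected(event_times, now, gap=GAP):
    """True when no event falls in the window (now - gap, now].
    An empty list also counts as a gap: a silent source is what the rule exists to catch."""
    return not any(now - gap < t <= now for t in event_times)

def render_alert(rule, host):
    """Expand the %RuleName% / %HostName% placeholders used in the rule's AlertName."""
    return rule["AlertName"].replace("%RuleName%", rule["Name"]).replace("%HostName%", host)

def evaluate(xml_text, event_times, now, host):
    """Return the alert that would be raised, or None when events are still flowing."""
    rule = load_rule(xml_text)
    if not gap_detected(event_times, now):
        return None
    return {"alert": render_alert(rule, host),
            "code": rule["AlertCode"],
            "description": rule["AlertDescription"]}

# Constructed sample: the source wrote its last event 90 minutes before "now".
NOW = datetime(2018, 11, 29, 3, 0, tzinfo=timezone.utc)
SAMPLE_TIMES = [NOW - timedelta(minutes=m) for m in (240, 150, 90)]

if __name__ == "__main__":
    print(evaluate(RULE_XML, SAMPLE_TIMES, NOW, "DC01"))  # hypothetical host name
```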