
Attempting to create a simple alert for specific Application Event Log ID

I feel like this should be easier, but all I'm trying to do is create an alert on Event ID 502 from the Application log. 

I've added Application Logs as a Data Source on this collection of workstations, and even confirmed by manually browsing Repository Viewer that the 502 event ID has been logged and ingested by InTrust; however, my alert fails to alert on it.


I made a copy of the Unexpected reboot alert, changed the data source to Windows Application Log and modified the XML as follows. Is there a reason this isn't working? Do I need to specify the Application log somewhere in the XML?

Thanks for any help. 


<?xml version="1.0"?>
<rule type="REL" version="1.0">
  <arguments>
  </arguments>
  <!-- prefilter: cheap check on the event ID before the full body condition is evaluated -->
  <prefilter>
    in_range(EventID, "502");
  </prefilter>
  <!-- body: both conditions must hold for the rule to fire.
       striequ(Source, ...) must match the event's Source field; "eventlog" is the value
       carried over from the copied Unexpected reboot rule. -->
  <body>
    EventID = 502
    and striequ(Source, "eventlog");
  </body>
</rule>

  • OK, I figured it out: I needed to replace (Source, "eventlog"); with the source of that particular Event ID, which was (Source, "Microsoft-Windows-Folder Redirection");

    Now trying to figure out how to have the User Account also added to the alert.
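The rule above failed because the Source string in the body did not match the provider that actually wrote event 502, and the follow-up asks how to get the user account into the alert. The check below is an added example, not code from the original post or from Quest InTrust: it queries the Application log on the local workstation for every event 502, lists the distinct provider names (the value the rule's Source comparison has to match), and then resolves the account each matching event was logged under. The event ID and the provider name 'Microsoft-Windows-Folder Redirection' are taken from the thread; everything else (variable names, the output columns) is an assumption made for illustration.

```powershell
# Added example (not from the original post or from InTrust): confirm what event 502
# actually looks like in the Application log before encoding its fields in a rule.
# Assumptions: the event to alert on is ID 502, and the expected provider is the one
# reported in the thread, "Microsoft-Windows-Folder Redirection".

$EventId      = 502
$ProviderName = 'Microsoft-Windows-Folder Redirection'

# Pull every 502 from the Application log regardless of provider, so a wrong guess
# about the Source shows up as a visible mismatch instead of an empty result.
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Application'; Id = $EventId } `
                       -ErrorAction SilentlyContinue

if (-not $events) {
    Write-Warning "No event $EventId found in the Application log on $env:COMPUTERNAME"
    return
}

# Distinct provider names: this is the exact string striequ(Source, ...) must match.
Write-Host "Providers that logged event ${EventId}:"
$events | Group-Object ProviderName | Select-Object Name, Count | Format-Table -AutoSize

# For the events from the expected provider, resolve the account the event ran under.
# UserId is a SID (or $null for events with no user context); translate it to DOMAIN\user
# and fall back to the raw SID if the lookup fails (e.g. a deleted or foreign account).
$events |
    Where-Object ProviderName -eq $ProviderName |
    ForEach-Object {
        $account = $null
        if ($_.UserId) {
            try   { $account = $_.UserId.Translate([System.Security.Principal.NTAccount]).Value }
            catch { $account = $_.UserId.Value }
        }
        [pscustomobject]@{
            TimeCreated = $_.TimeCreated
            Id          = $_.Id
            Provider    = $_.ProviderName
            User        = $account
            # First line of the description only, to keep the table readable.
            Message     = ($_.Message -split "`n")[0]
        }
    } | Format-Table -AutoSize
```

Run it on one of the workstations in the collection (or point `Get-WinEvent` at a remote host with `-ComputerName`). If the provider table shows a name other than the one in the rule, that is the string to put in `striequ(Source, ...)`; if the User column is empty, the event carries no user SID and the account, when present at all, is only in the message text, which is what a rule would have to extract to include it in the alert.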