
Attempting to create a simple alert for specific Application Event Log ID

I feel like this should be easier, but all I'm trying to do is create an alert on Event ID 502 from the Application log.

I've added Application Logs as a Data Source on this collection of workstations, and have even confirmed by manually browsing the Repository Viewer that Event ID 502 has been logged and ingested by InTrust; however, my alert fails to alert on it.


I made a copy of the Unexpected reboot alert, changed the data source to Windows Application Log and modified the XML as follows. Is there a reason this isn't working? Do I need to specify the Application log somewhere in the XML code?

Thanks for any help. 


<?xml version="1.0"?>
<rule type="REL" version="1.0">
  <arguments>
  </arguments>
  <prefilter>
    in_range(EventID, "502");
  </prefilter>
  <body>
    EventID = 502
    and striequ(Source, "eventlog");
  </body>
</rule>
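To see exactly which records the rule as posted accepts, here is an added Python re-implementation of its two conditions (the prefilter's in_range on EventID and the body's EventID/striequ test) run over constructed sample events; this is illustration code, not InTrust's own evaluator, and the "N-M" range syntax for in_range is an assumption beyond the single "502" the page shows.

```python
# Added example, not InTrust code: a minimal Python model of the posted REL
# rule (prefilter in_range on EventID, body EventID = 502 and
# striequ(Source, "eventlog")), applied to constructed events so the reader
# can see which records satisfy BOTH conditions.

def in_range(value, spec):
    """Mimic in_range(EventID, "502"). Assumption: spec is "N" or "N-M"."""
    lo, _, hi = spec.partition("-")
    hi = hi or lo
    return int(lo) <= int(value) <= int(hi)

def striequ(a, b):
    """Case-insensitive string equality, mirroring REL's striequ()."""
    return a.casefold() == b.casefold()

def posted_rule_matches(event):
    """Apply the posted prefilter, then the posted body, to one event."""
    if not in_range(event["EventID"], "502"):
        return False                      # prefilter rejects the record
    return event["EventID"] == 502 and striequ(event["Source"], "eventlog")

# Constructed sample events (not real data): the kind of System-log record
# the copied "Unexpected reboot" rule targets, plus Application-log 502s
# with differing Source fields.
SAMPLE_EVENTS = [
    {"Log": "System",      "EventID": 6008, "Source": "EventLog"},
    {"Log": "Application", "EventID": 502,  "Source": "EventLog"},
    {"Log": "Application", "EventID": 502,  "Source": "SomeApp"},
]

def evaluate(events=SAMPLE_EVENTS):
    """Return (Log, EventID, Source, matched) for each event."""
    return [(e["Log"], e["EventID"], e["Source"], posted_rule_matches(e))
            for e in events]

if __name__ == "__main__":
    for row in evaluate():
        print(row)
```

Note that the rule text never names the Application log; the only fields it tests are EventID and Source.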

  • Hi duran,

    Copying from another rule is worthwhile if the rule is complex, and vice versa. So, in your case I recommend creating the rule from scratch: in some rule group click "New Rule", choose "Single event" -> "Windows Application Log" -> "Custom Filter for Application Log" -> "Event ID" -> "Edit", set "From 502 to 502" and give a name to this rule, that's it.