Quest Community
InTrust Wiki

Events flow gap from the Windows Event Log

[Alert] On gaps in events in the specified Windows event log

Here is an example rule that can monitor gaps in events in any Windows log specified as a data source.

The rule is based on the REL "missing" function; more details about REL syntax can be found in the InTrust documentation. In both example rules below, the MatchCondition element stores the REL rule as a length-prefixed UTF-16LE string; decoded, its body is the single statement missing(true, "0 * * * *", "1:00"); (the literals are a cron-style hourly schedule and a one-hour interval, which is what the rule description "no events during the past hour" refers to).
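To make the behaviour of an hourly "no events in the past hour" check concrete, here is an added, stand-alone Python model of that logic (not Quest's code and not REL; the event timestamps are constructed for the example). It evaluates the check at the top of every hour, the same cadence as a "0 * * * *" schedule, and reports each check time whose preceding one-hour window contained no events.

```python
from datetime import datetime, timedelta
from typing import Iterator, List

# Constructed sample: times at which events were written to a monitored log (UTC).
# The log goes quiet after 09:55 and resumes at 11:20, so the 11:00 check sees an empty hour.
SAMPLE_EVENT_TIMES = [
    datetime(2018, 11, 29, 8, 5),
    datetime(2018, 11, 29, 8, 40),
    datetime(2018, 11, 29, 9, 15),
    datetime(2018, 11, 29, 9, 55),
    datetime(2018, 11, 29, 11, 20),
    datetime(2018, 11, 29, 11, 45),
]


def hourly_checks(start: datetime, end: datetime) -> Iterator[datetime]:
    """Yield every top-of-the-hour instant in [start, end] (the cron-style "0 * * * *" cadence)."""
    t = start.replace(minute=0, second=0, microsecond=0)
    if t < start:
        t += timedelta(hours=1)
    while t <= end:
        yield t
        t += timedelta(hours=1)


def missing_events(event_times: List[datetime], check_time: datetime,
                   window: timedelta = timedelta(hours=1)) -> bool:
    """True when no event falls inside the half-open window (check_time - window, check_time]."""
    return not any(check_time - window < t <= check_time for t in event_times)


def find_gaps(event_times: List[datetime], start: datetime, end: datetime,
              window: timedelta = timedelta(hours=1)) -> List[datetime]:
    """Return the scheduled check times at which the preceding window held no events."""
    return [c for c in hourly_checks(start, end) if missing_events(event_times, c, window)]


def gap_report(event_times: List[datetime] = SAMPLE_EVENT_TIMES) -> List[str]:
    """ISO-8601 check times that would raise the 'no new events during the past hour' alert."""
    gaps = find_gaps(event_times, event_times[0], event_times[-1])
    return [g.isoformat() for g in gaps]


if __name__ == "__main__":
    for when in gap_report():
        print(f"{when}: There were no new events in the log during the past hour.")
```

The window must be longer than the normal interval between events for the data source being watched; for a low-volume log a one-hour window will alert on healthy quiet periods, so size the interval from the observed event rate before enabling the rule in production.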

Example Rule for gaps in the InTrust Server log:


One-hour gap in events in InTrust log.xml
<?xml version="1.0" encoding="utf-8" ?>

<!--
==============================================================================

Copyright 2018 Quest Software Inc. ALL RIGHTS RESERVED.

$Workfile: One-hour gap in events in InTrust log.xml $
$Revision: 0 $
$Modtime: 11/29/2018 1:35:41 AM $

==============================================================================
THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND,
EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE IMPLIED
WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A PARTICULAR PURPOSE.
==============================================================================
-->

<ITRTProcessingRule original_parent="\Configuration\Objects\{F81E88B8-5629-4698-AEB7-38731A4B1520}\RuleGroups\{6E6EA780-52CB-4F32-A449-01A8A5D8011E}\ChildGroups\{45905482-9AA7-483F-8CD2-F640B57F262F}\Rules">
	<LimitEventsCount>10</LimitEventsCount>
	<SuppressBySeverity>0</SuppressBySeverity>
	<Description>This rule is matched if InTrust services have not written any events to the log during the past hour.</Description>
	<GenerateAlert>1</GenerateAlert>
	<AlertInitialState>0</AlertInitialState>
	<Name>One-hour gap in events in InTrust log</Name>
	<Guid>{E408E12E-539C-4871-9D03-73493FF07495}</Guid>
	<MatchCondition>01000000900000003C003F0078006D006C002000760065007200730069006F006E003D00220031002E00300022003F003E000D000A003C00720075006C006500200074007900700065003D002200520045004C0022002000760065007200730069006F006E003D00220031002E00300022003E000D000A003C0061007200670075006D0065006E00740073003E000D000A003C002F0061007200670075006D0065006E00740073003E000D000A003C0062006F00640079003E000D000A006D0069007300730069006E006700280074007200750065002C0020002200300020002A0020002A0020002A0020002A0022002C002000220031003A0030003000220029003B000D000A003C002F0062006F00640079003E000D000A003C002F00720075006C0065003E00</MatchCondition>
	<AlertSeverity>48</AlertSeverity>
	<Enabled>1</Enabled>
	<SuppressByAlertCode>0</SuppressByAlertCode>
	<Schedule>FFFFFF00FFFFFF00FFFFFF00FFFFFF00FFFFFF00FFFFFF00FFFFFF00</Schedule>
	<VendorKnowledgeBase></VendorKnowledgeBase>
	<ConditionType>{E00EE0F1-B3DF-4122-89B4-738EF5EC1C52}</ConditionType>
	<SuppressByName>0</SuppressByName>
	<AlertSuppression>0</AlertSuppression>
	<CustomerKnowledgeBase></CustomerKnowledgeBase>
	<Distribution></Distribution>
	<AlertName>%RuleName% on %HostName%</AlertName>
	<SuppressByRuleID>0</SuppressByRuleID>
	<DoNotSaveEvents>0</DoNotSaveEvents>
	<SuppressByHostName>0</SuppressByHostName>
	<Condition></Condition>
	<AlertComment></AlertComment>
	<FilterCondition></FilterCondition>
	<AlertDescription>There were no new events in the log during the past hour.</AlertDescription>
	<ScheduleEnabled>0</ScheduleEnabled>
	<SuppressBySiteID>0</SuppressBySiteID>
	<AlertAssignment></AlertAssignment>
	<RuleDistribution>0</RuleDistribution>
	<AlertCode>AE_IT_INT_111</AlertCode>
	<NotificationFormats>
		<ITRTNotificationFormat>
			<Guid>{E408E12E-F9F9-4ea3-9F27-8C44C88D9B49}</Guid>
			<ComposerTemplate>01000000F834885B1C14B949960CC37CE508B1D02200000049006E005400720075007300740020002500530065007600650072006900740079002500200061006C0065007200740020002D00200025004E0061006D00650025002E00050000007500740066002D003800E600000025004400650073006300720069007000740069006F006E0025000D000A000D000A0041006C0065007200740020007700610073002000670065006E0065007200610074006500640020006F006E00200063006F006D00700075007400650072002000250041006C006500720074002E0048006F00730074004E0061006D00650025002E000D000A0041006C0065007200740020007700610073002000670065006E006500720061007400650064002000610074002000250041006C006500720074002E00540069006D006500470065006E006500720061007400650064004C006F00630061006C00250020002800250041006C006500720074002E00540069006D006500470065006E006500720061007400650064002500200047004D00540029002E000D000A000D000A0046006F00720020006D006F0072006500200069006E0066006F0072006D006100740069006F006E002C00200066006F006C006C006F0077002000740068006900730020006C0069006E006B003A00200025006F007200670070006100720061006D003A005700450042004D004F004E00490054004F005200550052004C002500250061006C006500720074002E0061006C006500720074006900640025002E00</ComposerTemplate>
			<ComposerId>{C40DBB2E-DF56-43AC-8392-EFB2D0DDCC5A}</ComposerId>
			<Enabled>1</Enabled>
			<NotificationType>{E01E93C2-938C-4BBD-88D9-0FD3B0E631E4}</NotificationType>
		</ITRTNotificationFormat>
	</NotificationFormats>
	<DataSources>
		<ITRTRuleDataSource>
			<Guid>{E408E12E-8E29-4b0f-AAF1-3A175020090B}</Guid>
			<DataSourceId>{E408E12E-A35B-4700-83D1-76C19DD49F3A}</DataSourceId>
		</ITRTRuleDataSource>
	</DataSources>
</ITRTProcessingRule>

Example Rule for gaps in the Change Auditor for AD log:


One-hour gap in events in Change Auditor for ADAM log.xml
<?xml version="1.0" encoding="utf-8" ?>

<!--
==============================================================================

Copyright 2018 Quest Software Inc. ALL RIGHTS RESERVED.

$Workfile: One-hour gap in events in Change Auditor for ADAM log.xml $
$Revision: 0 $
$Modtime: 11/29/2018 1:35:27 AM $

==============================================================================
THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND,
EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE IMPLIED
WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A PARTICULAR PURPOSE.
==============================================================================
-->

<ITRTProcessingRule original_parent="\Configuration\Objects\{F81E88B8-5629-4698-AEB7-38731A4B1520}\RuleGroups\{CE5E7578-2EC4-4381-A344-B1367C9C9D73}\ChildGroups\{CE5E7578-A670-4D04-8A63-F0388F1B95A9}\Rules">
	<LimitEventsCount>10</LimitEventsCount>
	<SuppressBySeverity>0</SuppressBySeverity>
	<Description>This rule is matched if the Change Auditor for ADAM service has not written any events to the log during the past hour.</Description>
	<GenerateAlert>1</GenerateAlert>
	<AlertInitialState>0</AlertInitialState>
	<Name>One-hour gap in events in Change Auditor for ADAM log</Name>
	<Guid>{CE5E7578-539C-4871-9D03-73493FF07495}</Guid>
	<MatchCondition>01000000900000003C003F0078006D006C002000760065007200730069006F006E003D00220031002E00300022003F003E000D000A003C00720075006C006500200074007900700065003D002200520045004C0022002000760065007200730069006F006E003D00220031002E00300022003E000D000A003C0061007200670075006D0065006E00740073003E000D000A003C002F0061007200670075006D0065006E00740073003E000D000A003C0062006F00640079003E000D000A006D0069007300730069006E006700280074007200750065002C0020002200300020002A0020002A0020002A0020002A0022002C002000220031003A0030003000220029003B000D000A003C002F0062006F00640079003E000D000A003C002F00720075006C0065003E00</MatchCondition>
	<AlertSeverity>48</AlertSeverity>
	<Enabled>1</Enabled>
	<SuppressByAlertCode>0</SuppressByAlertCode>
	<Schedule>FFFFFF00FFFFFF00FFFFFF00FFFFFF00FFFFFF00FFFFFF00FFFFFF00</Schedule>
	<VendorKnowledgeBase></VendorKnowledgeBase>
	<ConditionType>{E00EE0F1-B3DF-4122-89B4-738EF5EC1C52}</ConditionType>
	<SuppressByName>0</SuppressByName>
	<AlertSuppression>0</AlertSuppression>
	<CustomerKnowledgeBase></CustomerKnowledgeBase>
	<Distribution></Distribution>
	<AlertName>%RuleName% on %HostName%</AlertName>
	<SuppressByRuleID>0</SuppressByRuleID>
	<DoNotSaveEvents>0</DoNotSaveEvents>
	<SuppressByHostName>0</SuppressByHostName>
	<Condition></Condition>
	<AlertComment></AlertComment>
	<FilterCondition></FilterCondition>
	<AlertDescription>There were no new events in the log during the past hour.</AlertDescription>
	<ScheduleEnabled>0</ScheduleEnabled>
	<SuppressBySiteID>0</SuppressBySiteID>
	<AlertAssignment></AlertAssignment>
	<RuleDistribution>0</RuleDistribution>
	<AlertCode>AE_AD_ADM_014</AlertCode>
	<NotificationFormats>
		<ITRTNotificationFormat>
			<Guid>{CE5E7578-F9F9-4ea3-9F27-8C44C88D9B49}</Guid>
			<ComposerTemplate>01000000F834885B1C14B949960CC37CE508B1D02200000049006E005400720075007300740020002500530065007600650072006900740079002500200061006C0065007200740020002D00200025004E0061006D00650025002E00050000007500740066002D003800E600000025004400650073006300720069007000740069006F006E0025000D000A000D000A0041006C0065007200740020007700610073002000670065006E0065007200610074006500640020006F006E00200063006F006D00700075007400650072002000250041006C006500720074002E0048006F00730074004E0061006D00650025002E000D000A0041006C0065007200740020007700610073002000670065006E006500720061007400650064002000610074002000250041006C006500720074002E00540069006D006500470065006E006500720061007400650064004C006F00630061006C00250020002800250041006C006500720074002E00540069006D006500470065006E006500720061007400650064002500200047004D00540029002E000D000A000D000A0046006F00720020006D006F0072006500200069006E0066006F0072006D006100740069006F006E002C00200066006F006C006C006F0077002000740068006900730020006C0069006E006B003A00200025006F007200670070006100720061006D003A005700450042004D004F004E00490054004F005200550052004C002500250061006C006500720074002E0061006C006500720074006900640025002E00</ComposerTemplate>
			<ComposerId>{C40DBB2E-DF56-43AC-8392-EFB2D0DDCC5A}</ComposerId>
			<Enabled>1</Enabled>
			<NotificationType>{E01E93C2-938C-4BBD-88D9-0FD3B0E631E4}</NotificationType>
		</ITRTNotificationFormat>
	</NotificationFormats>
	<DataSources>
		<ITRTRuleDataSource>
			<Guid>{CE5E7578-8E29-4b0f-AAF1-3A175020090B}</Guid>
			<DataSourceId>{CE5E7578-BC1D-4D97-85E6-C2482AD2214C}</DataSourceId>
		</ITRTRuleDataSource>
	</DataSources>
</ITRTProcessingRule>
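The MatchCondition value in the rules above is not readable as stored, so here is an added Python decoder that recovers the REL rule from it (example code, not Quest's; the hex value is copied from the Change Auditor for ADAM rule on this page). The layout it assumes, a 4-byte little-endian header of 1 followed by a 4-byte little-endian length in UTF-16 code units and then the UTF-16LE text, is inferred from the values on this page rather than taken from Quest documentation.

```python
import re
import struct

# MatchCondition value copied verbatim from the "One-hour gap in events in Change Auditor for ADAM log" rule above.
MATCH_CONDITION_HEX = "01000000900000003C003F0078006D006C002000760065007200730069006F006E003D00220031002E00300022003F003E000D000A003C00720075006C006500200074007900700065003D002200520045004C0022002000760065007200730069006F006E003D00220031002E00300022003E000D000A003C0061007200670075006D0065006E00740073003E000D000A003C002F0061007200670075006D0065006E00740073003E000D000A003C0062006F00640079003E000D000A006D0069007300730069006E006700280074007200750065002C0020002200300020002A0020002A0020002A0020002A0022002C002000220031003A0030003000220029003B000D000A003C002F0062006F00640079003E000D000A003C002F00720075006C0065003E00"


def decode_intrust_string(hex_blob: str) -> str:
    """Decode a length-prefixed UTF-16LE string as stored in the rule XML.

    Assumed layout (inferred from this page, not from Quest documentation):
      bytes 0-3  little-endian header, always 1 in the values seen here
      bytes 4-7  little-endian length of the text in UTF-16 code units
      bytes 8-   the text itself, UTF-16LE
    """
    raw = bytes.fromhex(hex_blob)
    header, length = struct.unpack_from("<II", raw, 0)
    if header != 1:
        raise ValueError(f"unexpected header value {header}")
    payload = raw[8:8 + 2 * length]
    if len(payload) != 2 * length:
        raise ValueError("payload shorter than the declared length")
    return payload.decode("utf-16-le")


def rel_body(rule_xml: str) -> str:
    """Extract the statement(s) between <body> and </body> of a decoded REL rule."""
    m = re.search(r"<body>\s*(.*?)\s*</body>", rule_xml, re.S)
    if not m:
        raise ValueError("no <body> element in REL rule")
    return m.group(1)


if __name__ == "__main__":
    rule = decode_intrust_string(MATCH_CONDITION_HEX)
    print(rule)
    print("REL body:", rel_body(rule))
```

Reviewing a rule this way before importing it is a cheap control: the decoded body shows exactly which condition, schedule and interval a third-party rule file will evaluate on your InTrust server, independent of what its Name and Description claim.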

© 2025 Quest Software Inc. ALL RIGHTS RESERVED.