Windows Event Log Rules and Filters by luckboy


Activeworx Security Center (ASC) can pick up Windows Event Log entries in near real-time from many servers across an enterprise, and can also monitor events coming from many other assets such as firewalls, IDSes, and Syslog- or SNMP-enabled network devices, all from a single console. Based on the format of the logs being retrieved, ASC uses a set of rules to determine whether an event it sees is of interest and should be logged to an ASC database, or whether it is simply ignored and dropped.

Once you have created an Asset within ASC, for example a Windows application server on your network that you would like to monitor, you may want to add or remove rules based on exactly what information you want ASC to gather and make available. By default, ASC 3.0 includes 112 rules that directly match all the Windows Security Events. This means that with the default rule configuration for Windows servers, ASC will only retrieve those events that go into the Security section of the Windows Event Log. If an organization wants to monitor a different Windows Event Log, such as the Application, System, Directory Services, or DNS event logs, then a new rule must be created to match the information you would like ASC to retrieve. As an example, we will add a rule that retrieves the entire Application Log from a Windows server.

Step 1 - Add Rule
Open the ASC Desktop application, click Resources > Rules > Windows, then right-click and choose Add Rule. The Add Rule dialog appears; configure the following settings:

Step 2 - Configure Event Details
After you configure the basic rule settings, switch to the Event Details tab and select the type of Windows Event Log you would like to monitor as well as the Event Type. If you leave an asterisk in every column, ASC will retrieve the entire event log; however, if you have a specific network application that logs to the Windows Application Log, or you are trying to retrieve only very specific events, this rule can easily be narrowed using the following parameters:

Step 3 - Define Assets
On the next page you will see that we have defined this new rule to be added to three of our five Windows servers (a.k.a. Assets). This means we will be retrieving the entire Windows Application Log from these three servers and only the Windows Security Log from the other two.

The Windows Rules dialog will display the new rule once you click OK, as shown below:

Step 4 - Verify Asset
In this step, go back up to Objects > Assets and double-click one of the Windows servers you selected in your new rule to verify that the rule has been added. In the Rules tab of the Asset Properties, the new rule should be listed as True and Log, as shown below:

Step 5 - Done: Let's View Events
Once these steps have been taken, the new Application Log events from this group of servers should start appearing in the console view of the Event Framework database. NOTE: It is rarely necessary to view ALL events from any of the Windows Event Logs; however, with this new flexibility you can enable or disable specific rules in each individual asset, and also step down in Resources to Filter Rules and create filters based on what you do not want to see and what is truly of interest. It is recommended that rules be created for specific events, not entire event logs.
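The selection the Event Details tab performs (log name, event type, source, event ID, with an asterisk meaning "match everything in this column") can be checked from the servers themselves before a rule is rolled out, which is a quick way to see how much an "entire log" rule would actually pull in versus a rule for specific events. The following PowerShell is an added example for that purpose; it is not ASC's own code or part of the original page. The function name `Get-SelectedWinEvents`, the server names `APP01`, `APP02`, `APP03` and the narrowed source/ID in the second call are assumptions chosen for illustration.

```powershell
# Added example (not part of the original page or of ASC): the log/type/source/ID
# selection that the Event Details tab performs, expressed as a Get-WinEvent filter.
# The asterisk convention follows the page: '*' means "match everything in this column".
function Get-SelectedWinEvents {
    param(
        [string[]]$ComputerName = @('localhost'),   # the "assets" to read from (assumed names)
        [string]$LogName = 'Application',           # Windows log to pull from
        [string]$Level = '*',                       # 1=Critical 2=Error 3=Warning 4=Information, or '*'
        [string]$ProviderName = '*',                # event source, or '*'
        [string]$EventId = '*',                     # single event ID, or '*'
        [int]$MaxEvents = 50                        # cap so an "entire log" query stays readable
    )

    # Build the filter only from columns that are not wildcards, so '*' everywhere
    # retrieves the whole log, exactly as the page describes for the unrestricted rule.
    $filter = @{ LogName = $LogName }
    if ($Level -ne '*')        { $filter.Level        = [int]$Level }
    if ($ProviderName -ne '*') { $filter.ProviderName = $ProviderName }
    if ($EventId -ne '*')      { $filter.Id           = [int]$EventId }

    foreach ($computer in $ComputerName) {
        try {
            Get-WinEvent -ComputerName $computer -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction Stop |
                Select-Object @{ n = 'Computer'; e = { $computer } },
                              TimeCreated, Id, LevelDisplayName, ProviderName,
                              @{ n = 'Message'; e = { ($_.Message -split "`n")[0] } }   # first line only
        }
        catch {
            # Get-WinEvent throws when no events match or the host is unreachable;
            # report it per server instead of aborting the whole loop.
            Write-Warning "$computer ($LogName): $($_.Exception.Message)"
        }
    }
}

# Whole Application log from three servers (the page's "asterisk in every column" case).
# Server names are assumed for the example.
Get-SelectedWinEvents -ComputerName 'APP01', 'APP02', 'APP03' -LogName 'Application'

# Narrowed to one severity, one source and one event ID, as the page recommends
# over entire logs (source name and ID here are illustrative placeholders).
Get-SelectedWinEvents -LogName 'Application' -Level 2 -ProviderName 'Application Error' -EventId 1000
```

Running the first call on a busy server makes the page's closing note concrete: the output is dominated by routine informational entries, which is why a rule per specific event (the second call) is the better default. Remote reads need the Windows Event Log service reachable over RPC and an account with read rights on the target log.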
