Authoring rules for Windows 2008 events, and how to cheat


Comments

  • Anonymous
    February 09, 2011
    Kevin, what are you using to pull the logs together? I am trying to pull the log files from about 40 servers on a frequent basis to a centralised server. I have heard that logparser cannot access Windows 2008 64 bit server. Any help is appreciated. This needs to be an automated background type process.

  • Anonymous
    April 13, 2011
    Hi Gavin, I do this kind of stuff w/ logparser. I use a scheduled script that exports the event data to a file (.evt) and then I use logparser to upload the content of the exported file to a database directly. This works fine, even for Windows 2008 64 bit server. I now have issues with the operation of Task Scheduler (Windows 2008 64 bit server) itself. If I run the task, either manually or scheduled, my script is not launched at all (although the history log states that it does). When I run the script manually, everything is just fine. Very annoying...

  • Anonymous
    February 15, 2012
    @Ervin. Have you fixed the issue with Task Scheduler not running on Windows 2008 64bit? I think it's not working because the "Start in (optional)" info within "Edit Actions" is missing. I know it says it is optional, but it should say mandatory instead. If you provide the folder name where you are running the script from without the quotes, it will work. I hope this info helps.

  • Anonymous
    March 21, 2013
    Hello Kevin, I am trying to set the Event Source as "Microsoft-Windows-Security-Auditing" along with the event ID and event level; however, something is wrong with it, as the server for which I set up the Audit Logon Failure rule is not alerting on the SCOM server. FYI, I cannot bypass the Event Source for the Windows 2008 server, as it is a mandatory field I need to include in the expression. I just wanted to know the exact event source for the Audit Logon Failure event ID 4625. Your help would be highly appreciated.

  • Anonymous
    June 30, 2014
    Hello Kevin,

    I am asking a simple question, I know... but please humor me. When I am configuring the rule (Search for rule -> open properties -> Configuration tab -> Edit the Data Source) and on the "Expression" tab where I am able to insert the Parameter Name, Operator, and Value, I would like to know what Parameter Name and Operator to tie the "$Data/EventData/DataItem/EventData/Data[@Name='TargetUserName']$" Value to. I am looking for changes to the "Domain Admins, Enterprise Admins, and Schema Admins" groups and want to see what I can tie event IDs 4728 and 4729 to.

    I am seeing alerts in the console for all security groups and want to narrow it down to just the specific Admin groups, and am currently unsuccessful.
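The filter the comment above is trying to build (4728/4729 from Microsoft-Windows-Security-Auditing, restricted to the three admin groups via `Data[@Name='TargetUserName']`) is shown here as an added example in Python, not code from the blog post or from SCOM: it applies the same three clauses to constructed event XML in the standard Windows event schema, so the logic can be checked before it is typed into a rule expression.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
PROVIDER = "Microsoft-Windows-Security-Auditing"
WATCHED_IDS = {4728: "added to", 4729: "removed from"}
WATCHED_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins"}

# Constructed sample events (not real log data). Only the first should alert:
# the second 4728 targets the wrong group, the 4624 is the wrong event ID.
SAMPLE_EVENTS = """<Events>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System><Provider Name="Microsoft-Windows-Security-Auditing"/><EventID>4728</EventID></System>
 <EventData><Data Name="MemberName">CN=jdoe,OU=Users,DC=corp,DC=local</Data>
  <Data Name="TargetUserName">Domain Admins</Data><Data Name="SubjectUserName">ops1</Data></EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System><Provider Name="Microsoft-Windows-Security-Auditing"/><EventID>4728</EventID></System>
 <EventData><Data Name="MemberName">CN=asmith,OU=Users,DC=corp,DC=local</Data>
  <Data Name="TargetUserName">Helpdesk</Data><Data Name="SubjectUserName">ops1</Data></EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System><Provider Name="Microsoft-Windows-Security-Auditing"/><EventID>4624</EventID></System>
 <EventData><Data Name="TargetUserName">Domain Admins</Data></EventData>
</Event>
</Events>"""


def event_field(event, name):
    """Return EventData/Data[@Name=name], the node the SCOM XPath in the comment selects."""
    node = event.find(f"e:EventData/e:Data[@Name='{name}']", NS)
    return node.text if node is not None else None


def privileged_group_changes(xml_text, groups=WATCHED_GROUPS):
    """Return (event_id, group, member, actor) for 4728/4729 events on watched groups."""
    hits = []
    for event in ET.fromstring(xml_text).findall("e:Event", NS):
        provider = event.find("e:System/e:Provider", NS).get("Name")
        event_id = int(event.findtext("e:System/e:EventID", namespaces=NS))
        group = event_field(event, "TargetUserName")
        # The three clauses a rule expression would carry: provider, event ID, group name.
        if provider != PROVIDER or event_id not in WATCHED_IDS or group not in groups:
            continue
        hits.append((event_id, group, event_field(event, "MemberName"),
                     event_field(event, "SubjectUserName")))
    return hits


if __name__ == "__main__":
    for event_id, group, member, actor in privileged_group_changes(SAMPLE_EVENTS):
        print(f"{event_id}: {member} {WATCHED_IDS[event_id]} '{group}' by {actor}")
```

To run it over real data, export the Security log to XML (for example with wevtutil) and pass the file contents in place of SAMPLE_EVENTS.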

  • Anonymous
    December 03, 2015
    TYPO: 528 instead of 529 FAILURE Event

    The event in question – has changed from EventID 528 on Server 2000/2003 – to EventID 4625 on Server 2008:

    528->4624
    529->4625