[Xymon] XymonPSClient and Security eventlog

Dominique Frise Dominique.Frise at unil.ch
Thu Feb 25 16:23:16 CET 2016


Brilliant Zak!

Thank you very much for this speedy and valuable answer.


Dominique - UNIL?

________________________________
De : zak.beck at accenture.com <zak.beck at accenture.com>
Envoyé : jeudi 25 février 2016 15:34
À : Dominique Frise; xymon at xymon.com
Objet : RE: XymonPSClient and Security eventlog

Hi Dominique

This is the event log 'Level' filter.

The client uses the Windows event log filtering capabilities built into Windows. You can try these out yourself in Event Viewer by navigating to the Security log and selecting Filter Current Log....

You will see when doing this that despite selecting the security log, for level the window only offers you Critical, Warning, Verbose, Error or Information and not Audit Failure / Success. You should find that playing with the options, on the Security log, only "Information" actually returns anything.

Looking at the columns for Security log, you should see that the first column changes from Level to Keywords, and that Audit Failure/Success are actually keywords and not a level.

Unfortunately for these reasons it appears there is no way to filter on Audit Failure, unless you can configure an alert with a regex to look specifically for some text in the message that relates to the failure or the event id.

<images dropped>

Zak

From: Xymon [mailto:xymon-bounces at xymon.com] On Behalf Of Dominique Frise
Sent: 25 February 2016 11:00
To: xymon at xymon.com
Subject: [Xymon] XymonPSClient and Security eventlog


?Hi,



Question regarding alerting on Security event_log.



Extract from xymonclient.ps1:


      # default logs - may be overridden by config
    $wantedlogs = "Application", "System", "Security"
    $wantedLevels = @('Critical', 'Warning', 'Error', 'Information', 'Verbose')
    $maxpayloadlength = 1024
    $payload = ''



When problems occurr, "Warning", "Critical or "Error" are reported in Application and System event_log,

but in the Security event_log "Audit Failure" will be reported.

We don't see how this condition is handled.



Did we missed something ?



Thanks,

Dominique Frise - UNIL
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.xymon.com/pipermail/xymon/attachments/20160225/0591135e/attachment.html>


More information about the Xymon mailing list