Kaseya Community

Security Log Monitoring Event Set Issue

  • I am trying to monitor for users that remotely log into a domain controller. The event I am looking to monitor is Success Audit within the Security log, event ID 4624.

    When I configure the event set to monitor for this it produces too many alerts. I am trying to narrow it to only generate an alert when within the description it says "Logon Type: 10". When I add this constraint within the Description Filter of the event set, it no longer produces any more alerts.

    Does anybody know how I can solve this issue so I can monitor for accounts remoting into monitored servers?

    Thanks

  • Under the description are you putting *Logon Type: 10* with the asterisks?



    spelling
    [edited by: GDRBrian at 3:41 PM (GMT -7) on Aug 25, 2015]
  •  

    I would do what  recommended. Wrap the text you are looking for in asterisks *your text here*.

    This should let you capture your target text and ignore the description text before and after your text.

  • GDRBrian,

    I have used that exact string under the description (*Logon Type: 10*) and no alerts are produced. I tried it with a space after the colon and without it. Neither produce any alerts. I did confirm that the Security events do show up when I remote into the server.

    Chris

  •  

    Try using *10* if this is a unique number in the event log description.

    Perhaps it is not capturing a character in between "Logon Type: and 10" such as a space.

    If this still does not work, provide us with a screenshot of the event set and how it is applied to the machine.

  • I have tried it with spaces and without and it has not worked.

    Here is a screenshot of the event set applied to a system

    Sorry if it is blurry.

    Here is the Event set entry

    And here is the event I am trying to capture.

  • Hey  

    Thank you for providing us with this information.

    The trick with event log alerts is that the characters in a message may appear differently when reviewing it in different interfaces.

    In this case, the screenshot you provided of the event looks much different than what generates in my event viewer.

    Here is what the event looks like reviewing in the event viewer itself on my machine:

    So, I then copied it exactly how it is logged in the event into my event set and wrapped it in asterisks.

    I then tested it and have generated several alerts using this exact event set:

    Here is the event set I built if you would like to compare:

    https://dl.dropboxusercontent.com/u/58075471/4624-%20type10.xml

    Let me know if that works for you.