When we write rules and monitors to look at events in the event log…. typically the most common criteria are Event ID and Source. We also have a list of other common event properties to choose from:
However, this list doesn’t always work. For instance – if we add someone to a Global Group in AD…. this might create an Event ID 632 in the security event log on a DC – but possibly we only want to alert on this when the group being modified is “Domain Admins”. Somewhere in that event description is the text “Domain Admins”.
So – the BEST solution…. is to figure out “which parameter” the Domain Admins falls into. To figure out which parameter is which value isn’t always simple. Here is a resource for security events:
Windows 2000 Security Event Descriptions (Part 1 of 2) and Windows 2000 Security Event Descriptions (Part 2 of 2)
What we can see here is that for event ID 632 – the value of “Domain Admins” will be placed as “Target Account Name” which from the links above… is Parameter 3. Therefore – we could make our rule look like so:
Now…. this works great…. but what if we don’t *know* which parameter is which value? See below for some cool tools on finding event parameters.
One option is to use something like “anywhere in the event description, contains specific text”. The problem is – we don’t let you pick “Event Description” in the most common event fields… for GOOD reason.
Before we continue – let me STRESS that using event parameters is the correct way to match on specific lines in an event description wherever possible. If we try to search the entire event description, there is a substantial cost to doing this… from an agent design/performance perspective…. as matching on a parameter is the lowest impact. If you match on an event description – this description is localized text and won’t work in all locales. By writing a rule that matches on event description…. if you didn’t specify several other criteria… there is a risk that every single event description would be searched, across all agents. Very bad. So keep this in mind…. if you decide to use this.
Ok – warnings aside: Here is how you can use that:
Instead of using a common field, or a parameter – type in a “Parameter name not specified above”. At some point, we should document what all is available here.
Your new rule should look like this:
Now…. back to the “right” way to do this…. using event parameters.
Here is an example event that I want to match on:
Event Type: Success Audit
Event Source: Security
Event Category: Account Management
Event ID: 636
Date: 6/9/2008
Time: 7:46:34 AM
User: OPSMGR\kevinhol
Computer: OMTERM
Description:
Security Enabled Local Group Member Added:
Member Name: –
Member ID: OPSMGR\test
Target Account Name: Administrators
Target Domain: Builtin
Target Account ID: BUILTIN\Administrators
Caller User Name: kevinhol
Caller Domain: OPSMGR
Caller Logon ID: (0x0,0x16C2B850)
Privileges: –
Here is an example command line using LogParser:
C:\Program Files\Log Parser 2.2>Logparser.exe "select top 1 Strings AS Parameters FROM security where EventID=636"
Here is the output:
Parameters
—————————————————————————————————————————
-|%{S-1-5-21-203549945-3836543268-730333451-1622}|Administrators|Builtin|%{S-1-5-32-544}|kevinhol|OPSMGR|(0x0,0x16C2B850)|-
We can gather a few things from this. Parameters will be delimited by a “|” symbol. The first parameter in this example is “-”. We can also gather that this tool does not resolve GUIDs properly, by looking at the second parameter, which is actually the “Member ID” value of “OPSMGR\test”, a domain user account. Lastly – the 3rd parameter, which is what I am looking to match on, is “Administrators”.
Even if the tool does not resolve GUIDs, that is of little concern; the point of using the tool is to determine which value lands in which parameter in the first place.
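To make the parameter numbering concrete, here is an added Python example (not code from the original post, LogParser or OpsMgr) that splits the pipe-delimited Strings value LogParser printed above into Parameter 1, 2, 3…, names each one using the field order of the 636 description, and evaluates a rule of the form “Event ID + Source + Parameter 3 equals a value” instead of searching the description. The first sample row is the post’s own output; the second row (a 632 “Domain Admins” change) and its SIDs are constructed placeholders, and the layout list assumes 632 and 636 share the field order shown in the 636 description.

```python
"""Added example, not part of the original post or of LogParser/OpsMgr:
split the pipe-delimited 'Strings' column LogParser returns for a
Security event into numbered parameters (as the OpsMgr rule UI addresses
them), name them from the event description's field order, and match a
rule on Event ID + Source + one parameter instead of the whole text."""

# Field order for the group-membership events discussed above. Taken from
# the 636 description in the post, where 'Target Account Name' is the 3rd
# line and hence Parameter 3; assumed (not verified here) to apply to 632.
GROUP_MEMBER_ADDED_LAYOUT = [
    "Member Name", "Member ID", "Target Account Name", "Target Domain",
    "Target Account ID", "Caller User Name", "Caller Domain",
    "Caller Logon ID", "Privileges",
]

# Sample rows: the first 'Strings' value is the post's own LogParser output
# for event 636; the second is a constructed 632 row with placeholder SIDs.
SAMPLE_ROWS = [
    {"EventID": 636, "Source": "Security", "Strings":
     "-|%{S-1-5-21-203549945-3836543268-730333451-1622}|Administrators|Builtin"
     "|%{S-1-5-32-544}|kevinhol|OPSMGR|(0x0,0x16C2B850)|-"},
    {"EventID": 632, "Source": "Security", "Strings":          # constructed
     "-|%{S-1-5-21-0-0-0-1234}|Domain Admins|OPSMGR"
     "|%{S-1-5-21-0-0-0-512}|kevinhol|OPSMGR|(0x0,0x16C2B850)|-"},
]


def split_parameters(strings):
    """LogParser joins the event's replacement strings with '|'. Unresolved
    SIDs stay as '%{S-1-5-...}' placeholders; only positions matter here."""
    return strings.split("|")


def parameter(strings, number):
    """Return Parameter <number>, 1-based like the OpsMgr rule UI."""
    params = split_parameters(strings)
    if not 1 <= number <= len(params):
        raise IndexError(f"event has only {len(params)} parameters")
    return params[number - 1]


def parameter_number(field_name, layout=GROUP_MEMBER_ADDED_LAYOUT):
    """Map a description field name (e.g. 'Target Account Name') to the
    parameter number a rule should use."""
    return layout.index(field_name) + 1


def name_parameters(strings, layout=GROUP_MEMBER_ADDED_LAYOUT):
    """Pair each parameter with its field name, for eyeballing a new event."""
    return dict(zip(layout, split_parameters(strings)))


def rule_matches(row, event_id, source, param_number, expected):
    """OpsMgr-style criteria: Event ID and Source narrow the candidates
    first, then a single parameter is compared exactly. No description
    text search, so locale and agent cost are not a concern."""
    return (row["EventID"] == event_id and row["Source"] == source
            and parameter(row["Strings"], param_number) == expected)


if __name__ == "__main__":
    n = parameter_number("Target Account Name")  # 3
    for row in SAMPLE_ROWS:
        target = name_parameters(row["Strings"])["Target Account Name"]
        hit = rule_matches(row, 632, "Security", n, "Domain Admins")
        print(row["EventID"], target, "ALERT" if hit else "ignore")
```

The same replacement strings are what PowerShell exposes as the `ReplacementStrings` array of `Get-EventLog` (and the `Properties` collection of `Get-WinEvent`), so the split above corresponds to indexing that array with a zero-based offset one lower than the OpsMgr parameter number.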
Using LogParser with an exported EVT file:
I want to add another example…. let’s say you have an exported log in EVT format – and want to search that log in LogParser:
Logparser.exe -i:EVT "select top 1 Strings AS Parameters FROM 'C:\Temp\exportedlog.evt' where EventID=2115"
This will parse a saved EVT export of any log that was copied to C:\Temp.
NOTE on Server 2008:
I got notified recently that LogParser threw an error when trying to find event parameters in the Security event log on Windows 2008 Server. As usual – this was caused by UAC getting in the way. Make sure you right click the LogParser shortcut and run “As an Administrator” in order to make this work – otherwise it will throw a syntax error about Strings and TEXTLINE. If you run this “As an Administrator” it worked just fine on 2008 server…. even on the x64 version.
Morning,
So, what would I do in a case like this, where I need to capture the info that is part of the description, based on this URL I was reading, along with yours:
https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/a-platforms-admin-guide-to-setting-up-event-rules-monitors-in/bc-p/3681203#M4896
I collapsed the System view portion and was left with this portion:
–
Relying party trust….and it goes on with the remainder of the info I need, then.
Following that URL’s info, I would select Parameter1 for the field under the EventID field in the monitor I created.
Thank you so much, as always.
I should have been clearer. It left me with this portion:
–
–
–
Relying party trust ‘Bentley IMS’ MSIS8051: Signing certificate with thumbprint ‘EF63E7AF6626ADFBCBC4E38111DD41F5EB4D7C17’ expired on 11/20/2022 6:59:59 PM. Relying party trust ‘ZScaler’ MSIS8051: Signing certificate with thumbprint ‘885FF93FD6FFB769DA4841BF1609A9FF568BA225’ expired on 11/16/2022 7:00:00 AM.
How would you suppress alerts from a rule based on system events’ repeating event descriptions? For example, I have an SMTP server logging failures for various customer domains, and it logs this every time it retries to send the email. We only need to be notified of the alert one time, or only 1 alert per day, to let us know that a config change is necessary for xyz customer.
Hi Ethan
With some alert rules you can configure alert suppression.
Click on the alert in an active or closed alerts view.
Then within the “Alert Details” pane (the lower pane) click on the name of the “Alert Rule” (which is a clickable hyperlink). (Be sure it’s an alert rule, not an alert monitor.)
In the alert rule properties window, go to the next tab, “Configuration”.
In the lower textbox that says “Responses:”, click on the “View” button on the right (not on the blue hyperlink above it).
If a box opens, you’ll see two buttons below the textbox, the second one saying “Alert suppression”.
Click on that one.
You can suppress the alerts based on having the same:
EventDescription, ID, event source, event level, etc.
When suppressed, the rule only alerts the first time when it’s ‘new’ and accumulates repeat counts for every time an event matches the suppression parameters you’ve selected.
(“New” being resolution state “0”)
The rule will only alert again (for this specific instance and its matching suppression parameters) when the alert is “closed” manually. (resolution state “0”)
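The suppression behaviour described in the reply above, modelled as an added Python example (not code from the original thread or from OpsMgr): events are keyed on the chosen suppression fields, the first event for a key raises a new alert, later matching events only bump its repeat count, and the same key raises again only after the alert has been closed. The SMTP failure events, their source name and ID 9999 are constructed to mimic the retry case in the question.

```python
"""Added example, not part of the original thread or of OpsMgr: a model of
alert suppression keyed on selected event fields, with repeat counts and
re-alerting only after the alert is closed."""

from dataclasses import dataclass


@dataclass
class Alert:
    key: tuple
    first_event: dict
    repeat_count: int = 1
    closed: bool = False   # 'New' (OpsMgr resolution state 0) until closed


class AlertSuppressor:
    def __init__(self, suppression_fields):
        # e.g. ("EventDescription", "EventID", "EventSource"), as picked in
        # the rule's Alert suppression dialog
        self.fields = tuple(suppression_fields)
        self.open_alerts = {}   # key -> Alert that is still open

    def suppression_key(self, event):
        return tuple(event.get(f) for f in self.fields)

    def process(self, event):
        """Return the new Alert when one is raised, or None when the event
        was folded into an existing open alert (repeat count incremented)."""
        key = self.suppression_key(event)
        existing = self.open_alerts.get(key)
        if existing is not None:
            existing.repeat_count += 1
            return None
        alert = Alert(key=key, first_event=event)
        self.open_alerts[key] = alert
        return alert

    def close(self, alert):
        """Closing the alert is what lets the same key alert again."""
        alert.closed = True
        self.open_alerts.pop(alert.key, None)


# Constructed sample events: one SMTP delivery failure logged on every
# retry, plus a failure for a different customer domain.
SAMPLE_EVENTS = [
    {"EventID": 9999, "EventSource": "SampleSMTP", "Time": "08:00",
     "EventDescription": "Delivery to example-customer.test failed"},
    {"EventID": 9999, "EventSource": "SampleSMTP", "Time": "08:15",
     "EventDescription": "Delivery to example-customer.test failed"},
    {"EventID": 9999, "EventSource": "SampleSMTP", "Time": "08:30",
     "EventDescription": "Delivery to example-customer.test failed"},
    {"EventID": 9999, "EventSource": "SampleSMTP", "Time": "08:31",
     "EventDescription": "Delivery to other-customer.test failed"},
]


def run_sample(fields=("EventDescription", "EventID", "EventSource")):
    """Feed the sample events through a fresh suppressor and return it with
    the list of alerts that were actually raised."""
    suppressor = AlertSuppressor(fields)
    raised = [a for a in (suppressor.process(e) for e in SAMPLE_EVENTS)
              if a is not None]
    return suppressor, raised


if __name__ == "__main__":
    s, raised = run_sample()
    for a in raised:
        print(a.first_event["EventDescription"], "repeat count:", a.repeat_count)
    s.close(raised[0])
    print("after close, same failure alerts again:",
          s.process(SAMPLE_EVENTS[0]) is not None)
```

One caveat the model makes visible: if a field that changes on every retry (a timestamp, a message ID) is included in the suppression criteria, no two events share a key and nothing is suppressed; pick only the fields that are identical across the repeats you want collapsed.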
Hey Kevin – so how would we find this for other events? Is there some type of tool or script that we can feed a certain event into and get out which line is considered to be which parameter?