Event Log profiles
NAVIGATION Administration > Configuration > Profiles > New Profile > Event Log (Monitoring) profile type
NAVIGATION Administration > Configuration > Policies
SECURITY Administrator
An Event Log profile (the Event Log type of Monitoring profile) lets you monitor Windows event logs on managed devices and raise notifications when events matching a filter are written.
For a comprehensive overview of how profiles and policies work in VSA 10, refer to Policies overview.
Profile configuration settings
In Event Log Settings, you can enable event log notifications, disable them, or defer to the agent's own settings. The section also lists every event log filter that has been added to the profile.
You can add event log filters to the profile using Add Filter or Import Filter. You can also export any of the configured filters by clicking Export Filter.
By clicking Add Filter, the Add Filter dialog box opens, where you will configure the following sections:
In the Event Logs section, you must select at least one event log to monitor.
By default, the Application, Security, and System Windows logs are available in Edit Event Logs.
If you need to monitor anything outside of those logs, you can add them to the event logs list using the Import Event Logs feature.
In Import Event Logs, select a device you want to import event logs from, select the event logs you want to import, and then click Import.
Once the event log is imported, it will be automatically selected for the filter and added to the Edit Event Logs view for any future event log monitor filters you create.
The Configuration section is where you will set further filter criteria to narrow down which events in the selected event logs will trigger a notification and what priority that notification is.
Criteria | Description
---|---
Contains Keywords | Enter one or more words or phrases, separated by commas. At least one of them must appear in the body of the event message for the event to match. EXAMPLE: unexpected shutdown, error
Does Not Contain Keywords | Enter one or more words or phrases, separated by commas. An event whose message contains any of them is excluded. EXAMPLE: successful, finished
Event IDs | Enter one or more event codes, separated by commas. EXAMPLE: 1, 56, 431. An event code is shown as Event ID in Windows Event Viewer. The monitor raises a notification when any of the listed event codes is detected in the selected event logs.
Sources | Enter an event source name, which is the name of the software component that writes the event. It is shown as Source in Windows Event Viewer. EXAMPLE: Service Control Manager
Notification Priority | Select the priority of the notification that will be raised.
Allow Repeating Notifications | Select this check box to allow a new notification to be generated for an event even if an active notification already exists for that event.
Clicking Import Filter will prompt you to locate a .pcmevt file. These are export files created when you export an event log filter from VSA 10. These files can be imported into any Event Log profile in your VSA 10 account.
Clicking Export Filter will prompt you to select any or all event log filters in the profile to export as .pcmevt files, which you can retain in case you want to import them into other profiles.
Tracking failed user logins is a common staple of event log monitoring, and can be a useful part of a security monitoring policy.
When creating or editing an Event Log profile, click Add Filter and configure it as follows:
- Event Logs: Security
- Level: Audit Failed
- Event IDs: 4625
Set the notification priority as needed.
NOTE If you don't see these events in Event Viewer, you might have to Enable Logon Auditing. Once it is enabled, lock your computer and attempt to unlock it with a wrong password, then unlock it normally and check the Security log for a 4625 event. Keep in mind that each wrong attempt counts toward any account lockout threshold that is in force.
Tracking user lockouts is another common staple of event log monitoring, and lets you see when user accounts may need to be unlocked or when an account is being brute-forced.
When creating or editing an Event Log profile, click Add Filter and configure it as follows:
- Event Logs: Security
- Level: Audit Success
- Event IDs: 4740
Set the notification priority as needed.
NOTE Event 4740 (A user account was locked out) is recorded as an Audit Success event, so a filter set to Audit Failed will never match it. It is produced by the Account Management > Audit User Account Management subcategory, not by Audit Logon, so enable success auditing for that subcategory if you don't see these events. For domain accounts the event is written to the Security log of the domain controller that processed the lockout, so the profile needs to be applied to your domain controllers rather than only to workstations.
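The filter criteria in the table above, and the two example filters for failed logins (4625) and lockouts (4740), can be checked on a device before the profile is assigned. The following PowerShell function is an added example and is not VSA 10 or Kaseya code: it reproduces a filter's criteria with Get-WinEvent so you can see what events the filter would match. It assumes an elevated session (the Security log requires administrator rights to read) and that "Does Not Contain Keywords" excludes an event if any listed phrase appears in its message.

```powershell
# Added example (not VSA 10 or Kaseya code): reproduce an Event Log filter's criteria
# locally with Get-WinEvent to check what the filter will match before assigning the profile.
# Run in an elevated PowerShell session. Assumption: "Does Not Contain Keywords" excludes
# an event if any of the listed phrases appears in its message.

function Test-EventLogFilter {
    param(
        [Parameter(Mandatory)] [string[]] $EventLogs,   # profile "Event Logs", e.g. 'Security'
        [int[]]    $EventIds,                           # profile "Event IDs", e.g. 4625, 4740
        [string[]] $Sources,                            # profile "Sources" (Event Viewer "Source")
        [string[]] $ContainsKeywords,                   # at least one phrase must appear
        [string[]] $DoesNotContainKeywords,             # no listed phrase may appear
        [ValidateSet('Audit Success', 'Audit Failed', 'Any')]
        [string]   $Level = 'Any',                      # profile "Level" for the Security log
        [int]      $MaxEvents = 500
    )

    # Log, ID, provider and audit keyword are evaluated by the event log service itself.
    $filter = @{ LogName = $EventLogs }
    if ($EventIds) { $filter.Id = $EventIds }
    if ($Sources)  { $filter.ProviderName = $Sources }
    switch ($Level) {
        'Audit Success' { $filter.Keywords = [long][System.Diagnostics.Eventing.Reader.StandardEventKeywords]::AuditSuccess }
        'Audit Failed'  { $filter.Keywords = [long][System.Diagnostics.Eventing.Reader.StandardEventKeywords]::AuditFailure }
    }

    $events = Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue

    foreach ($e in $events) {
        $msg = [string]$e.Message
        # Keyword criteria are plain text, so use a case-insensitive substring test, not a pattern.
        $hasAny = { param($list) @($list | Where-Object { $msg.IndexOf($_, [StringComparison]::OrdinalIgnoreCase) -ge 0 }).Count -gt 0 }
        if ($ContainsKeywords       -and -not (& $hasAny $ContainsKeywords))       { continue }
        if ($DoesNotContainKeywords -and      (& $hasAny $DoesNotContainKeywords)) { continue }

        [pscustomobject]@{
            TimeCreated = $e.TimeCreated
            Log         = $e.LogName
            Id          = $e.Id
            Source      = $e.ProviderName
            Message     = ($msg -split "`r?`n")[0]   # first line only, for a readable table
        }
    }
}

# The page's failed-login filter: Security log, Level Audit Failed, Event ID 4625.
Test-EventLogFilter -EventLogs Security -Level 'Audit Failed' -EventIds 4625 |
    Format-Table -AutoSize

# The page's lockout filter. 4740 is recorded as an Audit Success event, so filter on that level.
Test-EventLogFilter -EventLogs Security -Level 'Audit Success' -EventIds 4740 |
    Format-Table -AutoSize

# A keyword filter on the System log, in the spirit of the table's "Contains Keywords" example.
Test-EventLogFilter -EventLogs System -Sources 'Service Control Manager' `
    -ContainsKeywords 'unexpected', 'error' -DoesNotContainKeywords 'successful' |
    Format-Table -AutoSize
```

If the 4625 query returns nothing after you have deliberately failed a logon, the audit policy is the usual cause; if the 4740 query returns nothing on a workstation for a domain account, that is expected, because the event lives on the domain controller.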
Enable Logon Auditing
NOTE The Group Policy Editor is not available in Home editions of Windows 7 or in the standard (non-Pro) edition of Windows 8.
On the device on which you want to monitor failed logins, open the Local Group Policy Editor: from the Start menu, type gpedit.msc and press Enter.
In the Group Policy Editor, go to Computer Configuration > Windows Settings > Security Settings > Advanced Audit Policy Configuration > System Audit Policies - Local Group Policy Object > Logon/Logoff.
Double-click the Audit Logon subcategory (or right-click it and choose Properties), check Configure the following audit events, check Failure (and Success if you also want successful logons recorded), and click OK to save. The setting takes effect at the next policy refresh; run gpupdate /force to apply it immediately. On a domain-joined device, a domain Group Policy Object that configures the same subcategory overrides the local setting.
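The same audit policy can be set and verified from an elevated PowerShell session without opening gpedit, which is useful for scripting across many devices and for confirming that the policy is actually in effect. The script below is an added example, not part of the page or of Kaseya's tooling; it uses only the built-in auditpol.exe and Get-WinEvent, and it assumes you are willing to log one deliberately failed logon for the current account.

```powershell
# Added example (not from the page or Kaseya): set the audit subcategories that 4625 and 4740
# depend on, confirm the effective policy, then generate and inspect a test 4625 event.
# Run in an elevated PowerShell session. On a domain-joined device, a domain GPO that
# configures these subcategories overrides what is set here.

# 1. 4625 comes from Logon/Logoff > Audit Logon (failure);
#    4740 comes from Account Management > Audit User Account Management (success).
auditpol.exe /set /subcategory:"Logon" /failure:enable
auditpol.exe /set /subcategory:"User Account Management" /success:enable

# 2. Show the effective policy for both categories. This reflects what is really applied,
#    including any domain GPO, which is what gpedit shows only after a policy refresh.
auditpol.exe /get /category:"Logon/Logoff","Account Management"

# 3. Generate a failed logon for the current account with a deliberately wrong password.
#    Caveat: this counts as one bad attempt toward any account lockout threshold.
$user = "$env:USERDOMAIN\$env:USERNAME"
$bad  = ConvertTo-SecureString 'not-the-real-password' -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential ($user, $bad)
try   { Start-Process -FilePath cmd.exe -ArgumentList '/c exit' -Credential $cred -ErrorAction Stop }
catch { Write-Host "Logon rejected as expected: $($_.Exception.Message)" }

# 4. Find the resulting 4625 and decode the fields an analyst cares about.
#    4625 property indexes: 5 = TargetUserName, 7 = Status, 9 = SubStatus, 10 = LogonType.
#    SubStatus 0xC000006A means wrong password; 0xC0000064 means the user name does not exist.
Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4625
    StartTime = (Get-Date).AddMinutes(-5)
} -MaxEvents 5 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated,
        @{ n = 'Account';   e = { $_.Properties[5].Value } },
        @{ n = 'Status';    e = { '0x{0:X8}' -f $_.Properties[7].Value } },
        @{ n = 'SubStatus'; e = { '0x{0:X8}' -f $_.Properties[9].Value } },
        @{ n = 'LogonType'; e = { $_.Properties[10].Value } }
```

If step 4 shows the event, the VSA 10 filter for 4625 will fire on this device; if auditpol reports "No Auditing" for Logon after step 1, a domain GPO is managing the policy and the change must be made there instead.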
How to...
To create an Event Log profile, complete the following steps:
- From the left navigation menu in VSA 10, navigate to Configuration > Profiles.
- The Profiles page will load. At the top of the page, click New Profile.
- The Create New Profile page will load.
- In the Name section, enter a name for the profile.
- Optionally, enter information about the profile in the Description section.
- In the Profile Type section, select Event Log underneath Monitoring.
- Optionally, assign relevant tags in the Content Tag section.
- Click Next.
- Customize the profile to your needs. Reference the Profile configuration settings section, if needed.
- When you've finished customizing the profile, click Create.
Next, you'll need to create a policy that defines the devices to which you'd like to automatically apply your configuration. Complete the following steps:
- Navigate to Configuration > Policies. Create a new policy or edit an existing policy.
- Click Assign Profile.
- Locate the profile you'd like to use. Select it by clicking the radio button next to its name.
- Click Assign.
- VSA 10 will begin enforcing the selected profile immediately. You can view it in effect at Configuration > Policies.