Event Log Filter / Random

[wpatterson]

Hello,

I've setup the event log filter on a few hosts on my network to log bad logon events.

It works sometimes which is weird .. it seems to be completely random when I do and don't receive the alerts and notifications.

Sometimes they go through just fine, other times I can try to enter a bad password 10 times (to test) and receive nothing.

Under event log filter here is what I have:

Event Logs: Security

Level: Audit Failure

Event IDs: 4625, 529, 530, 531, 532, 533, 534, 535, 536, 537

Notification Priority: Elevated

Any ideas?

thanks!

[wpatterson]

I've verified the event log entries are identical (between the times android pc monitor shows me and doesnt)

[Marius]

The notification will be fired if there is no other notification from the same event filter. This is to prevent getting too many notifications from the same event filter.

Please make sure you delete the previous notification and test again.

[wpatterson]

That makes perfect sense .. thank you!

[JamesP]

Is there any way to control this at all ?  

I'm looking at setting up a filtered event notification to see if nightly backups have completed OK / not (i.e. I want a success notification as well as just a failure notification)

I can see that not being swamped by events is a good idea - but as I understand it that means if I haven't cleared last nights successful backup event I won't get tonights.  Ideally I'd like to be able to set the interval (e.g. don't send the same event within an hour or 12 hours if not cleared etc)

I can see you might want to limit how short an interval this can be set to - maybe an hour minimum ?

Is this possible at all ?

Thanks

[Marius]

We're adding repeating notifications support for event log filters in the next release (3.4.1) - it will be available for subscribers and enterprise users.

As well, we're adding support for Applications and Services event log sources in the event log filter.