I can’t seem to find a rule to configure this with the built-in logwatch plugin; this is for all errors/warnings, not for when a specific event ID occurs.
I found multiple topics on this forum, but most have no answers or don’t seem to ask the same question that I have.
I’m also not so experienced with the Windows System Log, but as far as I understand the agent configuration, you have to send everything to the monitoring server, forward logwatch to the Event Console with the help of the rule “Logwatch Event Console Forwarding”, and then do the filtering in the Event Console. Finally, the alerting on the host is controlled with the rule “Check event state in Event Console”.
```yaml
logfile:
    # - 'EventLogName': <crit|warn|all|off> + [context|nocontext]
    # - 'Application': crit context # example
    # - 'System': warn nocontext # another example
    # - 'YourOwn': all nocontext # yet another example
    # - '*': warn nocontext # default for every event log not listed above
```
So I guess the entry for the logfile section would be “Security: all context”.
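To see what the `logfile` entries above actually select before the events ever reach the Event Console, here is a small model of those rules. This is an added example, not code from the thread or from Checkmk: it parses entries in the template's `- 'Name': <crit|warn|all|off> [context|nocontext]` form, applies the exact-name-beats-`'*'` lookup, and maps a Windows event level to the logwatch state character. The semantics it assumes (crit = errors only, warn = warnings and errors, all = everything, off = nothing, context = below-threshold events kept as `.` context lines, nocontext as the default when omitted) are my reading of the option names, not something the page confirms, and the sample configuration, including the `'Security': all context` line suggested above, is constructed here.

```python
"""Model of the Checkmk Windows agent 'logfile' rule semantics (added example).

The level-to-state mapping and the context behaviour are ASSUMPTIONS made
for illustration; check_mk.yml and the agent's own code are authoritative.
"""
import re

# Constructed sample: the template entries uncommented, plus the Security line.
SAMPLE_CONFIG = """
logfile:
    # - 'EventLogName': <crit|warn|all|off> + [context|nocontext]
    - 'Application': crit context # example
    - 'System': warn nocontext # another example
    - 'YourOwn': all nocontext # yet another example
    - 'Security': all context # what the thread suggests
    - '*': warn nocontext # default for every event log not listed above
"""

ENTRY_RE = re.compile(
    r"^-\s*'([^']+)'\s*:\s*(crit|warn|all|off)(?:\s+(context|nocontext))?\s*(?:#.*)?$"
)

# Severity ordering used for the threshold rules (assumption).
LEVELS = {"information": 0, "warning": 1, "error": 2}
THRESHOLD = {"crit": 2, "warn": 1, "all": 0}
STATE_CHAR = {2: "C", 1: "W", 0: "O"}


def parse_logfile_rules(text):
    """Return {event_log_name: (mode, context_flag)} from a logfile: block."""
    rules = {}
    for raw in text.splitlines():
        line = raw.strip()
        # Skip blanks, the 'logfile:' key and commented-out template lines.
        if not line or line.startswith("#") or line == "logfile:":
            continue
        m = ENTRY_RE.match(line)
        if not m:
            raise ValueError("unrecognised logfile entry: %r" % raw)
        name, mode, ctx = m.groups()
        rules[name] = (mode, ctx or "nocontext")  # default flag: assumption
    return rules


def rule_for(rules, log_name):
    """Exact event log name wins; otherwise the '*' catch-all; otherwise off."""
    return rules.get(log_name, rules.get("*", ("off", "nocontext")))


def forwarded_state(rules, log_name, level):
    """'C'/'W'/'O' if the event is forwarded, '.' if sent as a context line,
    None if the agent would drop it under the assumed semantics."""
    mode, ctx = rule_for(rules, log_name)
    if mode == "off":
        return None
    sev = LEVELS[level]
    if sev >= THRESHOLD[mode]:
        return STATE_CHAR[sev]
    return "." if ctx == "context" else None


def summarize(rules, log_names):
    """Per event log, which levels are forwarded as monitored states."""
    out = {}
    for log in log_names:
        out[log] = [lvl for lvl in LEVELS
                    if forwarded_state(rules, log, lvl) in ("C", "W", "O")]
    return out


if __name__ == "__main__":
    rules = parse_logfile_rules(SAMPLE_CONFIG)
    for log, levels in summarize(rules, ["Application", "System", "Security", "Setup"]).items():
        print("%-12s forwards: %s" % (log, ", ".join(levels) or "nothing"))
```

Under these assumptions the Security log forwards every level as a monitored line (`all`), so the "errors and warnings only" cut has to happen in the Event Console rules, which matches the forwarding approach described in the answer; a log not listed at all, such as Setup, falls back to the `'*'` entry.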