Problem with filtering windows event log

I am following the examples in https://checkmk.atlassian.net/wiki/spaces/KB/pages/9473844/Monitoring+Windows+security+log+with+the+CMK+Event+Console+rule+logwatch

I created some filters and they are working, but now I want to filter on event ID 1102 and whatever I try, I can't get it working.

It is just a demo setup.

The filter I am using in the ruleset text to match:

.{3} [0-9]+ [0-9:]{8} ..1102 \S+ The audit log was cleared. Subject: Security ID: \S* Account Name: (\S+) Account Domain: \S+ Logon ID: \S+

But no matching seems to happen and it always gets to the unknown event log …

Any idea what i am doing wrong here?

..1102

The first dot is the id of the eventlog category; this might be more than one digit.

.{3} [0-9]+ [0-9:]{8} [0-9]+\.(1102) ([^ ]+) (.*)

Therefore you have the [0-9]+ which matches any number.

Additionally, the Eventlog entry in your example does not have the date that the regex expects and does not look like a Windows event log entry.
The first parts of the regex up to the 8} are only there to match the date string that is the prefix in every Windows event log line.
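The difference between the two patterns, as an added example that is not part of the original thread: both regexes are run with Python's re module over constructed log lines in the "Mon DD HH:MM:SS <category>.<eventid> <source> <message>" layout that the logwatch examples in this thread assume. The sample lines, the category numbers, the source name and the account details in them are made up for illustration, and search semantics (the pattern may match anywhere in the line) is an assumption here, not something taken from the Event Console's documentation.

```python
import re

# Constructed sample lines (not from a real host) in the layout the thread shows.
# The category number in front of the event id can have several digits.
LINE_USB = ("Feb 03 23:27:55 32768.0 hcmon "
            "Detected unrecognized USB driver (\\Driver\\icausbb).")
LINE_1102_LONG_CATEGORY = (
    "Feb 03 23:28:10 32768.1102 Microsoft-Windows-Eventlog "
    "The audit log was cleared. Subject: Security ID: S-1-5-21-1111-2222-3333-500 "
    "Account Name: Administrator Account Domain: DEMO Logon ID: 0x3E7")
LINE_1102_SHORT_CATEGORY = (
    "Feb 03 23:28:11 0.1102 Microsoft-Windows-Eventlog "
    "The audit log was cleared. Subject: Security ID: S-1-5-18 "
    "Account Name: SYSTEM Account Domain: DEMO Logon ID: 0x3E7")
SAMPLE_LINES = [LINE_USB, LINE_1102_LONG_CATEGORY, LINE_1102_SHORT_CATEGORY]

# The pattern from the question: ".." allows exactly two characters between the
# time and "1102", so only a one-digit category id such as "0." can ever match.
ORIGINAL_PATTERN = (
    r".{3} [0-9]+ [0-9:]{8} ..1102 \S+ The audit log was cleared. Subject: "
    r"Security ID: \S* Account Name: (\S+) Account Domain: \S+ Logon ID: \S+")

# The pattern from the reply: "[0-9]+\." accepts a category id of any length,
# and the three groups capture the event id, the source and the message text.
CORRECTED_PATTERN = r".{3} [0-9]+ [0-9:]{8} [0-9]+\.(1102) ([^ ]+) (.*)"


def matching_lines(pattern, lines):
    """Return the lines the pattern matches (search semantics, assumed here)."""
    rx = re.compile(pattern)
    return [line for line in lines if rx.search(line)]


def parse_1102(line):
    """Return (source, account name) for a matching 1102 line, else None.

    The account name is pulled out of the captured message text with a second,
    small regex, so the line prefix can stay as simple as the reply suggests.
    """
    m = re.search(CORRECTED_PATTERN, line)
    if m is None:
        return None
    acct = re.search(r"Account Name: (\S+)", m.group(3))
    return (m.group(2), acct.group(1) if acct else None)


if __name__ == "__main__":
    print("original pattern matches: ", matching_lines(ORIGINAL_PATTERN, SAMPLE_LINES))
    print("corrected pattern matches:", matching_lines(CORRECTED_PATTERN, SAMPLE_LINES))
    for line in SAMPLE_LINES:
        print(parse_1102(line))
```

Running it shows that the original pattern only matches the line whose category id is a single digit, while the corrected pattern matches both 1102 lines and ignores the unrelated hcmon line; if the agent or a rewrite rule changes the prefix of the line, neither pattern matches, which is the situation discussed further down in the thread.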

Hi,

That is the part that I find strange, but I am following the examples and they seem to do it like that.
I used regex101 now, noticed a mistake and adjusted accordingly:
.{3} [0-9]+ [0-9:]{8} ..1102 \S+ The audit log was cleared. Subject: Security ID: \S* Account Name: (\S+) Account Domain: \S+ Logon ID: \S+

Still using the numbers in the front, and it is working, or should I just ignore the examples in the link?

The examples are fine. Are you sure that you don't rewrite the event log message?
I would expect another format.

My event log entries have this format as a message:

Feb 03 23:27:55 32768.0 hcmon Detected unrecognized USB driver (\Driver\icausbb).

I indeed do a rewrite, as mentioned in the examples for the unknown events.

Maybe it is better to turn that completely off.

Yes, that rewrites the logs into a string that does not match; either you delete that or you configure the regex for the target string.
