6 Replies Latest reply on Jan 9, 2020 3:16 PM by Steve Gibbs

    Check Windows Event OR not finding windows events

    Jesse Louderback

      I'm not quite sure what I'm doing wrong honestly.  I was trying to get a specific event ID and it's not working.  So I backed up a bit and picked a known good event as a proof of concept.  The event ID 4624 was chosen as the proof of concept, knowing it's all over systems as the "Successful logon".  Everything I'm trying just gets me the OR as executed, as if nothing is found.  I understand it's supposed to exit as failed per the instructions when an event is found.

      I've gone further out and expanded it to scan everything thinking I selected the wrong selection.  Same result "executed" no events get reported.

      Am I missing something?

      I'm not wanting to collect logon info just using this event ID as it is common enough to know I should be getting a hit on found events.

      Below is my OR I'm attempting to use.

        • 1. Re: Check Windows Event OR not finding windows events
          Steve Gibbs

          Jesse,

          It is clearly stated that the first time the rule is run that it will not "Fail" in the description.

          "This step checks for a specified string in the Windows event log files. If an event matching the string is found, the step returns an error and an alert can be sent. The first time this step is executed, no alert is generated."

          Please test again, this time set it to run on a schedule, for testing, use every ten minutes and then log off test device and log in again to use your event ID '4624'.  This will then look for the NEW events vs. past events.

          You can subscribe to this Alert based on your preferences or have a ticket automatically created if this event ID is found. (Be careful with this and only look for those IDs that occur infrequently and when attention is required.)

          Or look in the Alert and Event Log:

          You may wish to be more specific and replace the wild card, '*', with specific text/string per Op Rule, Event ID, so the Alert may be more comprehensive.

          Be aware that the default Op Rule only checks the following logs:

          Application, Security, Setup, and System

          Keep us posted!

          Steve

          • 2. Re: Check Windows Event OR not finding windows events
            Jesse Louderback

            Steve,

              Thank you, I didn't think about trying to get it to run on a set schedule to get past the initial "executed".  I did read the initial was going to look for events on the first run but thought a re-assignment would count as a second run.

            So I assigned it on login as you recommended.  I'm now seeing the rule as running but it's still not finding event id 4624. 

            Below is a screenshot of all the alerts and events for the test system we are trying this on.

            Is there possibly a setting that has to be set that maybe we missed during setup?  I can verify through direct access of the system I see the events correctly.

            • 3. Re: Check Windows Event OR not finding windows events
              Steve Gibbs

              Let me run a few tests using the same EVENT ID as you.  Make sure you are running as system vs. check the box in the properties of the device assigned to "Run as Current User".

              I will respond later today or in the morning with my results.

              • 4. Re: Check Windows Event OR not finding windows events
                Steve Gibbs

                I just finished testing and it worked without issue:

                My Op Rule Log:

                My Alerts:

                Question: Are you logging into a device locally or trying via RDP?  I did my test using Remote Control and logging in as if I was sitting at the device.

                • 5. Re: Check Windows Event OR not finding windows events
                  Jesse Louderback

                  Steve,

                  Actually, I finally got it semi-working, then discovered another issue.  Mine only appears to be scanning the Application log, which explains why my Security event check isn't finding anything.  As soon as I put in an Application event ID I started getting hits.  What made me realize it is that your OR log shows it scanning the other event logs.  Mine's just doing Application; not sure why, as I had ALL selected.

                  I'll have to play with it some more but you got me on the right track as a proof of concept.
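The two behaviours that tripped this thread up are the step's "first run only records a baseline, later runs alert on new events" semantics (Steve's reply 1) and the fact that a check which only reads the Application log will never see a Security event such as 4624 (reply 5). The PowerShell script below is an added illustration of both points and is not code from this thread or from the product's Op Rule step; it reproduces the same logic with Get-WinEvent, so you can confirm on a test device which log a given event ID actually lands in. The state-file location, the list of logs and the exit-code convention are assumptions made for the example.

```powershell
# Added example (not from the thread or the product): a scheduled check that
# mirrors the Op Rule step's documented behaviour. Run it with an account that
# can read the Security log (SYSTEM or an elevated admin), otherwise 4624 will
# be silently invisible, which looks exactly like "no events found".

param(
    [int]$EventId = 4624,                                                  # "Successful logon", as used in the thread
    [string[]]$LogNames = @('Application', 'Security', 'Setup', 'System'), # the four logs the default step reads
    [string]$StateFile = "$env:ProgramData\EventCheck\last-run-$EventId.txt" # hypothetical watermark location
)

# First run: record a baseline timestamp and do NOT alert.
# This is the documented "no alert is generated the first time" behaviour.
if (-not (Test-Path -Path $StateFile)) {
    New-Item -ItemType Directory -Path (Split-Path -Path $StateFile) -Force | Out-Null
    (Get-Date).ToString('o') | Set-Content -Path $StateFile
    Write-Output "Baseline recorded; no alert on first run. Log off/on and run again."
    exit 0
}

$since = [datetime]::Parse((Get-Content -Path $StateFile -Raw).Trim())
$hits  = @()

foreach ($log in $LogNames) {
    try {
        # -ErrorAction Stop turns "no events were found" into a catchable exception
        # instead of a red error line, so each log is handled independently.
        $events = Get-WinEvent -FilterHashtable @{ LogName = $log; Id = $EventId; StartTime = $since } -ErrorAction Stop
        $hits  += $events | Select-Object TimeCreated, LogName, Id, MachineName
    }
    catch {
        # Either no matching events in this log, or the log is not readable with the
        # current rights (typical for Security when running as the logged-on user).
        Write-Verbose "No new event $EventId in '$log' since $since ($($_.Exception.Message))"
    }
}

# Advance the watermark so the next run only reports events newer than this one.
(Get-Date).ToString('o') | Set-Content -Path $StateFile

if ($hits.Count -gt 0) {
    # Showing LogName per hit is the quick way to see that 4624 comes from Security,
    # not Application, which is why an Application-only scan never matches it.
    $hits | Format-Table -AutoSize | Out-String | Write-Output
    # Non-zero exit = "event found", the same convention the step uses ("returns an error").
    exit 1
}

Write-Output "No new $EventId events in $($LogNames -join ', ') since $since."
exit 0
```

Schedule it every ten minutes as Steve suggests, log off and on between two runs, and the second run should list the 4624 entries with LogName = Security. If the Security rows never appear while Application events for other IDs do, check the account the job runs under before suspecting the filter.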

                  • 6. Re: Check Windows Event OR not finding windows events
                    Steve Gibbs

                    If you are satisfied with this post please mark it as answered so others won't consider responding.  If not, just let us know what else you may want.  By the way, there are better ways to capture logins than going through the event ID step. You can test out the "Main Device User" step.