2011-10-18
11:48 AM
Rule to alert when a Windows server is not generating Security logs
One of our servers has an issue each week... it stops generating/logging messages to the Security log. It keeps generating Application logs, and they're collected, so the collector doesn't know there's a problem, and doesn't generate any 400029 messages.
Does anyone have a rule written to alert when Windows Security logs aren't received?
Sorry if this seems too easy for this board. I'd create the rule myself, but I really don't have an hour to spare right now.
1 Reply
2011-10-25
09:11 AM
I do not have a specific rule for this prepared, but I imagine it could be created fairly easily and in a similar fashion to:
- Multithread on the Device IP
- Observe for when a Security log comes in (use the event_source variable for this and filter for "Security")
- Decide on the delay time
- Observe for an absence of any more Security Log events after the specified delay time (use the "No events within X" threshold)
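One way to implement the absence check the reply above describes, as an added Python example that is not from the original thread or from any particular SIEM product: it keeps, per device, the last time any event arrived and the last time a Security-channel event arrived, and flags devices that are still sending other channels but have produced no Security events within the delay. A device that has gone completely silent is deliberately left to the collector's existing "no events from device" alert. The sample events, host names and the 30-minute delay are constructed for the example.

```python
from datetime import datetime, timedelta

# Constructed sample feed (not from the original thread): one collector's view of
# two hosts. SRV-A keeps sending Application events but its Security channel goes
# quiet after 10:00; SRV-B keeps sending both channels. Events are deliberately
# not in timestamp order, as a real collector feed may not be.
SAMPLE_EVENTS = [
    ("2011-10-18T10:00:00", "SRV-A", "Security", 4624),
    ("2011-10-18T10:05:00", "SRV-A", "Application", 1000),
    ("2011-10-18T10:02:00", "SRV-B", "Security", 4634),
    ("2011-10-18T10:20:00", "SRV-A", "Application", 1000),
    ("2011-10-18T10:30:00", "SRV-B", "Security", 4624),
    ("2011-10-18T10:40:00", "SRV-A", "Application", 1001),
    ("2011-10-18T10:45:00", "SRV-B", "Application", 1000),
]


def parse_ts(s):
    return datetime.fromisoformat(s)


class SecurityLogWatchdog:
    """Per-device tracker: last event of any kind and last Security-channel event.

    `delay` is the "No events within X" threshold from the reply: a device whose
    most recent Security event is older than this, while other channels are still
    arriving, is reported.
    """

    def __init__(self, delay):
        self.delay = delay
        self.last_any = {}       # host -> newest timestamp of any event
        self.last_security = {}  # host -> newest timestamp of a Security event

    def observe(self, ts, host, event_source):
        # max() keeps the newest timestamp even if events arrive out of order.
        self.last_any[host] = max(self.last_any.get(host, ts), ts)
        if event_source == "Security":
            self.last_security[host] = max(self.last_security.get(host, ts), ts)

    def silent_hosts(self, now):
        """Hosts still sending *something* but with no Security event within `delay`."""
        alerts = []
        for host, last_any in self.last_any.items():
            if now - last_any > self.delay:
                # Whole device is quiet: that is the collector's own silent-device
                # alert, not a Security-channel problem, so skip it here.
                continue
            last_sec = self.last_security.get(host)
            if last_sec is None or now - last_sec > self.delay:
                alerts.append(host)
        return sorted(alerts)


def evaluate(events, now_str, delay_minutes=30):
    """Replay a batch of (timestamp, host, event_source, event_id) tuples and
    return the hosts that should raise the 'Security log stopped' alert at `now`."""
    watchdog = SecurityLogWatchdog(timedelta(minutes=delay_minutes))
    for ts, host, source, _event_id in events:
        watchdog.observe(parse_ts(ts), host, source)
    return watchdog.silent_hosts(parse_ts(now_str))


if __name__ == "__main__":
    print("alerts at 10:50:", evaluate(SAMPLE_EVENTS, "2011-10-18T10:50:00"))
```

Evaluated at 10:50 with a 30-minute delay, SRV-A is reported (last Security event at 10:00, Application events still flowing at 10:40) and SRV-B is not. In a real deployment the delay should be longer than the longest normal quiet period of the Security channel on that host, otherwise the rule fires on every idle window.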
