RSA Admin

Regex and Content field in Alerter

Discussion created by RSA Admin Employee on May 3, 2010
Latest reply on May 6, 2010 by RSA Admin

Hi all, I am a bit new to regex. Can anyone help me find one word in the content field?

The scenario is

We are monitoring the Windows Event logs and I want to get alerted as soon as someone sets the "No Password Expiry" option on users in Active Directory.

I know that the event ID will be 642, so I can just use that, but I want to filter the events for:

 

User Account Control:     'Don't Expire Password' - Enabled

User Account Control:     'Don't Expire Password' - Disabled

 

Previously I was using the Like option in the filtering to find the Disabled OR Enabled field and it was working, but somehow RSA changed something and it's not working.

Can anyone suggest a better way to do that?

Thanks.
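
An added example, not part of the original post and not RSA's code: one way to match the two content lines quoted above, written in Python's `re` syntax. The Alerter's regex dialect may differ (assumption); the sample events, account names, the event ID 999 and the helper names `password_expiry_state` and `flag_changes` are constructed for illustration.

```python
import re

# Anchor on the whole phrase from the post rather than the bare words
# "Enabled"/"Disabled", which can appear elsewhere in an event's content.
# Tolerates variable whitespace and typographic apostrophes.
_Q = "['\u2018\u2019]"
PWD_EXPIRY_FLAG = re.compile(
    r"User Account Control:\s*" + _Q + r"Don" + _Q + r"t Expire Password" + _Q
    + r"\s*-\s*(?P<state>Enabled|Disabled)\b",
    re.IGNORECASE,
)

def password_expiry_state(event_id, content):
    """Return 'Enabled' or 'Disabled' when a 642 event carries the flag line, else None."""
    if int(event_id) != 642:
        return None
    m = PWD_EXPIRY_FLAG.search(content)
    return m.group("state").capitalize() if m else None

def flag_changes(events):
    """Return (index, state) for every event that should raise an alert."""
    hits = []
    for i, (event_id, content) in enumerate(events):
        state = password_expiry_state(event_id, content)
        if state is not None:
            hits.append((i, state))
    return hits

# Constructed sample events (event_id, content); not real log exports.
SAMPLE_EVENTS = [
    (642, "Target Account Name: jdoe "
          "User Account Control:     'Don't Expire Password' - Enabled"),
    (642, "Target Account Name: asmith "
          "User Account Control: \u2018Don\u2019t Expire Password\u2019 -Disabled"),
    # Hypothetical flag name: a bare "Disabled" match would alert on this one.
    (642, "Target Account Name: bkim "
          "User Account Control: 'Some Other Flag' - Disabled"),
    # Constructed event ID: same phrase, but not event 642.
    (999, "User Account Control: 'Don't Expire Password' - Enabled"),
]

if __name__ == "__main__":
    for index, state in flag_changes(SAMPLE_EVENTS):
        print(f"event {index}: Don't Expire Password -> {state}")
```

The third sample shows why a filter on the bare words Enabled or Disabled over-matches, and the fourth shows the event ID check doing its part.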
