RSA Admin

Windows Event Logs Alerts

Discussion created by RSA Admin Employee on Jul 7, 2010
Latest reply on Jul 24, 2010 by RSA Admin

I'm trying to parse down the amount of data in an alert message for a windows event log. Is there any way of just parsing this


Security_632_Security
<@fld61:*PARMVAL(event_user)><@utcstamp:*UTC($MSG,'%B %D %N:%U:%O %W',datetime)><@groupid:*PARMVAL(user_id)><@username:*PARMVAL(group)><@category:Account_Management> <@event_user:*RMQ(event_user)><event_log>,<linenum>,<day> <datetime>,<event_id>,<event_source>,<event_user>,<event_type>,<event_computer>,<category>,<data>,<event_description>: <space> Member Name: <misc_name> Member ID: <misc_id> Target Account Name: <group> Target Domain: <domain> Target Account ID: <user_id> Caller User Name: <c_user_name> Caller Domain: <c_domain> Caller Logon ID <c_logon_id> Privileges: <privileges>


down to just a few of the variables? The alert goes out to an on-call phone and dealing with the wall of text is painful.
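One way to get the pager text down to a handful of fields, as an added example that is not from the original post and is not RSA enVision's own message-definition engine: take the message template quoted above, turn every <field> token into a named regex group, parse the event line, and format only the fields an on-call responder needs (who added whom to which group, on which host). The sample event line is constructed (made-up host, names and SIDs, flattened onto one line the way the template lays it out); the regex compilation and the one-line alert format are assumptions of this example, not how enVision evaluates the template. It matches on the literal labels ("Member Name:", "Target Account Name:", ...) rather than splitting on commas, so a distinguished name with commas in it survives, and it falls back to the raw line when the format does not fit rather than paging nothing.

```python
"""Trim an enVision-style Windows event 632 alert down to a few fields.

Added example: this is not code from the original post and not RSA
enVision's own parser. It takes the message template quoted in the post,
turns every <field> token into a named capture group, parses a
constructed sample event line, and renders a short pager message from
the handful of fields that matter for a group-membership change.
"""
import re

# Message body template from the post, with the <@...> directives dropped.
TEMPLATE_632 = (
    "<event_log>,<linenum>,<day> <datetime>,<event_id>,<event_source>,"
    "<event_user>,<event_type>,<event_computer>,<category>,<data>,"
    "<event_description>: <space> Member Name: <misc_name> Member ID: <misc_id> "
    "Target Account Name: <group> Target Domain: <domain> "
    "Target Account ID: <user_id> Caller User Name: <c_user_name> "
    "Caller Domain: <c_domain> Caller Logon ID <c_logon_id> "
    "Privileges: <privileges>"
)

# Constructed sample line in the shape the template describes (not a real
# event record); host, names and SIDs are made up. The DN in Member Name
# contains commas, so a naive split(",") would shred it.
SAMPLE_LINE = (
    "Security,1032,Wed Jul 07 14:03:22 2010,632,Security,CORP\\jdoe,"
    "Audit Success,DC01,Account Management,None,"
    "Security Enabled Global Group Member Added:  "
    "Member Name: CN=Bob Smith,OU=Staff,DC=corp,DC=local "
    "Member ID: %{S-1-5-21-1004336348-1177238915-682003330-1108} "
    "Target Account Name: Domain Admins Target Domain: CORP "
    "Target Account ID: %{S-1-5-21-1004336348-1177238915-682003330-512} "
    "Caller User Name: jdoe Caller Domain: CORP "
    "Caller Logon ID (0x0,0x3E7) Privileges: -"
)

TOKEN = re.compile(r"<([A-Za-z_]\w*)>")


def _literal(text):
    """Escape literal template text; any run of whitespace becomes \\s+."""
    chunks = text.split()
    if not chunks:
        return r"\s+" if text else ""
    out = r"\s+".join(re.escape(c) for c in chunks)
    if text[0].isspace():
        out = r"\s+" + out
    if text[-1].isspace():
        out += r"\s+"
    return out


def template_to_regex(template):
    """Compile a <field> template into an anchored regex with named groups.

    Each <field> becomes a lazy named group, so it stops at the next
    literal label instead of swallowing the rest of the line.
    """
    parts, pos = [], 0
    for m in TOKEN.finditer(template):
        parts.append(_literal(template[pos:m.start()]))
        parts.append("(?P<%s>.*?)" % m.group(1))
        pos = m.end()
    parts.append(_literal(template[pos:]))
    return re.compile("^" + "".join(parts) + "$", re.DOTALL)


RE_632 = template_to_regex(TEMPLATE_632)


def parse_event(line, regex=RE_632):
    """Return the named fields as a dict, or None if the line does not fit."""
    m = regex.match(line)
    return m.groupdict() if m else None


def compact_alert(line, regex=RE_632):
    """One-line page: who added whom to which group, on which host.

    Falls back to the raw line when parsing fails, so a format change on
    the collector degrades to the old wall of text instead of silence.
    """
    f = parse_event(line, regex)
    if f is None:
        return "UNPARSED " + line
    return ("{event_id} {event_description} on {event_computer} {datetime}: "
            "{c_domain}\\{c_user_name} added {misc_name} to {domain}\\{group}"
            ).format(**f)


if __name__ == "__main__":
    print(compact_alert(SAMPLE_LINE))
```

Point the same template_to_regex at any other message definition and change the format string in compact_alert to pick the fields you want paged; keep the "UNPARSED" fallback so a collector-side format change is noticed rather than silently dropping alerts.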
