Windows Rule Syntax for Event Log Monitoring
Rules Format: alert_level;event_log_type;event_source/event_type;threshold_number;comment_or_description

| Field | Example Values | Notes |
|---|---|---|
| alert_level | red, yellow | The level of alert generated when the number of matching event log entries falls outside the specified parameters. |
| event_log_type | system, security, application | The Windows Event Log type. |
| [event_source]/[event_type] | "/error" (match all errors); "perl/" (match all perl events); "perl/error" (match perl errors) | Either event_source or event_type is required. |
| threshold_number | 1 | If the number of matches in the Event Log reaches or passes this number, the specified alert_level is generated. |
| comment_or_description | System Log XYZ errors | Optional comment or description that appears when this alert is triggered. |

Note: Once rules have been updated, [INODE=#][PREV_MATCHES=#] appears in the rule. Leave it in place: these values stop PureSecure from notifying you more than once about the same matches.
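As an added illustration (not PureSecure's own code), the following parses rules in the format above, counts matching Event Log entries and fires an alert when a count reaches or passes the threshold. The rules, the sample events and the case-insensitive matching are constructed assumptions; the [INODE=#][PREV_MATCHES=#] tags are parsed out and kept but not interpreted, since their use is internal to PureSecure.

```python
import re

# Constructed rules in the documented format:
# alert_level;event_log_type;event_source/event_type;threshold_number;comment
RULES_TEXT = """
red;system;/error;1;System Log XYZ errors
yellow;application;perl/;3;Perl activity [INODE=42][PREV_MATCHES=1]
red;application;perl/error;1;Perl errors
yellow;security;/failure;5;Repeated audit failures
"""

# Constructed sample Event Log entries as (log_type, source, event_type).
EVENTS = [
    ("system", "disk", "error"),
    ("system", "netlogon", "warning"),
    ("application", "perl", "information"),
    ("application", "Perl", "information"),
    ("application", "perl", "error"),
    ("application", "msiinstaller", "error"),
]

STATE_RE = re.compile(r"\[(INODE|PREV_MATCHES)=(\d+)\]")

def parse_rule(line):
    """Split one rule into fields; the comment is optional and the state tags
    written by PureSecure are kept separately so they survive a rewrite."""
    parts = line.split(";", 4)
    if len(parts) == 4:          # no comment_or_description given
        parts.append("")
    level, log_type, match, threshold, comment = parts
    source, _, event_type = match.partition("/")
    if not source and not event_type:
        raise ValueError("event_source or event_type is required: " + line)
    return {"level": level.lower(), "log_type": log_type.lower(),
            "source": source.lower(),          # "" means any source
            "event_type": event_type.lower(),  # "" means any type
            "threshold": int(threshold),
            "comment": STATE_RE.sub("", comment).strip(),
            "state": {k: int(v) for k, v in STATE_RE.findall(comment)}}

def rule_matches(rule, event):
    log_type, source, event_type = (s.lower() for s in event)
    return (rule["log_type"] == log_type
            and (not rule["source"] or rule["source"] == source)
            and (not rule["event_type"] or rule["event_type"] == event_type))

def evaluate(rules_text, events):
    """Return (level, comment, count) for each rule whose match count
    reaches or passes its threshold_number."""
    alerts = []
    for line in rules_text.strip().splitlines():
        rule = parse_rule(line)
        count = sum(rule_matches(rule, e) for e in events)
        if count >= rule["threshold"]:
            alerts.append((rule["level"], rule["comment"], count))
    return alerts
```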