Windows Rule Syntax for Event Log Monitoring
Rules Format: alert_level;event_log_type;event_source/event_type;threshold_number;comment_or_description
Field: alert_level
  Example values: red | yellow
  Notes: The level of alert that will be generated if the number of matching event log entries falls outside the specified parameters.

Field: event_log_type
  Example values: system | security | application
  Notes: The Windows Event Log type.

Field: [event_source]/[event_type]
  Example values:
    "/error"      match on all errors
    "perl/"       match on all perl events
    "perl/error"  match on perl errors
  Notes: Either event_source or event_type is required.

Field: threshold_number
  Example value: 1
  Notes: If the number of matches in the Event Log reaches or passes this number, the specified alert_level will be generated.

Field: comment_or_description
  Example value: System Log XYZ errors
  Notes: Optional comment or description that will appear if this alert is triggered.
Note: Once rules have been updated, [INODE=#][PREV_MATCHES=#] is appended to the rule. Leave it in place: these values are what stop PureSecure from notifying you more than once about the same matches.
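As an added illustration (not PureSecure's own code), the following parses rules in the format described above, strips the [INODE=#][PREV_MATCHES=#] bookkeeping from the comment field, and evaluates a rule against a constructed list of event log entries using the "reaches or passes" threshold semantics. The event tuple shape (log_type, source, event_type) is an assumption made for the example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

ALERT_LEVELS = {"red", "yellow"}
LOG_TYPES = {"system", "security", "application"}
STATE_RE = re.compile(r"\[INODE=\d+\]\[PREV_MATCHES=\d+\]")


@dataclass
class Rule:
    alert_level: str
    log_type: str
    source: str      # empty string means "any source" (e.g. "/error")
    event_type: str  # empty string means "any event type" (e.g. "perl/")
    threshold: int
    comment: str


def parse_rule(line: str) -> Rule:
    """Parse alert_level;event_log_type;source/type;threshold;comment."""
    parts = line.strip().split(";", 4)
    if len(parts) < 4:
        raise ValueError(f"rule needs at least 4 fields: {line!r}")
    level, log_type, match, threshold = parts[:4]
    comment = parts[4] if len(parts) == 5 else ""
    # The INODE/PREV_MATCHES marker is monitor state, not part of the rule text.
    comment = STATE_RE.sub("", comment).strip()
    if level not in ALERT_LEVELS:
        raise ValueError(f"alert_level must be red or yellow: {level!r}")
    if log_type not in LOG_TYPES:
        raise ValueError(f"unknown event_log_type: {log_type!r}")
    source, sep, event_type = match.partition("/")
    if not sep or (not source and not event_type):
        raise ValueError("either event_source or event_type is required")
    return Rule(level, log_type, source.lower(), event_type.lower(),
                int(threshold), comment)


def evaluate(rule: Rule, events: List[Tuple[str, str, str]]) -> Optional[str]:
    """Return the alert level if matches reach or pass the threshold, else None."""
    matches = sum(
        1 for log, src, etype in events
        if log == rule.log_type
        and (not rule.source or src.lower() == rule.source)
        and (not rule.event_type or etype.lower() == rule.event_type)
    )
    return rule.alert_level if matches >= rule.threshold else None


# Constructed sample events (log_type, source, event_type); not real log data.
SAMPLE_EVENTS = [
    ("system", "Perl", "error"),
    ("system", "Perl", "warning"),
    ("system", "Disk", "error"),
    ("application", "Perl", "error"),
]
```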