Event Log Managment

Logs .. Logs and More Logs

Event Triggers

I have been asked this question several times so I thought it would be a good time to answer it via a blog post for everyone to use.

“How can I set the Windows Event Viewer to trigger when a certain event happens?” 

Well if you want to set a trigger for something very simple such as ‘when anyone logs in’ or ‘when an account gets created’ that is very simple.  Just right click on the event in the EventViewer and select “Attach Task to This Event…”, then select if you want Windows to launch a program, send an email or display a message. 

It’s that quick and easy if you want to look for something simple.  Now the question “when anyone logs in” is not quite so easy.  Becuase if you recall from an earlier blog post, there are different types of logins.  So if we just look for logins we will be flooded with triggers because of all the network (type 3) and service (type 5) logins that happen all day everyday. 

 The question that arrises most often is “Can event viewer let me know when someone does a remote desktop to one of my servers?”  The answer to that is no.  Take the following screen shot for example.

Microsoft doesn’t give us the ability to look for anything in the event message body, such as the logon type.   But wait you say, EventViewer can do a trigger that will launch a program or script, we can just do it that way.  Not so fast, the program option doesn’t pass the event to the program or script.  So we are unable to parse the message for our logon type or other information.

So the next question comes, how can we trigger (alarm/alert) for specific information that is located in the event message.  Well you have 2 options, 1st is to write your own script (or get one from the internet) that will parse the Event Log and look for your information.  2nd would be to use a SIEM/Log Management tool such as LogRhythm.   Having done manual log management (and via scripts) for many years this could be a painful option.  I’ve been in the SIEM/Log Management business since 2004, I can tell you that many Admins have benefited from letting someone else doing all the heavy lifting of gathering the logs and then setting up alarms very quickly to do just what people have been asking me.

Advertisements

May 31, 2011 - Posted by | Event Log, Log Management | , , , ,

No comments yet.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: