Windows Event Log

The Windows Event Log monitor uses WMI authentication to listen for Windows events on the devices to which it is assigned. To use multiple Windows Event Log monitors, assign a unique monitor to each device. When assigning a Windows Event Log monitor, ensure the device has credentials assigned to it first.

Provide a unique name and description for the monitor, then configure the following:

• Condition. Enter a list of conditions to match. Only log entries matching these expressions are converted to events. Conditions are processed sequentially from top to bottom. As each condition is evaluated, its results are applied to the next condition until all conditions are evaluated. For complex sets of conditions involving both ANDs and ORs, this serial logic may produce different results than intended. As a best practice, we recommend keeping conditions simple by opting for multiple Passive Monitors over complex sets of conditions. When complex conditions are unavoidable, we recommend grouping all OR conditions together at the beginning of the set of conditions, followed by the ANDs. Click Edit to add or edit a condition or Clear to remove a condition from the box.
• Match On. Click Add to launch the Rules Expression Editor to create an expression, test it, and compare it to potential payloads.

Important: If you have multiple payload "match on" expressions, they are linked by "OR" logic—not "AND" logic. If you have two expressions, one set to "AB" and the other to "BA", it matches against a trap containing any of the following: "AB" or "BA" or "ABBA".

See Also Passive Monitors Syslog SNMP Trap