Windows Event Log
The Windows Event Log monitor uses WMI authentication to listen for Windows events on the devices to which it is assigned. To use multiple Windows Event Log monitors, assign a unique monitor to each device. When assigning a Windows Event Log monitor, ensure the device has credentials assigned to it first.
Provide a unique name and description for the monitor, then configure the following:
- Click the add button to launch the WinEvent Condition dialog and create a condition to match, then repeat to build up a list of conditions, if needed. Only log entries matching these conditions are converted to events. Conditions are processed sequentially from top to bottom: as each condition is evaluated, its result is combined with the next condition until all conditions are evaluated, with no operator precedence. For complex sets of conditions involving both ANDs and ORs, this serial logic may produce different results than intended. As a best practice, we recommend keeping conditions simple by opting for multiple Passive Monitors over complex sets of conditions. When complex conditions are unavoidable, we recommend grouping all OR conditions together at the beginning of the set of conditions, followed by the ANDs. Click the add or edit button to add or edit a condition, or the remove button to remove a condition from the list.
- Click the add button to launch the Rules Expression Editor, where you can create an expression, test it, and compare it against potential payloads. Click the add or edit button to add or edit an expression, or the remove button to remove an expression from the list.
If you have multiple payload "match on" expressions, they are linked by OR logic, not AND logic. If you have two expressions, one set to "AB" and the other to "BA", it matches against a trap containing any of the following: "AB" or "BA" or "ABBA".
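The two behaviours described above (serial top-to-bottom evaluation of conditions with no precedence, and OR-linking of multiple "match on" expressions) are easy to get wrong when building a monitor, so here is an added Python model of them. It is not the product's own code and is not from this page: the sample events, the `log_is`/`event_id_is` predicates and the `evaluate_serial` evaluator are constructed for illustration and are an assumption about how the serial logic combines results, based only on the description above.

```python
import re
from typing import Callable, Dict, List, Tuple

# Constructed sample events (not real log data): a minimal view of the fields a
# Windows Event Log passive monitor would see.
SAMPLE_EVENTS: List[Dict] = [
    {"log": "Security", "event_id": 4625, "message": "An account failed to log on. Logon Type: 3"},
    {"log": "Security", "event_id": 4624, "message": "An account was successfully logged on. Logon Type: 10"},
    {"log": "ForwardedEvents", "event_id": 4624, "message": "An account was successfully logged on. Logon Type: 3"},
    {"log": "System", "event_id": 7045, "message": "A service was installed in the system."},
    {"log": "Application", "event_id": 1000, "message": "Faulting application name: foo.exe"},
]

# A condition is (operator, predicate). The operator says how this condition's
# result is combined with the running result of everything above it; the
# operator on the first condition is ignored.
Condition = Tuple[str, Callable[[Dict], bool]]


def log_is(name: str) -> Callable[[Dict], bool]:
    return lambda e: e["log"] == name


def event_id_is(eid: int) -> Callable[[Dict], bool]:
    return lambda e: e["event_id"] == eid


def evaluate_serial(conditions: List[Condition], event: Dict) -> bool:
    """Top-to-bottom evaluation with no operator precedence (assumed model of the
    serial logic described on the page). Each condition's result is folded into
    the running result, so 'a AND b OR c AND d' means ((a AND b) OR c) AND d."""
    result = None
    for op, pred in conditions:
        value = pred(event)
        if result is None:
            result = value
        elif op == "AND":
            result = result and value
        elif op == "OR":
            result = result or value
        else:
            raise ValueError(f"unknown operator {op!r}")
    return bool(result)


def matched_ids(conditions: List[Condition], events: List[Dict]) -> List[int]:
    """Event IDs that a single monitor with this condition list would convert to events."""
    return [e["event_id"] for e in events if evaluate_serial(conditions, e)]


def union_of_monitors(monitors: List[List[Condition]], events: List[Dict]) -> List[int]:
    """Several simple monitors on the same device: an event is converted if any
    monitor's condition list matches it."""
    return [e["event_id"] for e in events if any(evaluate_serial(c, e) for c in monitors)]


def payload_matches(expressions: List[str], payload: str) -> bool:
    """Multiple 'match on' expressions are linked by OR: any single hit is enough."""
    return any(re.search(expr, payload) for expr in expressions)


# Intent: failed logons (Security/4625) OR new service installs (System/7045),
# written as one mixed AND/OR/AND list. Serial logic reads it as
# ((Security AND 4625) OR System) AND 7045, which silently drops the 4625.
MIXED = [("AND", log_is("Security")), ("AND", event_id_is(4625)),
         ("OR", log_is("System")), ("AND", event_id_is(7045))]

# The recommended alternative: two passive monitors, each with ANDs only.
FAILED_LOGON = [("AND", log_is("Security")), ("AND", event_id_is(4625))]
SERVICE_INSTALL = [("AND", log_is("System")), ("AND", event_id_is(7045))]

# Intent: any logon event (4625 OR 4624), but only from the Security log.
# ORs grouped first, then the AND, evaluates as (4625 OR 4624) AND Security.
OR_FIRST = [("OR", event_id_is(4625)), ("OR", event_id_is(4624)),
            ("AND", log_is("Security"))]
# Same conditions with the AND first: (Security AND 4625) OR 4624, so the
# ForwardedEvents 4624 is converted even though it is not from Security.
AND_FIRST = [("AND", log_is("Security")), ("AND", event_id_is(4625)),
             ("OR", event_id_is(4624))]

if __name__ == "__main__":
    print("mixed AND/OR/AND, one monitor:", matched_ids(MIXED, SAMPLE_EVENTS))
    print("two simple monitors:", union_of_monitors([FAILED_LOGON, SERVICE_INSTALL], SAMPLE_EVENTS))
    print("ORs first, then AND:", matched_ids(OR_FIRST, SAMPLE_EVENTS))
    print("ANDs first, then OR:", matched_ids(AND_FIRST, SAMPLE_EVENTS))
    for payload in ("AB", "BA", "ABBA", "AA"):
        print(payload, payload_matches(["AB", "BA"], payload))
```

Running the model shows the mixed list converting only the 7045 event while the two single-purpose monitors together convert both 4625 and 7045, and the AND-first ordering letting a non-Security 4624 through where the OR-first ordering does not. The last loop reproduces the "AB"/"BA" case from the note: "AB", "BA" and "ABBA" all match, "AA" does not.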