Log monitoring <match> options

Started by NillaMilla, March 28, 2017, 03:38:48 PM


NillaMilla

Hello,

I am using a Windows security log parser file on my NetXMS agents. I am trying to trigger an event when the word "administrator" is found in the security log 3 times within 2 minutes, with the counts and interval resetting when reaching a count of 3. The below parsing file does not seem to work; it triggers an event for every new instance of the word "administrator" in the security log. I am using version 2.0.8.

<parser>
  <!-- This parser file is designed to parse the windows security log -->
  <file>*Security</file>
  <rules>
    <!-- New Rule - Rule is for catching the use of administrator local account -->
    <rule>
      <level>16</level>
      <match repeatCount="3" repeatInterval="120">(.*)administrator(.*)</match>
      <event params="2">100115</event>
    </rule>
    <!-- End Rule                                                          -->
  </rules>
</parser>

Any advice would be greatly appreciated!

-Dan
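The threshold behaviour asked for above (fire once the pattern has matched 3 times within 120 seconds, then reset the counter and the window), written out as an added Python example that is not part of the original post and not NetXMS's own parser implementation; the sample lines, the simplified "timestamp<TAB>message" layout and the case-insensitive match are constructed assumptions for the demonstration.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines in a simplified "timestamp<TAB>message" layout
# (not real Windows Security log output).
SAMPLE_LINES = [
    "2017-03-28 15:38:01\tAn account failed to log on. Account Name: administrator",
    "2017-03-28 15:38:30\tAn account was successfully logged on. Account Name: dan",
    "2017-03-28 15:39:10\tAn account failed to log on. Account Name: administrator",
    "2017-03-28 15:39:50\tAn account failed to log on. Account Name: administrator",  # 3rd within 120 s
    "2017-03-28 15:41:00\tAn account failed to log on. Account Name: administrator",  # 1st after reset
    "2017-03-28 15:45:00\tAn account failed to log on. Account Name: administrator",  # previous match expired
    "2017-03-28 15:45:30\tAn account failed to log on. Account Name: administrator",
    "2017-03-28 15:46:00\tAn account failed to log on. Account Name: administrator",  # 3rd within 120 s
]

# Same expression as in the posted rule; IGNORECASE is an assumption, since
# Windows usually logs the account as "Administrator".
PATTERN = re.compile(r"(.*)administrator(.*)", re.IGNORECASE)


def find_threshold_events(lines, pattern=PATTERN, repeat_count=3, repeat_interval=120):
    """Return the timestamps at which `pattern` has matched `repeat_count` times
    within `repeat_interval` seconds. Matches older than the interval are dropped
    from the window, and the window is emptied each time the threshold fires,
    which is the "reset on reaching a count of 3" behaviour the post describes."""
    window = []    # timestamps of the recent matches still inside the interval
    triggers = []  # timestamps at which an event would be raised
    for line in lines:
        ts_text, _, message = line.partition("\t")
        if not pattern.search(message):
            continue
        ts = datetime.strptime(ts_text, "%Y-%m-%d %H:%M:%S")
        cutoff = ts - timedelta(seconds=repeat_interval)
        window = [t for t in window if t >= cutoff]  # expire old matches
        window.append(ts)
        if len(window) >= repeat_count:
            triggers.append(ts)
            window = []  # reset both the count and the interval
    return triggers


if __name__ == "__main__":
    for ts in find_threshold_events(SAMPLE_LINES):
        print("event at", ts)  # expects 15:39:50 and 15:46:00
```

On the sample lines a per-match rule (the behaviour the post observes) would fire seven times, while the threshold version fires twice.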

NillaMilla

Disregard this post. I have realized that these match functions aren't available in the version I'm using (v2.0.8).

-Dan