NetXMS Support Forum

English Support => General Support => Topic started by: NillaMilla on March 28, 2017, 03:38:48 PM

Title: Log monitoring <match> options
Post by: NillaMilla on March 28, 2017, 03:38:48 PM
Hello,

I am using a Windows security log parser file on my NetXMS agents. I am trying to trigger an event when the word "administrator" is found in the security log 3 times within 2 minutes, with the counts and interval resetting when reaching a count of 3. The below parsing file does not seem to work; it triggers an event for every new instance of the word "administrator" in the security log. I am using version 2.0.8.

<parser>
  <!-- This parser file is designed to parse the windows security log -->
  <file>*Security</file>
  <rules>
    <!-- New Rule - Rule is for catching the use of administrator local account -->
    <rule>
      <level>16</level>
      <match repeatCount="3" repeatInterval="120">(.*)administrator(.*)</match>
      <event params="2">100115</event>
    </rule>
    <!-- End Rule                                                          -->
  </rules>
</parser>

Any advice would be greatly appreciated!

-Dan
Title: Re: Log monitoring <match> options
Post by: NillaMilla on March 29, 2017, 03:30:31 PM
Disregard this post. I have realized that these match functions aren't available in the version I'm using (v2.0.8).

-Dan
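
Added example, not part of the original posts and not NetXMS code: a stand-alone Python sketch of the thresholding the first post describes (3 matches of "administrator" within 120 seconds, with the count resetting once it reaches 3). The sample records, the function name detect and the inclusive window boundary are assumptions made for illustration.

```python
import re
from collections import deque
from datetime import datetime

PATTERN = re.compile(r"administrator", re.IGNORECASE)
REPEAT_COUNT = 3       # matches required before an event fires
REPEAT_INTERVAL = 120  # window length in seconds

# Constructed sample records (timestamp, message); not real Security log output.
SAMPLE = [
    ("2017-03-28 15:00:00", "Logon attempt for account Administrator"),
    ("2017-03-28 15:00:40", "Logon attempt for account alice"),
    ("2017-03-28 15:01:10", "Logon attempt for account administrator"),
    ("2017-03-28 15:01:50", "Special privileges assigned to Administrator"),
    ("2017-03-28 15:02:05", "Logon attempt for account administrator"),
    ("2017-03-28 15:06:00", "Logon attempt for account administrator"),
    ("2017-03-28 15:07:30", "Logon attempt for account administrator"),
    ("2017-03-28 15:07:50", "Logon attempt for account administrator"),
]

def detect(records, count=REPEAT_COUNT, interval=REPEAT_INTERVAL):
    """Return the timestamps at which `count` matches fell within `interval` seconds."""
    window = deque()  # times of matches not yet consumed by an event
    fired = []
    for stamp, message in records:
        if not PATTERN.search(message):
            continue
        now = datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S")
        window.append(now)
        # Forget matches that are older than the interval (boundary is inclusive).
        while (now - window[0]).total_seconds() > interval:
            window.popleft()
        if len(window) >= count:
            fired.append(stamp)
            window.clear()  # reset the count once the threshold is reached
    return fired

if __name__ == "__main__":
    for stamp in detect(SAMPLE):
        print("threshold reached at", stamp)
```

Calling detect(SAMPLE, count=1) fires on every matching record, which is the behaviour the first post reports seeing.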