Windows Forwarded Event Source

Started by abkulakli, October 31, 2019, 11:24:58 AM

Previous topic - Next topic
Print
Go Down Pages1
User actions

abkulakli

October 31, 2019, 11:24:58 AM Last Edit: October 31, 2019, 12:04:35 PM by abkulakli
I have a windows event collector server and I want to get the forwarded events from that server. The difference is that there is a column named computer which holds the originator pc of that event. However in event viewer I cannot see that info as source. I see the windows event collector server as source (as expected).

Is there a way to set that computer field (I can get the value using %<number>) as source. Or I have to create duplicate events for forwarded events and put computer info in event string.

Tursiops

#1
October 31, 2019, 11:19:03 PM Last Edit: November 05, 2019, 12:20:57 PM by Tursiops
I don't think you can change an event source after that event is received.
As you indicated, you can create a new event and set the correct source for that new event though.
To avoid your database doubling in size, you could run a regular cronjob/scheduled task to clean out the duplicates.

Or you could use a cronjob/scheduled task to adjust the source directly inside the database at regular intervals. That wouldn't be live though.
Or setup a trigger in the database to automatically perform that task in certain cases. Not sure about the performance impact on such a step though.

Edit: Or simply use the inbuilt and smart way of doing it, which Victor mentioned below.  :-[

Victor Kirhenshtein

#2
November 04, 2019, 11:20:14 AM
Another option to avoid storing double events is to remove "write to event log" option from original event.

Best regards,
Victor
Print
Go Up Pages1
User actions