Hostmon 5.92, RMA 3.30c
Hostmon running on windows 2003, RMA running on Windows 2003 server.
I'm attempting to audit security events.
Issue 1:
When looking for event id 632 (Security Group Adds) the following things happen:
If I select the option "Report about last bad", it will find the last addition and report it. Ok.
If I select the option "Report about all bad", it never finds a matching event.
I have the filter set as:
Computer: Any
Event Type: Any
Event Id: Any from the following (632 is the only entry for now)
Description: Any text
To test I am adding a different user to the security group I created. Event logs are being generated for each user I add to the windows 2003 event log on the server that hostmonitor is looking at.
Issue #2:
What is the proper way to setup event log auditing anyway?
Can I setup multiple tests looking at different Event IDs? (Security Group Adds, Account Lockouts, Failed login attempts etc) Each is a different test with a separate alert. Does hostmonitor keep track of where in the event log EACH test is at? Meaning will test #1 reset the starting point for event log test #2 if I want "report about ALL bad tests"? Otherwise if someone adds 10 users to a domain security group I'm only logging the last add, which is wrong! Also IF I am setting up lots of event log tests should I launch them single instance?
Many Thanks
Bob
event log auditing issues
> If I select the option "Report about last bad", it will find the last addition and report it. Ok.
> If I select the option "Report about all bad", it never finds a matching event.
"last bad" and "all bad" mean "last NEW record" and "all NEW bad" respectively.
HostMonitor changes test status to "Bad" only when it has found NEW event(s) that satisfy all specified requirements. If, after the next probe, the monitor does not find a new "Bad" event, it changes the test status to "Ok".

> Can I setup multiple tests looking at different Event IDs? (Security Group Adds, Account Lockouts, Failed login attempts etc) Each is a different test with a separate alert.
Yes, you can.

> Does hostmonitor keep track of where in the event log EACH test is at?
Correct.

> Meaning will test #1 reset the starting point for event log test #2
No.

> Also IF I am setting up lots of event log tests should I launch them single instance?
Sorry, do not understand this question.
Regards
Alex
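The semantics Alex describes above (a test turns "Bad" only when NEW records match the filter, falls back to "Ok" on the next probe without new matches, and each test keeps its own position in the log), written out as an added simulation. This is not HostMonitor code: the `EventRecord`/`EventLogTest` classes, the sample records, and the 528/644 event IDs used alongside 632 are constructed for this example.

```python
"""Constructed model of the event-log test semantics described in the reply.

Illustrative only, not HostMonitor code. Record layout, class names and all
sample records are assumptions made for this example.
"""
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple


@dataclass(frozen=True)
class EventRecord:
    record_number: int          # position in the log; strictly increasing
    event_id: int
    event_type: str
    computer: str
    description: str


@dataclass
class EventLogTest:
    """One event-log test with its own cursor into the log."""
    name: str
    event_ids: Set[int]
    mode: str = "all"               # "all": report every new matching record; "last": only the newest
    computer: Optional[str] = None  # None means "Any"
    last_seen: int = 0              # per-test cursor; other tests never touch it
    status: str = "Ok"

    def matches(self, rec: EventRecord) -> bool:
        """Filter check: Event ID must be in the list; Computer must match if set."""
        if rec.event_id not in self.event_ids:
            return False
        if self.computer is not None and rec.computer != self.computer:
            return False
        return True

    def probe(self, log: List[EventRecord]) -> Tuple[str, List[EventRecord]]:
        """Inspect only records that appeared since this test's previous probe.

        Status becomes "Bad" only if at least one NEW record matches the filter;
        otherwise it returns to "Ok", even though older matches still sit in the log.
        """
        new = [r for r in log if r.record_number > self.last_seen]
        if log:
            self.last_seen = log[-1].record_number  # everything probed is now "old"
        bad = [r for r in new if self.matches(r)]
        if not bad:
            self.status = "Ok"
            return self.status, []
        self.status = "Bad"
        reported = bad if self.mode == "all" else bad[-1:]
        return self.status, reported


def make_log() -> List[EventRecord]:
    """Constructed sample records, loosely in the Windows 2003 security-log style."""
    rows = [
        (632, "Security Enabled Global Group Member Added: alice"),
        (528, "Successful Logon: bob"),
        (632, "Security Enabled Global Group Member Added: carol"),
        (632, "Security Enabled Global Group Member Added: dave"),
    ]
    return [EventRecord(i + 1, eid, "Success Audit", "DC1", d) for i, (eid, d) in enumerate(rows)]


def simulate() -> dict:
    """Run three independent tests against the same log across several probes."""
    log = make_log()
    group_adds = EventLogTest("Group adds (all)", {632}, mode="all")
    group_adds_last = EventLogTest("Group adds (last)", {632}, mode="last")
    lockouts = EventLogTest("Lockouts", {644}, mode="all")  # 644 assumed as the lockout ID here

    out = {}
    # First probe: three new 632 records -> Bad; "all" reports three, "last" reports one.
    out["adds_first"] = group_adds.probe(log)
    out["last_first"] = group_adds_last.probe(log)
    # A different test probing the same log does not move the other tests' cursors.
    out["lockouts_first"] = lockouts.probe(log)
    # Nothing new since the previous probe -> status goes back to Ok.
    out["adds_second"] = group_adds.probe(log)
    # Two more records arrive: one lockout, one group add.
    log.append(EventRecord(5, 644, "Success Audit", "DC1", "User Account Locked Out: erin"))
    log.append(EventRecord(6, 632, "Success Audit", "DC1", "Security Enabled Global Group Member Added: frank"))
    out["adds_third"] = group_adds.probe(log)        # only frank is new to this test
    out["lockouts_second"] = lockouts.probe(log)     # only erin matches this test
    return out


if __name__ == "__main__":
    for key, (status, recs) in simulate().items():
        print(f"{key}: {status} {[r.description for r in recs]}")
```

The point the simulation makes is that "all bad" reports every new matching record since that test's own last probe, not every matching record in the log, so a test re-run with no new records legitimately shows "Ok".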
Ok
So when I said that "Report about all bad" is reporting nothing I meant that I SHOULD be seeing all the BAD's. I see none. It ONLY works if I set it to report about the last bad.
Yes I am adding members to the group in order to "TEST" this event log test after each test refresh.
Once it says "BAD" (It found one!! yah!) I add more members to the test security group and when I re-run the test in "report about ALL bad tests" mode it never sees the additions. EVEN if I let the test go back to "OK" hostmonitor never sees/reports multiple bad's.
IF I change it back to "report last bad" it still won't see any of the additions until I add more members to the security group and create another event log entry. Refreshing the test at this point hits on the last member added to the group.
I think I have the tests setup correctly.
As for starting the tests one at a time or multi-threaded: is there a limit on how many per event log I can run? Full auditing is turned on, with about 20 entries per second going to the event logs currently.
Bob
> Yes I am adding members to the group in order to "TEST" this event log test after each test refresh.
> Once it says "BAD" (It found one!! yah!) I add more members to the test security group and when I re-run the test in "report about ALL bad tests" mode it never sees the additions. EVEN if I let the test go back to "OK" hostmonitor never sees/reports multiple bad's.
We cannot reproduce such a problem. Could you export the test settings into a text file and send it to us?

> IF I change it back to "report last bad" it still won't see any of the additions until I add more members to the security group and create another event log entry. Refreshing the test at this point hits on the last member added to the group.
That's correct behaviour.

> Is there a limit on how many per event log I want to run?
There are no special limits.
Regards
Alex