Eventlog monitoring based on description does'nt work

appleseed · Post by **appleseed** » Mon May 21, 2007 3:44 am

Hello,

I'd like to collect any changes to group policies within our Windows Server 2003 Domain. Therefor I set up an eventlog test in hostmonitor:

Test by: RMA Agent

Log Source:
Computer: \\Server01 (Domain Controller)
Log: Security
Event source: Security

Alert Condition:
Computer: Any
Event Type: Any
Event Id: Any from the following: 566
Description: Any String from the list: "groupPolicyContainer" (as unique part of eventlog description which points to a policy change event)

Without the description everything works fine. But then a lot of events will be monitored which doesn't have to do with group policy changes

I've tried using asterisks or apostrophes - no success, any changes of GPO won't be written.

We use Host Monitor Enterprise 6.80 running on Windows 2000 Pro.

Thanks in advance

Torsten

KS-Soft Europe · Post by **KS-Soft Europe** » Mon May 21, 2007 5:02 am

What message do you see in "Reply" field, when you try to perfom the test without description? Do you see correct event log message or something like "Message not found ..."?

Regards,
Max

appleseed · Post by **appleseed** » Mon May 21, 2007 6:33 am

Oh I see...

the phrase "grouPolicyContainer" won't be written in reply field. There are some bars instead:

Object Operation:||||Object Server:|DS||||Operation Type:|Object Access:|||||Object Type:|%{19195a5b-6da0-11d0-afd3...

Unfortunately there is nothing suitable in there wich refers to Group Policy exclusively

KS-Soft Europe · Post by **KS-Soft Europe** » Mon May 21, 2007 7:21 am

Hm. Bars mean CRLF characters, I suppose. What exact message do you see in "Event Viewer" applet for this particular Event Id?

Regards,
Max

appleseed · Post by **appleseed** » Tue May 22, 2007 12:49 am

The description for the eventlog entry looks like this:

Object Operation:
Object Server: DS
Operation Type: Object Access
Object Type: groupPolicyContainer
Object Name: CN={5EAA131E-C35F-40B7-912D-14BD2FA5583F},CN=Policies,CN=System,DC=test,DC=local
Handle ID: -
Primary User Name: SERVER01$
Primary Domain: TEST
Primary Logon ID: (0x0,0x3E7)
Client User Name: administrator
Client Domain: TEST
Client Logon ID: (0x0,0xBE37926)
Accesses: Write Property

Properties:
Write Property
Default property set
versionNumber
groupPolicyContainer

Additional Info:
Additional Info2:
Access Mask: 0x20

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

KS-Soft · Post by **KS-Soft** » Tue May 22, 2007 3:04 pm

Well, I will try to explain what is wrong (I need to explain this to myself as well

)
In fact event description contains message like

....
Properties:
Write Property
%{e48d0154-bcf8-11d1-8702-00c04fb96050}
%{f3a64788-5306-11d1-a9c5-0000f80367c1}
%{bf967a86-0de6-11d0-a285-00aa003049e2}

While Event Viewer replaces GUIDs with textual information like

...
Properties:
Write Property
Default property set
versionNumber
groupPolicyContainer

So, you may setup NT Event Lot test filter using GUID, then filter should work. In other word, use "%{bf967a86-0de6-11d0-a285-00aa003049e2}" instead of "groupPolicyContainer"
To be sure what exactly data is stored as event description, you may create HTML report with test results or simply widen Reply field (make the field wide enough for entire message).

Regards
Alex

appleseed · Post by **appleseed** » Tue Jun 19, 2007 2:31 am

Hello,

sorry for late answer but it works fine now.

Thanks in advance

Torsten

gdvl · Post by **gdvl** » Tue Dec 09, 2008 7:08 am

Hi,

Is there a way to see event information in HM like event viewer does ?
Thus, with translated GUID's ?

Example: I'll monitor (via event 566) changes on specific groups.
Ok, I can use the GUID of that group to filter, but I will see in the event who made the changes etc ...

Regards,
Gert De Vleeschouwer

KS-Soft · Post by **KS-Soft** » Wed Dec 10, 2008 6:20 pm

There is no such option yet. We plan to implement it, probably in version 8.xx

Regards
Alex