Eventlog monitoring based on description does'nt work

appleseed · Joined: 16 May 2007 Posts: 6

Hello,

I'd like to collect any changes to group policies within our Windows Server 2003 Domain. Therefor I set up an eventlog test in hostmonitor:

Test by: RMA Agent

Log Source:
Computer: \\Server01 (Domain Controller)
Log: Security
Event source: Security

Alert Condition:
Computer: Any
Event Type: Any
Event Id: Any from the following: 566
Description: Any String from the list: "groupPolicyContainer" (as unique part of eventlog description which points to a policy change event)

Without the description everything works fine. But then a lot of events will be monitored which doesn't have to do with group policy changes

I've tried using asterisks or apostrophes - no success, any changes of GPO won't be written.

We use Host Monitor Enterprise 6.80 running on Windows 2000 Pro.

Thanks in advance

Torsten

KS-Soft Europe · Joined: 16 May 2006 Posts: 2832

What message do you see in "Reply" field, when you try to perfom the test without description? Do you see correct event log message or something like "Message not found ..."?

Regards,
Max

appleseed · Joined: 16 May 2007 Posts: 6

Oh I see...

the phrase "grouPolicyContainer" won't be written in reply field. There are some bars instead:

Object Operation:||||Object Server:|DS||||Operation Type:|Object Access:|||||Object Type:|%{19195a5b-6da0-11d0-afd3...

Unfortunately there is nothing suitable in there wich refers to Group Policy exclusively

KS-Soft Europe · Joined: 16 May 2006 Posts: 2832

Hm. Bars mean CRLF characters, I suppose. What exact message do you see in "Event Viewer" applet for this particular Event Id?

Regards,
Max

appleseed · Joined: 16 May 2007 Posts: 6

The description for the eventlog entry looks like this:

Object Operation:
Object Server: DS
Operation Type: Object Access
Object Type: groupPolicyContainer
Object Name: CN={5EAA131E-C35F-40B7-912D-14BD2FA5583F},CN=Policies,CN=System,DC=test,DC=local
Handle ID: -
Primary User Name: SERVER01$
Primary Domain: TEST
Primary Logon ID: (0x0,0x3E7)
Client User Name: administrator
Client Domain: TEST
Client Logon ID: (0x0,0xBE37926)
Accesses: Write Property

Properties:
Write Property
Default property set
versionNumber
groupPolicyContainer

Additional Info:
Additional Info2:
Access Mask: 0x20

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

KS-Soft · Joined: 03 Apr 2002 Posts: 12795 Location: USA

Well, I will try to explain what is wrong (I need to explain this to myself as well

)
In fact event description contains message like

appleseed · Joined: 16 May 2007 Posts: 6

Hello,

sorry for late answer but it works fine now.

Thanks in advance

Torsten

gdvl · Joined: 04 Apr 2002 Posts: 103 Location: Belgium

Hi,

Is there a way to see event information in HM like event viewer does ?
Thus, with translated GUID's ?

Example: I'll monitor (via event 566) changes on specific groups.
Ok, I can use the GUID of that group to filter, but I will see in the event who made the changes etc ...

Regards,
Gert De Vleeschouwer

KS-Soft · Joined: 03 Apr 2002 Posts: 12795 Location: USA

There is no such option yet. We plan to implement it, probably in version 8.xx

Regards
Alex