appleseed
Joined: 16 May 2007 Posts: 6
Posted: Mon May 21, 2007 3:44 am Post subject: Eventlog monitoring based on description doesn't work
Hello,
I'd like to collect any changes to group policies within our Windows Server 2003 Domain. Therefore I set up an eventlog test in HostMonitor:
Test by: RMA Agent
Log Source:
Computer: \\Server01 (Domain Controller)
Log: Security
Event source: Security
Alert Condition:
Computer: Any
Event Type: Any
Event Id: Any from the following: 566
Description: Any String from the list: "groupPolicyContainer" (as unique part of eventlog description which points to a policy change event)
Without the description everything works fine. But then a lot of events will be monitored which don't have to do with group policy changes.
I've tried using asterisks or apostrophes - no success, any changes of GPO won't be written.
We use Host Monitor Enterprise 6.80 running on Windows 2000 Pro.
Thanks in advance
Torsten
KS-Soft Europe
Joined: 16 May 2006 Posts: 2832
Posted: Mon May 21, 2007 5:02 am
What message do you see in the "Reply" field when you try to perform the test without description? Do you see the correct event log message or something like "Message not found ..."?
Regards,
Max
appleseed
Joined: 16 May 2007 Posts: 6
Posted: Mon May 21, 2007 6:33 am
Oh I see...
The phrase "groupPolicyContainer" won't be written in the reply field. There are some bars instead:
Object Operation:||||Object Server:|DS||||Operation Type:|Object Access:|||||Object Type:|%{19195a5b-6da0-11d0-afd3...
Unfortunately there is nothing suitable in there which refers to Group Policy exclusively.
KS-Soft Europe
Joined: 16 May 2006 Posts: 2832
Posted: Mon May 21, 2007 7:21 am
Hm. Bars mean CRLF characters, I suppose. What exact message do you see in "Event Viewer" applet for this particular Event Id?
Regards,
Max
appleseed
Joined: 16 May 2007 Posts: 6
Posted: Tue May 22, 2007 12:49 am
The description for the eventlog entry looks like this:
Object Operation:
Object Server: DS
Operation Type: Object Access
Object Type: groupPolicyContainer
Object Name: CN={5EAA131E-C35F-40B7-912D-14BD2FA5583F},CN=Policies,CN=System,DC=test,DC=local
Handle ID: -
Primary User Name: SERVER01$
Primary Domain: TEST
Primary Logon ID: (0x0,0x3E7)
Client User Name: administrator
Client Domain: TEST
Client Logon ID: (0x0,0xBE37926)
Accesses: Write Property
Properties:
Write Property
Default property set
versionNumber
groupPolicyContainer
Additional Info:
Additional Info2:
Access Mask: 0x20
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
KS-Soft
Joined: 03 Apr 2002 Posts: 12795 Location: USA
Posted: Tue May 22, 2007 3:04 pm
Well, I will try to explain what is wrong (I need to explain this to myself as well).
In fact the event description contains a message like:
....
Properties:
Write Property
%{e48d0154-bcf8-11d1-8702-00c04fb96050}
%{f3a64788-5306-11d1-a9c5-0000f80367c1}
%{bf967a86-0de6-11d0-a285-00aa003049e2}
while Event Viewer replaces the GUIDs with textual information like:
...
Properties:
Write Property
Default property set
versionNumber
groupPolicyContainer
So, you may set up the NT Event Log test filter using the GUID, then the filter should work. In other words, use "%{bf967a86-0de6-11d0-a285-00aa003049e2}" instead of "groupPolicyContainer".
To be sure what data exactly is stored as the event description, you may create an HTML report with test results or simply widen the Reply field (make the field wide enough for the entire message).
Regards
Alex
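The following is an added example (not HostMonitor's own code) that shows why the substring filter behaves as Alex describes: the stored description holds %{GUID} tokens, and only Event Viewer renders them as names. The GUID-to-name mapping is the one quoted in this thread; the sample description is constructed, and treating "|" as the CRLF separator is an assumption based on Max's guess above.

```python
import re

# Schema GUID -> display name, for the three GUIDs quoted in this thread.
KNOWN_GUIDS = {
    "e48d0154-bcf8-11d1-8702-00c04fb96050": "Default property set",
    "f3a64788-5306-11d1-a9c5-0000f80367c1": "versionNumber",
    "bf967a86-0de6-11d0-a285-00aa003049e2": "groupPolicyContainer",
}

# Constructed sample of the raw text stored for event 566, built from the
# lines quoted in the thread. "|" stands in for the CRLF that HostMonitor
# shows as a bar in its Reply field (assumption).
RAW_DESCRIPTION = (
    "Object Operation:|Object Server:|DS|Operation Type:|Object Access|"
    "Accesses:|Write Property|Properties:|Write Property|"
    "%{e48d0154-bcf8-11d1-8702-00c04fb96050}|"
    "%{f3a64788-5306-11d1-a9c5-0000f80367c1}|"
    "%{bf967a86-0de6-11d0-a285-00aa003049e2}"
)

# Matches a %{...} token wrapping a 36-character GUID.
GUID_TOKEN = re.compile(r"%\{([0-9a-fA-F-]{36})\}")


def description_matches(raw, needle):
    """Case-insensitive substring filter, applied to the stored (raw) text,
    which is what the HostMonitor description filter actually sees."""
    return needle.lower() in raw.lower()


def render_like_event_viewer(raw):
    """Replace %{GUID} tokens with names the way Event Viewer displays them.
    Unknown GUIDs are left untouched so nothing is silently lost."""
    def sub(m):
        return KNOWN_GUIDS.get(m.group(1).lower(), m.group(0))
    return GUID_TOKEN.sub(sub, raw).replace("|", "\r\n")


def working_filter(display_name):
    """Translate an Event Viewer display name into the token to filter on."""
    for guid, name in KNOWN_GUIDS.items():
        if name == display_name:
            return "%{" + guid + "}"
    raise KeyError(display_name)
```

Filtering on "groupPolicyContainer" never matches the raw text, while the token returned by working_filter() does; render_like_event_viewer() reproduces the readable form shown in the thread.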
appleseed
Joined: 16 May 2007 Posts: 6
Posted: Tue Jun 19, 2007 2:31 am
Hello,
sorry for the late answer, but it works fine now.
Thanks in advance
Torsten
gdvl
Joined: 04 Apr 2002 Posts: 103 Location: Belgium
Posted: Tue Dec 09, 2008 7:08 am
Hi,
Is there a way to see event information in HM like Event Viewer does?
Thus, with translated GUIDs?
Example: I'll monitor (via event 566) changes on specific groups.
OK, I can use the GUID of that group to filter, but I will see in the event who made the changes etc.
Regards,
Gert De Vleeschouwer
KS-Soft
Joined: 03 Apr 2002 Posts: 12795 Location: USA
Posted: Wed Dec 10, 2008 6:20 pm
There is no such option yet. We plan to implement it, probably in version 8.xx.
Regards
Alex