Event ID relevance issue

(imported topic written by SystemAdmin)

Hi All,

I took a look at the previous thread to create a relevance to get specific event IDs

http://forum.bigfix.com/viewtopic.php?id=672

(event id of it mod 2147483648 mod 1073741824 , source of it, time generated of it) of records whose (now - time generated of it < 4*day) of system event log

One problem that I ran across is the following:

In the event viewer, these two events show up as follows:

Source: b57w2k, Event ID: 15 (Time 3:43:38 AM)

Source: b57w2k, Event ID: 9 (Time 3:43:40 AM)

Source: W32Time, Event ID: 35 (Time 3:44:22 AM)

When I run the relevance, they show up as follows:

327695, b57w2k, ( Sun, 08 Jul 2007 03:43:38 -0400 )

327689, b57w2k, ( Sun, 08 Jul 2007 03:43:40 -0400 )

39452707, W32Time, ( Sun, 08 Jul 2007 03:44:22 -0400 )

Is there another “mod” calculation that would cover this?

Thanks

Rob

(imported comment written by BenKus)

Hey Rob,

I don’t know… just looking at your data, I see that you can mod 32768 (which is 2^15) but I don’t know if this will work in each case…

So try:

(event id of it mod 2147483648 mod 1073741824 mod 32768, source of it, time generated of it) of records whose (now - time generated of it < 4*day) of system event log
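As an added example (not from the thread, and not BigFix code), the following Python decodes the raw 32-bit value the "event id" inspector returns. Windows packs that value HRESULT-style: two severity bits, a customer bit, a reserved bit, a 12-bit facility, and the 16-bit code that Event Viewer displays as the Event ID, so keeping the low 16 bits (mod 65536) recovers the displayed ID in every case. The sample values are taken from the thread; the last case is a constructed event whose code has bit 15 set, which goes beyond the thread's data to show where the mod 32768 chain stops matching Event Viewer.

```python
# Decode the raw 32-bit Windows event ID into its component fields.
# Layout (HRESULT-style): bits 31-30 severity, bit 29 customer, bit 28 reserved,
# bits 27-16 facility, bits 15-0 code. Event Viewer shows only the 16-bit code.

def decode_event_id(raw: int) -> dict:
    raw &= 0xFFFFFFFF
    return {
        "severity": (raw >> 30) & 0x3,
        "customer": (raw >> 29) & 0x1,
        "reserved": (raw >> 28) & 0x1,
        "facility": (raw >> 16) & 0xFFF,
        "code": raw & 0xFFFF,
    }


def viewer_event_id(raw: int) -> int:
    """The ID Event Viewer displays: the low 16 bits, i.e. raw mod 65536."""
    return raw & 0xFFFF


def relevance_mod_chain(raw: int) -> int:
    """Mirror the chain from the thread: mod 2147483648 mod 1073741824 mod 32768."""
    return raw % 2147483648 % 1073741824 % 32768


# Sample records from the thread: (raw event id, source, ID shown by Event Viewer)
SAMPLES = [
    (327695, "b57w2k", 15),
    (327689, "b57w2k", 9),
    (39452707, "W32Time", 35),
]

# Constructed edge case (not from the thread): severity 3, facility 0xA, code 0x8001.
# Its code is >= 32768, so "mod 32768" strips the top bit of the code.
EDGE_CASE_RAW = 0xC00A8001


def check_samples() -> bool:
    """True if both decodings agree with Event Viewer for every sample in the thread."""
    return all(
        viewer_event_id(raw) == shown and relevance_mod_chain(raw) == shown
        for raw, _source, shown in SAMPLES
    )


def edge_case_results() -> tuple:
    """(low-16-bit ID, mod-32768 chain result) for the constructed edge case."""
    return viewer_event_id(EDGE_CASE_RAW), relevance_mod_chain(EDGE_CASE_RAW)


if __name__ == "__main__":
    for raw, source, _shown in SAMPLES:
        print(raw, source, decode_event_id(raw))
    print("samples agree:", check_samples())
    print("edge case (low16, mod32768 chain):", edge_case_results())
```

In relevance terms, "event id of it mod 65536" is the equivalent of the low-16-bit decode and avoids the facility and severity bits without the chained mods.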

(imported comment written by SystemAdmin)

This seems to work.

Thanks

Ben