Monitor Event ID using BigFix

(imported topic written by itowns91)

I would like to monitor an application Event ID 20885. If BigFix finds this event, I would like it to stop and start a particular service. My problem is that BigFix will see this event whether it happened 2 min ago or 2 weeks ago and will restart the service. Do I have to clear the log each time it encounters this event? If I do, how do I do that? If not, how do I tell BigFix to see only the new events? Any help is appreciated. Thanks.

(imported comment written by jessewk)

I would recommend you start by running a one-time action to seed a registry key with "now". Then have a policy action that becomes relevant when the event is detected and the event time stamp is greater than the time stamp in the registry. The policy action would restart the service and then set the registry key to the time of the detected event. If a new event occurs the action will run again and update the key with the latest time.

Jesse
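The seed, compare and update scheme Jesse describes, modeled in Python over constructed log records as an added example (this is not code from the thread, and it is not BigFix relevance or action script). The `Watermark` object stands in for the registry value that the one-time action seeds with "now"; the record number is kept alongside the time so that two events logged in the same second are not confused. The record layout, the timestamps and the use of event ID 20885 are assumptions made for the example.

```python
from datetime import datetime, timezone

# Constructed sample of Application-log records (not a real export):
# (record number, time generated in UTC, event id).
# Record 1001 is the two-week-old occurrence that a plain
# "exists records whose (event id of it = 20885)" check keeps matching.
SAMPLE_LOG = [
    (1001, "2008-09-01T08:00:00Z", 20885),
    (1002, "2008-09-01T08:05:00Z", 1000),
]
# Two fresh occurrences written in the same second, appended later.
NEW_EVENTS = [
    (1003, "2008-09-14T09:30:00Z", 20885),
    (1004, "2008-09-14T09:30:00Z", 20885),
]


def parse_records(rows):
    """Turn the constructed rows into (record number, datetime, event id)."""
    return [
        (n, datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc), eid)
        for n, ts, eid in rows
    ]


class Watermark:
    """Stands in for the registry value the one-time action seeds.

    Holds the (time generated, record number) of the last handled event.
    Seeding with "now" and record 0 means anything already in the log at
    seeding time is ignored, which is the whole point of the scheme.
    """

    def __init__(self, seed_time):
        self.time = seed_time
        self.record = 0

    def is_newer(self, rec):
        n, t, _ = rec
        # Tuple comparison: time first, record number breaks same-second ties.
        return (t, n) > (self.time, self.record)


def unhandled_events(records, event_id, wm):
    """All records with the wanted id that are newer than the watermark, oldest first."""
    hits = [r for r in records if r[2] == event_id and wm.is_newer(r)]
    return sorted(hits, key=lambda r: (r[1], r[0]))


def process(records, event_id, wm, restart):
    """One evaluation cycle of the policy action.

    Restarts at most once per cycle no matter how many new events are
    present, then advances the watermark to the newest handled event.
    Returns the record numbers handled in this cycle.
    """
    events = unhandled_events(records, event_id, wm)
    if not events:
        return []
    restart()
    last_n, last_t, _ = events[-1]
    wm.time, wm.record = last_t, last_n
    return [r[0] for r in events]


def demo():
    """Three cycles: nothing new, two new events, nothing new again."""
    restarts = []
    restart = lambda: restarts.append(1)  # stands in for net stop / net start
    seed = datetime(2008, 9, 10, 12, 0, tzinfo=timezone.utc)  # "now" at seeding time
    wm = Watermark(seed)

    log = parse_records(SAMPLE_LOG)
    first = process(log, 20885, wm, restart)    # old event is ignored
    log += parse_records(NEW_EVENTS)
    second = process(log, 20885, wm, restart)   # both new events, one restart
    third = process(log, 20885, wm, restart)    # watermark now past them
    return first, second, third, len(restarts)


if __name__ == "__main__":
    print(demo())
```

The tie-breaker on record number matters when the trigger fires in bursts: with a time-only watermark and a strict "greater than" comparison, an event logged in the same second as the last handled one is silently skipped, while a "greater or equal" comparison restarts the service on every cycle. Note that clearing the log resets record numbers, but because the time is compared first the watermark still behaves correctly afterwards.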

(imported comment written by itowns91)

That sounds like the perfect solution…

Could you help me figure out how to do that? I have no idea. I’m running v. 7.

(imported comment written by itowns91)

I’m also having trouble figuring out how to find the true event ID… The actual error is in an archive of an event log, so I can’t use QNA to display the true number, and apparently 20885 is not the real number, so it will evaluate to false whether it’s there or not…

exists records whose (event id of it = 20885) of application event log

(imported comment written by jessewk)

To get the newest event and its time stamp try the relevance in this post: http://forum.bigfix.com/viewtopic.php?id=1723

See these 2 posts for help getting the appropriate event ID:

http://forum.bigfix.com/viewtopic.php?id=672

http://forum.bigfix.com/viewtopic.php?id=1120

Hopefully that should be enough to get you the necessary relevance. For the action script, try searching through the console for content that starts/stops/restarts services. There should be plenty of examples.

If you can’t get everything to work all together, post the relevance and action script you’ve got so far.

(imported comment written by itowns91)

Thanks. I still do not understand how to get the event ID even after reading those two posts. Is there a formula? As I said before, I haven’t been able to use QNA to do that because the error is no longer in the application log. I have an exported log that I am using and don’t know how to get QNA to evaluate it. I understand that you use “mod” and then some number, but how do you get to that number?

(imported comment written by jessewk)

To get this working I think you’ll need to find an example to work with where the error is available in the event log.

When you have an example, you’ll need to mod the event ID by 2^15 or 2^30 most likely, but you’ll have to experiment to see what ends up matching the IDs in your event viewer.

(imported comment written by SystemAdmin)

Semi-related: I used this post along with other related posts to cobble together a property to find the last application log event ID 8009 (NT Backup) to determine when the last System State backup was run on a W2K/W2K3 system. This gets the job done:

if (exist (name whose (it = "Win2000" or it = "Win2003") of Operating System) and (exist (records whose (event id of it = 8009) of it) of application event log)) then (time generated of it, description of it) of items 1 of it whose (time generated of item 1 of it = item 0 of it) of (maximum of times generated of records whose (event id of it = 8009) of it, records whose (event id of it = 8009) of it) of application event log as string else "N/A"

(imported comment written by sheikh.shadab91)

Hi All,

I wanted to generate an alert based upon a condition:

Within a span of 24 hours, “Failure Audit” security records for a particular user ID get generated at least 5 times.

This will give me an indication that someone intentionally or unintentionally tried to log in with that user name, which finally resulted in a user account lockout (as per our account lockout policy).

I wrote a relevance

if (exist (name whose (it = "WinXP" or it = "Win2003") of Operating System) and (exist (records whose (event id of it = 675) of application event log) and ((now - (time generated of records whose (event id of it = 675) of application event log)) < 1*day) and (record number of records whose (event id of it = 675) of application event log >= 5))) then ((time generated of it, description of it) of application event log as string) else "N/A"

But the relevance

record number of records whose (event id of it = 675) of application event log >= 5

doesn’t seem to be working.

Also, how do I make this relevance true only in cases where event ID “675” is repeatedly generated 5 times for a particular user ID?

(imported comment written by BenKus)

Hi Sheikh,

That is actually a pretty difficult problem… the issue is that it is tough to check any given 24-hour period for each user… it would be easier if we said that 5 lockouts occurred in the same day…

Ben
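The per-user "5 failures in any 24-hour span" condition that Sheikh asks about, and the same-day shortcut Ben mentions, worked as an added Python example over a constructed Security-log sample (not code from the thread, and not BigFix relevance). It groups failure-audit records by target user, sorts each user's times, and slides a window of five consecutive failures to see whether they fit inside 24 hours; the calendar-day variant is included alongside to show the case it misses. The usernames, timestamps, record layout and the use of event ID 675 are assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed Security-log sample (not from a real system):
# (time generated in UTC, event id, target user name).
# 675 is the failure-audit id used in the post; 528 stands for a
# successful logon and must not be counted.
SECURITY_LOG = [
    ("2008-09-15T22:10:00Z", 675, "alice"),
    ("2008-09-15T22:40:00Z", 675, "alice"),
    ("2008-09-15T23:30:00Z", 675, "alice"),
    ("2008-09-16T00:20:00Z", 675, "alice"),   # alice's run straddles midnight
    ("2008-09-16T01:05:00Z", 675, "alice"),
    ("2008-09-10T09:00:00Z", 675, "bob"),
    ("2008-09-11T09:00:00Z", 675, "bob"),     # bob fails once a day for five days
    ("2008-09-12T09:00:00Z", 675, "bob"),
    ("2008-09-13T09:00:00Z", 675, "bob"),
    ("2008-09-14T09:00:00Z", 675, "bob"),
    ("2008-09-15T22:15:00Z", 528, "alice"),
]


def parse(rows):
    """Turn the constructed rows into (datetime, event id, user)."""
    return [
        (datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc), eid, user)
        for ts, eid, user in rows
    ]


def failures_by_user(records, event_id=675):
    """Map each user to the sorted times of their failure audits."""
    by_user = defaultdict(list)
    for t, eid, user in records:
        if eid == event_id:
            by_user[user].append(t)
    for times in by_user.values():
        times.sort()
    return by_user


def users_over_threshold(records, event_id=675, threshold=5, window=timedelta(hours=24)):
    """Sliding window over sorted times.

    Any `threshold` consecutive failures whose first and last fall within
    `window` trigger. Returns {user: (first, last)} for the earliest such run.
    """
    hits = {}
    for user, times in failures_by_user(records, event_id).items():
        for i in range(len(times) - threshold + 1):
            first, last = times[i], times[i + threshold - 1]
            if last - first <= window:
                hits[user] = (first, last)
                break
    return hits


def users_over_threshold_same_day(records, event_id=675, threshold=5):
    """Calendar-day approximation: count failures per (user, UTC date)."""
    counts = defaultdict(int)
    for t, eid, user in records:
        if eid == event_id:
            counts[(user, t.date())] += 1
    return {user for (user, _day), n in counts.items() if n >= threshold}


if __name__ == "__main__":
    recs = parse(SECURITY_LOG)
    print("sliding window:", users_over_threshold(recs))
    print("same day:      ", users_over_threshold_same_day(recs))
```

On this sample the sliding window flags alice (five failures between 22:10 and 01:05 the next day) and not bob (five failures spread over five days), while the same-day count flags nobody, because alice's run is split three-and-two across midnight. Sorting once per user and checking `times[i + threshold - 1] - times[i]` is what makes the "any 24-hour period" check cheap; it avoids re-scanning the log for every possible window start.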