audit log cleared rule Event ID 517

  • Question

  • I have a couple of simple rules that I've created, but for some reason this one is giving me trouble. In short, we want an alert generated for Event ID 517. I have it working if the log is cleared locally, but if you remotely manage a system and clear the log, it does not work. The Event ID is the same, and that is all the rule is currently looking for. See below.

    *THIS SENDS ALERT* log cleared from the local computer

    Event Type: Success Audit
    Event Source: Security
    Event Category: System Event
    Event ID: 517
    Date:  12/20/2011
    Time:  3:05:20 PM
    User:  NT AUTHORITY\SYSTEM
    Computer: *LOCAL COMPUTER*
    Description:
    The audit log was cleared
      Primary User Name: SYSTEM
      Primary Domain: NT AUTHORITY
      Primary Logon ID: (0x0,0x3E7)
      Client User Name: *MY USER ID*
      Client Domain: *
      Client Logon ID: (0x0,0x111CF944)

     

    *THIS DOESN'T ALERT* clearing the above computer's log from a different system's management

    Event Type: Success Audit
    Event Source: Security
    Event Category: System Event
    Event ID: 517
    Date:  12/20/2011
    Time:  3:04:22 PM
    User:  NT AUTHORITY\SYSTEM
    Computer: *REMOTE COMPUTER*
    Description:
    The audit log was cleared
      Primary User Name: SYSTEM
      Primary Domain: NT AUTHORITY
      Primary Logon ID: (0x0,0x3E7)
      Client User Name: *MY USER ID*
      Client Domain: *
      Client Logon ID: (0x0,0x11E86F64)

    Am I missing something obvious? The rule is really, really simple; it matches the regular expression

    ^(517)$

    Not sure how to wildcard the logging computer line; maybe that would be a solution, but I still don't get why any/all Event ID 517s don't trigger the rule/alert.

    Thanks


    • Edited by Shetaug Tuesday, December 20, 2011 8:46 PM
    Tuesday, December 20, 2011 8:44 PM

Answers

  • Hi,

    By default, all events logged by remote computers (and virtual cluster nodes, etc.; everything that has a name not equal to the computer name) are filtered, and alerts will not be raised on them. You need to add an XML tag to your rule to change this behaviour explicitly:

    ......

    <LogName>Application</LogName>
    <AllowProxying>true</AllowProxying>

    .......


    http://OpsMgr.ru/
    Friday, December 30, 2011 7:45 PM
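    What a complete rule built around that tag looks like, as an added example (it is not the poster's rule, nor a management pack shipped by Microsoft, and the answer above only shows the two tags). The XML goes under Monitoring/Rules in a management pack fragment; it assumes the pack declares the aliases "Windows" (Microsoft.Windows.Library) and "Health" (System.Health.Library), and the rule ID, display strings and alert settings are made up here. It also extends the poster's regular expression with 1102, the ID the same "audit log was cleared" event carries on Windows Vista / Server 2008 and later, so one rule covers both generations.

```xml
<!-- Added example rule for the "audit log cleared" event (not code from the thread).
     Assumptions: MP aliases "Windows" and "Health" exist; IDs and names are hypothetical. -->
<Rule ID="Custom.AuditLogCleared.Alert" Enabled="true"
      Target="Windows!Microsoft.Windows.Computer"
      ConfirmDelivery="true" Remotable="true" Priority="Normal" DiscardLevel="100">
  <Category>SecurityHealth</Category>
  <DataSources>
    <DataSource ID="DS" TypeID="Windows!Microsoft.Windows.EventProvider">
      <ComputerName>$Target/Property[Type="Windows!Microsoft.Windows.Computer"]/NetworkName$</ComputerName>
      <LogName>Security</LogName>
      <!-- The fix from the accepted answer: without this, an event whose Computer field
           is not the agent's own name (log cleared through remote management, a cluster
           node, a forwarded event) is discarded before the expression below is evaluated. -->
      <AllowProxying>true</AllowProxying>
      <Expression>
        <And>
          <Expression>
            <!-- Event Source: Security, as in both events the poster pasted -->
            <SimpleExpression>
              <ValueExpression><XPathQuery Type="String">PublisherName</XPathQuery></ValueExpression>
              <Operator>Equal</Operator>
              <ValueExpression><Value Type="String">Security</Value></ValueExpression>
            </SimpleExpression>
          </Expression>
          <Expression>
            <!-- EventLevel 8 is Success Audit in the SCOM event provider (16 is Failure Audit) -->
            <SimpleExpression>
              <ValueExpression><XPathQuery Type="UnsignedInteger">EventLevel</XPathQuery></ValueExpression>
              <Operator>Equal</Operator>
              <ValueExpression><Value Type="UnsignedInteger">8</Value></ValueExpression>
            </SimpleExpression>
          </Expression>
          <Expression>
            <!-- The poster's regex, extended with 1102 (Vista / Server 2008 and later);
                 more IDs can be added to the alternation the same way -->
            <RegExExpression>
              <ValueExpression><XPathQuery Type="String">EventDisplayNumber</XPathQuery></ValueExpression>
              <Operator>MatchesRegularExpression</Operator>
              <Pattern>^(517|1102)$</Pattern>
            </RegExExpression>
          </Expression>
        </And>
      </Expression>
    </DataSource>
  </DataSources>
  <WriteActions>
    <WriteAction ID="Alert" TypeID="Health!System.Health.GenerateAlert">
      <Priority>2</Priority>
      <Severity>2</Severity>
      <AlertName>Security audit log cleared</AlertName>
      <!-- LoggingComputer is the event's own Computer field, so an alert for a remotely
           cleared log still names the machine whose log was wiped -->
      <AlertDescription>Event $Data/EventDisplayNumber$ on $Data/LoggingComputer$ (user $Data/UserName$): $Data/EventDescription$</AlertDescription>
      <Suppression>
        <SuppressionValue>$Data/LoggingComputer$</SuppressionValue>
      </Suppression>
    </WriteAction>
  </WriteActions>
</Rule>
```

    The point of the example is that the Computer line does not need to be wildcarded at all: the expression never sees the remote-cleared event unless AllowProxying lifts the agent's own-name filter first. Suppressing on LoggingComputer keeps one alert per cleared log rather than one per matching event; since a cleared Security log is a tamper indicator worth treating as critical regardless of who cleared it, the severity is set accordingly.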

All replies

  • Why not narrow it down and use the event ID equals 517, and of course with the source and the Security event log specified, and that it's a successful one, for instance.


    Bob Cornelissen - BICTT (My BICTT Blog) - Microsoft Community Contributor 2011 Recipient
    Wednesday, December 21, 2011 7:21 AM
  • Why not narrow it down and use the event ID equals 517, and of course with the source and the Security event log specified, and that it's a successful one, for instance.


    Bob Cornelissen - BICTT (My BICTT Blog) - Microsoft Community Contributor 2011 Recipient

    I did that originally, and also to test whether I had the same issue. I will want to add event IDs to the rule, which is why I am using a regular expression. Even using event ID equals 517, the problem still occurs.
    Wednesday, December 21, 2011 1:24 PM
  • I would first limit it to a specific event ID number and perhaps create a separate rule for another event ID, at first. You can combine them later. In the meantime, also download the SCOM 2007 R2 Admin Resource Kit. It has the MP Event Analyzer you can use to create the event in a running log and see if it gets picked up, just to be sure. http://blogs.technet.com/b/momteam/archive/2011/06/03/system-center-operations-manager-2007-r2-admin-reskit-released.aspx

    Bob Cornelissen - BICTT (My Blog about SCOM) - Microsoft Community Contributor 2011 Recipient
    Friday, December 30, 2011 12:43 PM