Hello,
Monitoring Windows events is very difficult. My whitelist is growing.
{Template Windows 2008 R2:eventlog[Application].logseverity()}=4 and {Template Windows 2008 R2:eventlog[Application].regexp(.)}=1 and
{Template Windows 2008 R2:eventlog[Application].logeventid(7515|8026|8250|14147|3030|32092|13|32101|32012|12014|12291|22|16|5586|5767|8365|4107|6|82|10022|257|1008|2159|12298|12293|3018|1023|22|33002|12032|36882|24583|18210|3041|18456|24)}=0 and
{Template Windows 2008 R2:eventlog[Application].str(Expected more data in file)}=0 and
{Template Windows 2008 R2:eventlog[Application].str(Das STARTTLS-Zertifikat)}=0 and
{Template Windows 2008 R2:eventlog[Application].str(server_errno=2013)}=0 and
{Template Windows 2008 R2:eventlog[Application].str(Desc=Client initiates abort.)}=0
Filtering only by IDs is not enough. I began to filter messages.
Is it possible to compact the strings into an array, like logeventid?
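As an added illustration (not from the original post or from Zabbix itself), the four str() conditions above can be collapsed into one alternation pattern; the Python below builds that pattern from the message list, applies the same whitelist logic to constructed sample events, and shows the escaping the literal "." in "abort." needs once the strings move into a regular expression. The event-ID set and message fragments are the ones in the trigger above; the sample events are constructed.

```python
import re

# Event-ID whitelist taken from the logeventid() pattern in the post.
IGNORED_EVENT_IDS = {
    7515, 8026, 8250, 14147, 3030, 32092, 13, 32101, 32012, 12014, 12291, 22,
    16, 5586, 5767, 8365, 4107, 6, 82, 10022, 257, 1008, 2159, 12298, 12293,
    3018, 1023, 33002, 12032, 36882, 24583, 18210, 3041, 18456, 24,
}

# Message fragments that are currently four separate str() conditions.
IGNORED_MESSAGES = [
    "Expected more data in file",
    "Das STARTTLS-Zertifikat",
    "server_errno=2013",
    "Desc=Client initiates abort.",
]

# One alternation replaces the four str() checks. re.escape() turns the "."
# in "abort." into "\." so it only matches a literal dot, as str() did.
IGNORED_MESSAGE_RE = re.compile("|".join(re.escape(s) for s in IGNORED_MESSAGES))


def compact_pattern():
    """Return the alternation pattern, e.g. for pasting into a regexp() check."""
    return IGNORED_MESSAGE_RE.pattern


def should_alert(severity, event_id, message):
    """Mirror the trigger: severity 4 (Error) and not whitelisted by ID or text."""
    if severity != 4:
        return False
    if event_id in IGNORED_EVENT_IDS:
        return False
    if IGNORED_MESSAGE_RE.search(message):
        return False
    return True


# Constructed sample Application-log events: (severity, event ID, message).
SAMPLE_EVENTS = [
    (4, 1000, "Faulting application name: svc.exe"),       # should alert
    (4, 18456, "Login failed for user 'app'."),             # whitelisted by ID
    (4, 9999, "Desc=Client initiates abort."),              # whitelisted by text
    (4, 9999, "Desc=Client initiates abortX"),              # '.' escaped: alerts
    (2, 1000, "Faulting application name: svc.exe"),        # warning, not error
]


def filter_events(events):
    """Return only the events that would fire the trigger."""
    return [e for e in events if should_alert(*e)]
```

Note that this Python set matches whole event IDs, whereas logeventid() takes a regular expression: an unanchored entry such as 6 also matches 16 or 36882, so anchoring each ID (for example ^(6|82|...)$) is worth checking in the real trigger.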