After creating the Event Log Agent and assigning the server to monitor, define the following filters in the Event Log Agent Properties:
1. Event Logs to Monitor: Security
2. Event Log Filters (one Include row and one Exclude row):

   Include/Exclude  Type  User    Source  Category  EventID  Event Description  Tags  Event Throttle Count  Event Throttle Duration (seconds)
   Include          *     *       *       *         4624     *                        0                     0
   Exclude          *     SYSTEM  *       *         0        *                        0                     0
3. Event Log Severity mapping:

   Event Log Severity  Foglight Severity
   Success Audit       Critical
4. Make sure you increase the variable INF_LogMonitoredRecordTextMaxLength to 2000.
   This solution explains how to apply that change:
   LogFilter alarm truncates the alarm message if the matching string is too long. How to increase the output? SOL312050
5. The out-of-the-box multi-severity rule Record Severity does not evaluate on every user logon, so to accomplish this you need to create a Simple rule with the same Record Severity logic. Use the Critical condition of the out-of-the-box multi-severity rule (Record Severity) as the logic for the new simple rule.
   A rule example is attached.
   To import a rule, you can use this solution: How to export custom Rules, Dashboards, Modules or Report Templates, Scripts and others SOL267561
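Added example, not Foglight's own code and not part of this solution: a Python model of the Include/Exclude rows and the severity mapping in steps 2 to 4, run against constructed Security-log records so the filter semantics (4624 kept, SYSTEM logons dropped, alarm text cut at the configured length) can be checked. The record field names and the reading of EventID 0 as "any ID" are assumptions.

```python
# Added illustration of the filter table and severity mapping above; not Foglight code.
# Record field names (type, user, source, ...) are assumptions for this example.
INF_LogMonitoredRecordTextMaxLength = 2000  # the variable the page says to raise to 2000
# One dict per filter row. "*" is a wildcard. EventID 0 is treated as "any ID"
# (assumption, since the page's Exclude row carries EventID 0).
FILTERS = [
    {"action": "Include", "type": "*", "user": "*", "source": "*",
     "category": "*", "event_id": 4624, "description": "*"},
    {"action": "Exclude", "type": "*", "user": "SYSTEM", "source": "*",
     "category": "*", "event_id": 0, "description": "*"},
]
# Event Log Severity -> Foglight Severity, as configured in step 3.
SEVERITY_MAP = {"Success Audit": "Critical"}

def _match(pattern, value):
    """'*' matches anything; otherwise compare case-insensitively."""
    return pattern == "*" or str(pattern).lower() == str(value).lower()

def row_matches(row, record):
    """True when every column of a filter row matches the record."""
    return (row["event_id"] in (0, record["event_id"])
            and all(_match(row[k], record[k])
                    for k in ("type", "user", "source", "category", "description")))

def is_monitored(record):
    """Forwarded when some Include row matches and no Exclude row matches."""
    hits = {a: any(row_matches(r, record) for r in FILTERS if r["action"] == a)
            for a in ("Include", "Exclude")}
    return hits["Include"] and not hits["Exclude"]

def alarm_for(record):
    """Return (Foglight severity, alarm text), or None when the record is filtered
    out. The text is cut at INF_LogMonitoredRecordTextMaxLength."""
    if not is_monitored(record):
        return None
    severity = SEVERITY_MAP.get(record["type"])
    if severity is None:
        return None
    return severity, record["description"][:INF_LogMonitoredRecordTextMaxLength]

# Constructed sample records (not real log data).
SRC = "Microsoft-Windows-Security-Auditing"
SAMPLE_RECORDS = [
    {"type": "Success Audit", "user": "jdoe", "source": SRC, "category": "Logon",
     "event_id": 4624, "description": "An account was successfully logged on."},
    {"type": "Success Audit", "user": "SYSTEM", "source": SRC, "category": "Logon",
     "event_id": 4624, "description": "An account was successfully logged on."},
    {"type": "Failure Audit", "user": "jdoe", "source": SRC, "category": "Logon",
     "event_id": 4625, "description": "An account failed to log on."},
]
```

Only the first sample record produces a Critical alarm; the SYSTEM logon is dropped by the Exclude row and the 4625 failure never matches the Include row.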