I try to filter a String in the Event Message. The Filter includes 2 tab-stops (EventID: 4624, String in the Event Message: Logon Type: 3).
I enter the string step by step.
After entering %Logon% - I have results, but not the right ones.
After entering %Logon Type:% I have results, but not the right ones.
After entering %Logon Type: 3% - I have no results.
Is it possible to use placeholders or wildcards for the 2 tab-stops in the string?
Thanks in advance!!
Article Comments
Hello,
The sensor checks if the string configured as "filter" is part of the event-log-message for the event logs within the last scanning interval. You can use percent sign % as wildcard if you want to check if the string is part of the message. Otherwise, the whole event message must match the string. Maybe this article might help as well.
If you want us to take a closer look, feel free to send us screenshots of your settings and the corresponding Windows event log to support@paessler.com.
May, 2021 - Permalink
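The matching rule described in the reply, modelled against a message with the two tab-stops from the question. This is an added example, not code from the original thread or from Paessler. It assumes `%` matches any run of characters anywhere in the filter (as in SQL `LIKE`); the message text, the function names and the port values are constructed for illustration.

```python
import re

def make_message(logon_type, source_port):
    # Constructed excerpt of a 4624 message: "Logon Type:" is followed by
    # two tab characters, as described in the question.
    return (
        "An account was successfully logged on.\r\n\r\n"
        "Logon Information:\r\n"
        f"\tLogon Type:\t\t{logon_type}\r\n\r\n"
        "Network Information:\r\n"
        f"\tSource Port:\t\t{source_port}\r\n"
    )

T3 = make_message(3, 49731)    # network logon
T10 = make_message(10, 3389)   # a different logon type with a "3" later on

def like_match(pattern, message):
    # Assumed filter semantics: "%" matches any run of characters;
    # without "%" the whole message has to equal the filter string.
    parts = [re.escape(p) for p in pattern.split("%")]
    return re.fullmatch(".*".join(parts), message, flags=re.DOTALL) is not None

def logon_type(message):
    # Read the field value itself, tolerating tabs or spaces after the colon.
    m = re.search(r"^\s*Logon Type:\s+(\d+)\s*$", message, flags=re.MULTILINE)
    return int(m.group(1)) if m else None

if __name__ == "__main__":
    for pattern in ("%Logon%", "%Logon Type: 3%", "%Logon Type:%3%"):
        print(f"{pattern!r:22} type3={like_match(pattern, T3)} "
              f"type10={like_match(pattern, T10)}")
    print("parsed:", logon_type(T3), logon_type(T10))
```

Under that assumption, a `%` in place of the tabs does match, but it also matches any message that has a `3` anywhere after `Logon Type:`, so the results need checking against the actual field value.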