|
|
|
@ -1,12 +1,12 @@
|
|
|
|
[ActiveDirectory: Create Computer Lookup]
|
|
|
|
[ActiveDirectory: Create Computer Lookup]
|
|
|
|
disabled = 1
|
|
|
|
disabled = 0
|
|
|
|
search = eventtype=msad_index_windows `admon-computer-lookup-update`
|
|
|
|
search = eventtype=msad_index_windows `admon-computer-lookup-update`
|
|
|
|
run_on_startup = true
|
|
|
|
run_on_startup = true
|
|
|
|
dispatch.earliest_time = 0
|
|
|
|
dispatch.earliest_time = 0
|
|
|
|
dispatch.latest_time = now
|
|
|
|
dispatch.latest_time = now
|
|
|
|
|
|
|
|
|
|
|
|
[ActiveDirectory: Update Computer Lookup]
|
|
|
|
[ActiveDirectory: Update Computer Lookup]
|
|
|
|
disabled = 1
|
|
|
|
disabled = 0
|
|
|
|
search = eventtype=msad_index_windows `admon-computer-lookup-update`
|
|
|
|
search = eventtype=msad_index_windows `admon-computer-lookup-update`
|
|
|
|
enableSched = 1
|
|
|
|
enableSched = 1
|
|
|
|
cron_schedule = */15 * * * *
|
|
|
|
cron_schedule = */15 * * * *
|
|
|
|
@ -15,14 +15,14 @@ dispatch.earliest_time = -30m
|
|
|
|
dispatch.latest_time = now
|
|
|
|
dispatch.latest_time = now
|
|
|
|
|
|
|
|
|
|
|
|
[ActiveDirectory: Create GPO Lookup]
|
|
|
|
[ActiveDirectory: Create GPO Lookup]
|
|
|
|
disabled = 1
|
|
|
|
disabled = 0
|
|
|
|
search = eventtype=msad_index_windows `admon-gpo-lookup-update`
|
|
|
|
search = eventtype=msad_index_windows `admon-gpo-lookup-update`
|
|
|
|
run_on_startup = true
|
|
|
|
run_on_startup = true
|
|
|
|
dispatch.earliest_time = 0
|
|
|
|
dispatch.earliest_time = 0
|
|
|
|
dispatch.latest_time = now
|
|
|
|
dispatch.latest_time = now
|
|
|
|
|
|
|
|
|
|
|
|
[ActiveDirectory: Update GPO Lookup]
|
|
|
|
[ActiveDirectory: Update GPO Lookup]
|
|
|
|
disabled = 1
|
|
|
|
disabled = 0
|
|
|
|
search = eventtype=msad_index_windows `admon-gpo-lookup-update`
|
|
|
|
search = eventtype=msad_index_windows `admon-gpo-lookup-update`
|
|
|
|
enableSched = 1
|
|
|
|
enableSched = 1
|
|
|
|
cron_schedule = */15 * * * *
|
|
|
|
cron_schedule = */15 * * * *
|
|
|
|
@ -31,14 +31,14 @@ dispatch.earliest_time = -30m
|
|
|
|
dispatch.latest_time = now
|
|
|
|
dispatch.latest_time = now
|
|
|
|
|
|
|
|
|
|
|
|
[ActiveDirectory: Create Group Lookup]
|
|
|
|
[ActiveDirectory: Create Group Lookup]
|
|
|
|
disabled = 1
|
|
|
|
disabled = 0
|
|
|
|
search = eventtype=msad_index_windows `admon-group-lookup-update`
|
|
|
|
search = eventtype=msad_index_windows `admon-group-lookup-update`
|
|
|
|
run_on_startup = true
|
|
|
|
run_on_startup = true
|
|
|
|
dispatch.earliest_time = 0
|
|
|
|
dispatch.earliest_time = 0
|
|
|
|
dispatch.latest_time = now
|
|
|
|
dispatch.latest_time = now
|
|
|
|
|
|
|
|
|
|
|
|
[ActiveDirectory: Update Group Lookup]
|
|
|
|
[ActiveDirectory: Update Group Lookup]
|
|
|
|
disabled = 1
|
|
|
|
disabled = 0
|
|
|
|
search = eventtype=msad_index_windows `admon-group-lookup-update`
|
|
|
|
search = eventtype=msad_index_windows `admon-group-lookup-update`
|
|
|
|
enableSched = 1
|
|
|
|
enableSched = 1
|
|
|
|
cron_schedule = */15 * * * *
|
|
|
|
cron_schedule = */15 * * * *
|
|
|
|
@ -47,14 +47,14 @@ dispatch.earliest_time = -30m
|
|
|
|
dispatch.latest_time = now
|
|
|
|
dispatch.latest_time = now
|
|
|
|
|
|
|
|
|
|
|
|
[ActiveDirectory: Create User Lookup]
|
|
|
|
[ActiveDirectory: Create User Lookup]
|
|
|
|
disabled = 1
|
|
|
|
disabled = 0
|
|
|
|
search = eventtype=msad_index_windows `admon-user-lookup-update`
|
|
|
|
search = eventtype=msad_index_windows `admon-user-lookup-update`
|
|
|
|
run_on_startup = true
|
|
|
|
run_on_startup = true
|
|
|
|
dispatch.earliest_time = 0
|
|
|
|
dispatch.earliest_time = 0
|
|
|
|
dispatch.latest_time = now
|
|
|
|
dispatch.latest_time = now
|
|
|
|
|
|
|
|
|
|
|
|
[ActiveDirectory: Update User Lookup]
|
|
|
|
[ActiveDirectory: Update User Lookup]
|
|
|
|
disabled = 1
|
|
|
|
disabled = 0
|
|
|
|
search = eventtype=msad_index_windows `admon-user-lookup-update`
|
|
|
|
search = eventtype=msad_index_windows `admon-user-lookup-update`
|
|
|
|
enableSched = 1
|
|
|
|
enableSched = 1
|
|
|
|
cron_schedule = */15 * * * *
|
|
|
|
cron_schedule = */15 * * * *
|
|
|
|
@ -63,53 +63,53 @@ dispatch.earliest_time = -30m
|
|
|
|
dispatch.latest_time = now
|
|
|
|
dispatch.latest_time = now
|
|
|
|
|
|
|
|
|
|
|
|
[DNS: Failing Domains]
|
|
|
|
[DNS: Failing Domains]
|
|
|
|
disabled = 1
|
|
|
|
disabled = 0
|
|
|
|
search = eventtype=msad_index_windows eventtype=msad-dns-debuglog direction="Snd" response!="NOERROR"|top questiontype,questionname,response|`fix-dnsname(questionname)`
|
|
|
|
search = eventtype=msad_index_windows eventtype=msad-dns-debuglog direction="Snd" response!="NOERROR"|top questiontype,questionname,response|`fix-dnsname(questionname)`
|
|
|
|
enableSched = 0
|
|
|
|
enableSched = 0
|
|
|
|
|
|
|
|
|
|
|
|
[DNS: Top Failing Domains]
|
|
|
|
[DNS: Top Failing Domains]
|
|
|
|
disabled = 1
|
|
|
|
disabled = 0
|
|
|
|
search = eventtype=msad_index_windows eventtype=msad-dns-debuglog direction="Rcv" response!="NOERROR"|top questiontype,questionname|`fix-dnsname(questionname)`
|
|
|
|
search = eventtype=msad_index_windows eventtype=msad-dns-debuglog direction="Rcv" response!="NOERROR"|top questiontype,questionname|`fix-dnsname(questionname)`
|
|
|
|
enableSched = 0
|
|
|
|
enableSched = 0
|
|
|
|
|
|
|
|
|
|
|
|
[build_winfra_lookup]
|
|
|
|
[build_winfra_lookup]
|
|
|
|
disabled = 1
|
|
|
|
disabled = 0
|
|
|
|
search = | runsavedsearcheswinfra
|
|
|
|
search = | runsavedsearcheswinfra
|
|
|
|
enableSched = 0
|
|
|
|
enableSched = 0
|
|
|
|
alert.track = 0
|
|
|
|
alert.track = 0
|
|
|
|
description = It will fill the necessary lookups that are used in populating the Content pack for windows dashboards and reports
|
|
|
|
description = It will fill the necessary lookups that are used in populating the Content pack for windows dashboards and reports
|
|
|
|
|
|
|
|
|
|
|
|
[DNS: Top Hosts sending failing queries]
|
|
|
|
[DNS: Top Hosts sending failing queries]
|
|
|
|
disabled = 1
|
|
|
|
disabled = 0
|
|
|
|
search = eventtype=msad_index_windows eventtype=msad-dns-debuglog direction="Rcv" response!="NOERROR"|top src_ip
|
|
|
|
search = eventtype=msad_index_windows eventtype=msad-dns-debuglog direction="Rcv" response!="NOERROR"|top src_ip
|
|
|
|
enableSched = 0
|
|
|
|
enableSched = 0
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
[DNS: Top Non-Authoritative Responses]
|
|
|
|
[DNS: Top Non-Authoritative Responses]
|
|
|
|
disabled = 1
|
|
|
|
disabled = 0
|
|
|
|
search = eventtype=msad_index_windows eventtype=msad-dns-debuglog direction="Snd" response!="NOERROR" flags!="A*"|top questiontype,questionname|`fix-dnsname(questionname)`
|
|
|
|
search = eventtype=msad_index_windows eventtype=msad-dns-debuglog direction="Snd" response!="NOERROR" flags!="A*"|top questiontype,questionname|`fix-dnsname(questionname)`
|
|
|
|
enableSched = 0
|
|
|
|
enableSched = 0
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
[DNS: Top Querying Hosts]
|
|
|
|
[DNS: Top Querying Hosts]
|
|
|
|
disabled = 1
|
|
|
|
disabled = 0
|
|
|
|
search = eventtype=msad_index_windows eventtype=msad-dns-debuglog direction="Rcv"|top src_ip
|
|
|
|
search = eventtype=msad_index_windows eventtype=msad-dns-debuglog direction="Rcv"|top src_ip
|
|
|
|
enableSched = 0
|
|
|
|
enableSched = 0
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
[DNS: Top Recursive Failure Domains]
|
|
|
|
[DNS: Top Recursive Failure Domains]
|
|
|
|
disabled = 1
|
|
|
|
disabled = 0
|
|
|
|
search = eventtype=msad_index_windows eventtype=msad-dns-debuglog direction="Rcv" flags="*DR" response!="NOERROR"|top questiontype,questionname|`fix-dnsname(questionname)`
|
|
|
|
search = eventtype=msad_index_windows eventtype=msad-dns-debuglog direction="Rcv" flags="*DR" response!="NOERROR"|top questiontype,questionname|`fix-dnsname(questionname)`
|
|
|
|
enableSched = 0
|
|
|
|
enableSched = 0
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
[DNS: Top Requested Queries]
|
|
|
|
[DNS: Top Requested Queries]
|
|
|
|
disabled = 1
|
|
|
|
disabled = 0
|
|
|
|
search = eventtype=msad_index_windows eventtype=msad-dns-debuglog direction="Rcv"|top questiontype,questionname|`fix-dnsname(questionname)`
|
|
|
|
search = eventtype=msad_index_windows eventtype=msad-dns-debuglog direction="Rcv"|top questiontype,questionname|`fix-dnsname(questionname)`
|
|
|
|
enableSched = 0
|
|
|
|
enableSched = 0
|
|
|
|
|
|
|
|
|
|
|
|
[DomainSelector_Lookup]
|
|
|
|
[DomainSelector_Lookup]
|
|
|
|
disabled = 1
|
|
|
|
disabled = 0
|
|
|
|
search = eventtype=msad_index_windows `domain-selector-search` \
|
|
|
|
search = eventtype=msad_index_windows `domain-selector-search` \
|
|
|
|
| eval _key = host \
|
|
|
|
| eval _key = host \
|
|
|
|
| outputlookup DomainSelector append=true
|
|
|
|
| outputlookup DomainSelector append=true
|
|
|
|
@ -120,7 +120,7 @@ dispatch.earliest_time = -1h
|
|
|
|
dispatch.latest_time = now
|
|
|
|
dispatch.latest_time = now
|
|
|
|
|
|
|
|
|
|
|
|
[HostToDomain_Lookup_Update]
|
|
|
|
[HostToDomain_Lookup_Update]
|
|
|
|
disabled = 1
|
|
|
|
disabled = 0
|
|
|
|
search = eventtype=msad_index_windows `domain-list` \
|
|
|
|
search = eventtype=msad_index_windows `domain-list` \
|
|
|
|
| sort host \
|
|
|
|
| sort host \
|
|
|
|
| eval _key = host \
|
|
|
|
| eval _key = host \
|
|
|
|
@ -132,7 +132,7 @@ dispatch.earliest_time = -24h@h
|
|
|
|
dispatch.latest_time = now
|
|
|
|
dispatch.latest_time = now
|
|
|
|
|
|
|
|
|
|
|
|
[tHostInfo_Lookup_Update]
|
|
|
|
[tHostInfo_Lookup_Update]
|
|
|
|
disabled = 1
|
|
|
|
disabled = 0
|
|
|
|
search = eventtype=wineventlog_index_windows `thostinfo`|inputlookup append=T tHostInfo|where _time > relative_time(now(), "-30d@d")|sort 0 src_ip,src_hostdomain,_time|dedup consecutive=T src_ip,src_hostdomain|sort 0 -_time|outputlookup tHostInfo
|
|
|
|
search = eventtype=wineventlog_index_windows `thostinfo`|inputlookup append=T tHostInfo|where _time > relative_time(now(), "-30d@d")|sort 0 src_ip,src_hostdomain,_time|dedup consecutive=T src_ip,src_hostdomain|sort 0 -_time|outputlookup tHostInfo
|
|
|
|
enableSched = 1
|
|
|
|
enableSched = 1
|
|
|
|
cron_schedule = */5 * * * *
|
|
|
|
cron_schedule = */5 * * * *
|
|
|
|
@ -145,7 +145,7 @@ dispatch.latest_time = now
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
[SiteInfo_Lookup_Update]
|
|
|
|
[SiteInfo_Lookup_Update]
|
|
|
|
disabled = 1
|
|
|
|
disabled = 0
|
|
|
|
search = eventtype=msad_index_windows eventtype=msad-dc-health \
|
|
|
|
search = eventtype=msad_index_windows eventtype=msad-dc-health \
|
|
|
|
| table host,Site \
|
|
|
|
| table host,Site \
|
|
|
|
| dedup host, Site \
|
|
|
|
| dedup host, Site \
|
|
|
|
@ -166,7 +166,7 @@ dispatch.latest_time = now
|
|
|
|
##########################################
|
|
|
|
##########################################
|
|
|
|
|
|
|
|
|
|
|
|
[WinApp_Lookup_Event - Event Details]
|
|
|
|
[WinApp_Lookup_Event - Event Details]
|
|
|
|
disabled = 1
|
|
|
|
disabled = 0
|
|
|
|
action.email.inline = 1
|
|
|
|
action.email.inline = 1
|
|
|
|
action.email.reportServerEnabled = 0
|
|
|
|
action.email.reportServerEnabled = 0
|
|
|
|
alert.digest_mode = True
|
|
|
|
alert.digest_mode = True
|
|
|
|
@ -182,7 +182,7 @@ search = eventtype=wineventlog_index_windows eventtype="wineventlog_common" \
|
|
|
|
| sort LogName, EventCode, SourceName, TaskCategory, Type, EventCodeDescription
|
|
|
|
| sort LogName, EventCode, SourceName, TaskCategory, Type, EventCodeDescription
|
|
|
|
|
|
|
|
|
|
|
|
[WinApp_Lookup_Event - Host]
|
|
|
|
[WinApp_Lookup_Event - Host]
|
|
|
|
disabled = 1
|
|
|
|
disabled = 0
|
|
|
|
action.email.reportServerEnabled = 0
|
|
|
|
action.email.reportServerEnabled = 0
|
|
|
|
alert.track = 0
|
|
|
|
alert.track = 0
|
|
|
|
dispatch.earliest_time = 0
|
|
|
|
dispatch.earliest_time = 0
|
|
|
|
@ -196,7 +196,7 @@ search = | inputlookup windows_event_system\
|
|
|
|
|
|
|
|
|
|
|
|
###### Specific Fields Lists ######
|
|
|
|
###### Specific Fields Lists ######
|
|
|
|
[WinApp_Lookup_Event - EventCode Description]
|
|
|
|
[WinApp_Lookup_Event - EventCode Description]
|
|
|
|
disabled = 1
|
|
|
|
disabled = 0
|
|
|
|
action.email.inline = 1
|
|
|
|
action.email.inline = 1
|
|
|
|
action.email.reportServerEnabled = 0
|
|
|
|
action.email.reportServerEnabled = 0
|
|
|
|
alert.digest_mode = True
|
|
|
|
alert.digest_mode = True
|
|
|
|
@ -214,7 +214,7 @@ search = eventtype=wineventlog_index_windows eventtype="wineventlog_common"\
|
|
|
|
| sort EventCode
|
|
|
|
| sort EventCode
|
|
|
|
|
|
|
|
|
|
|
|
[WinApp_Lookup_Event - EventCode]
|
|
|
|
[WinApp_Lookup_Event - EventCode]
|
|
|
|
disabled = 1
|
|
|
|
disabled = 0
|
|
|
|
action.email.inline = 1
|
|
|
|
action.email.inline = 1
|
|
|
|
action.email.reportServerEnabled = 0
|
|
|
|
action.email.reportServerEnabled = 0
|
|
|
|
alert.digest_mode = True
|
|
|
|
alert.digest_mode = True
|
|
|
|
@ -229,7 +229,7 @@ search = eventtype=wineventlog_index_windows eventtype="wineventlog_common" \
|
|
|
|
| sort EventCode
|
|
|
|
| sort EventCode
|
|
|
|
|
|
|
|
|
|
|
|
[WinApp_Lookup_Event - LogName]
|
|
|
|
[WinApp_Lookup_Event - LogName]
|
|
|
|
disabled = 1
|
|
|
|
disabled = 0
|
|
|
|
action.email.inline = 1
|
|
|
|
action.email.inline = 1
|
|
|
|
action.email.reportServerEnabled = 0
|
|
|
|
action.email.reportServerEnabled = 0
|
|
|
|
alert.digest_mode = True
|
|
|
|
alert.digest_mode = True
|
|
|
|
@ -244,7 +244,7 @@ search = eventtype=wineventlog_index_windows eventtype="wineventlog_common" \
|
|
|
|
| sort LogName
|
|
|
|
| sort LogName
|
|
|
|
|
|
|
|
|
|
|
|
[WinApp_Lookup_Event - TaskCategory]
|
|
|
|
[WinApp_Lookup_Event - TaskCategory]
|
|
|
|
disabled = 1
|
|
|
|
disabled = 0
|
|
|
|
action.email.reportServerEnabled = 0
|
|
|
|
action.email.reportServerEnabled = 0
|
|
|
|
alert.track = 0
|
|
|
|
alert.track = 0
|
|
|
|
dispatch.earliest_time = @d
|
|
|
|
dispatch.earliest_time = @d
|
|
|
|
@ -256,7 +256,7 @@ search = eventtype=wineventlog_index_windows eventtype="wineventlog_common" \
|
|
|
|
| sort TaskCategory
|
|
|
|
| sort TaskCategory
|
|
|
|
|
|
|
|
|
|
|
|
[WinApp_Lookup_Perfmon - Combined]
|
|
|
|
[WinApp_Lookup_Perfmon - Combined]
|
|
|
|
disabled = 1
|
|
|
|
disabled = 0
|
|
|
|
action.email.reportServerEnabled = 0
|
|
|
|
action.email.reportServerEnabled = 0
|
|
|
|
alert.track = 0
|
|
|
|
alert.track = 0
|
|
|
|
dispatch.earliest_time = @d
|
|
|
|
dispatch.earliest_time = @d
|
|
|
|
@ -269,7 +269,7 @@ search = eventtype=perfmon_index_windows eventtype="perfmon_windows" object=* \
|
|
|
|
| sort object, counter, instance
|
|
|
|
| sort object, counter, instance
|
|
|
|
|
|
|
|
|
|
|
|
[WinApp_Lookup_Perfmon - Object]
|
|
|
|
[WinApp_Lookup_Perfmon - Object]
|
|
|
|
disabled = 1
|
|
|
|
disabled = 0
|
|
|
|
action.email.reportServerEnabled = 0
|
|
|
|
action.email.reportServerEnabled = 0
|
|
|
|
alert.track = 0
|
|
|
|
alert.track = 0
|
|
|
|
dispatch.earliest_time = @d
|
|
|
|
dispatch.earliest_time = @d
|
|
|
|
@ -281,7 +281,7 @@ search = eventtype=perfmon_index_windows eventtype="perfmon_windows" object=* \
|
|
|
|
| sort object
|
|
|
|
| sort object
|
|
|
|
|
|
|
|
|
|
|
|
[WinApp_Lookup_Perfmon - Collections, Object, and counters]
|
|
|
|
[WinApp_Lookup_Perfmon - Collections, Object, and counters]
|
|
|
|
disabled = 1
|
|
|
|
disabled = 0
|
|
|
|
action.email.reportServerEnabled = 0
|
|
|
|
action.email.reportServerEnabled = 0
|
|
|
|
alert.track = 0
|
|
|
|
alert.track = 0
|
|
|
|
dispatch.earliest_time = @d
|
|
|
|
dispatch.earliest_time = @d
|
|
|
|
@ -293,7 +293,7 @@ search = eventtype=perfmon_index_windows eventtype="perfmon_windows" object=* \
|
|
|
|
| sort object
|
|
|
|
| sort object
|
|
|
|
|
|
|
|
|
|
|
|
[WinApp_Lookup_Perfmon - counters and instances]
|
|
|
|
[WinApp_Lookup_Perfmon - counters and instances]
|
|
|
|
disabled = 1
|
|
|
|
disabled = 0
|
|
|
|
action.email.reportServerEnabled = 0
|
|
|
|
action.email.reportServerEnabled = 0
|
|
|
|
alert.track = 0
|
|
|
|
alert.track = 0
|
|
|
|
dispatch.earliest_time = @d
|
|
|
|
dispatch.earliest_time = @d
|
|
|
|
@ -305,7 +305,7 @@ search = eventtype=perfmon_index_windows eventtype="perfmon_windows" object=* \
|
|
|
|
| stats values(instance) as Perfmon_instances by Perfmon_counters
|
|
|
|
| stats values(instance) as Perfmon_instances by Perfmon_counters
|
|
|
|
|
|
|
|
|
|
|
|
[WinApp_Lookup_Perfmon - Host]
|
|
|
|
[WinApp_Lookup_Perfmon - Host]
|
|
|
|
disabled = 1
|
|
|
|
disabled = 0
|
|
|
|
action.email.reportServerEnabled = 0
|
|
|
|
action.email.reportServerEnabled = 0
|
|
|
|
alert.track = 0
|
|
|
|
alert.track = 0
|
|
|
|
dispatch.earliest_time = 0
|
|
|
|
dispatch.earliest_time = 0
|
|
|
|
@ -323,7 +323,7 @@ search = | inputlookup windows_perfmon_system\
|
|
|
|
######################################################
|
|
|
|
######################################################
|
|
|
|
|
|
|
|
|
|
|
|
[WinApp_Lookup_Build_Perfmon - Update - Server]
|
|
|
|
[WinApp_Lookup_Build_Perfmon - Update - Server]
|
|
|
|
disabled = 1
|
|
|
|
disabled = 0
|
|
|
|
action.email.inline = 1
|
|
|
|
action.email.inline = 1
|
|
|
|
alert.digest_mode = True
|
|
|
|
alert.digest_mode = True
|
|
|
|
alert.severity = 1
|
|
|
|
alert.severity = 1
|
|
|
|
@ -341,7 +341,7 @@ search = eventtype=perfmon_index_windows eventtype="perfmon_windows" object=* \
|
|
|
|
| outputlookup windows_perfmon_system append=true
|
|
|
|
| outputlookup windows_perfmon_system append=true
|
|
|
|
|
|
|
|
|
|
|
|
[WinApp_Lookup_Build_Event - Update - Server]
|
|
|
|
[WinApp_Lookup_Build_Event - Update - Server]
|
|
|
|
disabled = 1
|
|
|
|
disabled = 0
|
|
|
|
is_visible = true
|
|
|
|
is_visible = true
|
|
|
|
action.email.inline = 1
|
|
|
|
action.email.inline = 1
|
|
|
|
alert.digest_mode = True
|
|
|
|
alert.digest_mode = True
|
|
|
|
@ -360,7 +360,7 @@ search = eventtype=wineventlog_index_windows eventtype="wineventlog_common" \
|
|
|
|
| outputlookup windows_event_system append=true
|
|
|
|
| outputlookup windows_event_system append=true
|
|
|
|
|
|
|
|
|
|
|
|
[WinApp_Lookup_Build_Hostmon - Update - Server]
|
|
|
|
[WinApp_Lookup_Build_Hostmon - Update - Server]
|
|
|
|
disabled = 1
|
|
|
|
disabled = 0
|
|
|
|
is_visible = true
|
|
|
|
is_visible = true
|
|
|
|
action.email.inline = 1
|
|
|
|
action.email.inline = 1
|
|
|
|
alert.digest_mode = True
|
|
|
|
alert.digest_mode = True
|
|
|
|
@ -379,7 +379,7 @@ search = eventtype=windows_index_windows eventtype="hostmon_windows" \
|
|
|
|
| outputlookup windows_hostmon_system append=true
|
|
|
|
| outputlookup windows_hostmon_system append=true
|
|
|
|
|
|
|
|
|
|
|
|
[WinApp_Lookup_Build_Netmon - Update - Server]
|
|
|
|
[WinApp_Lookup_Build_Netmon - Update - Server]
|
|
|
|
disabled = 1
|
|
|
|
disabled = 0
|
|
|
|
is_visible = true
|
|
|
|
is_visible = true
|
|
|
|
action.email.inline = 1
|
|
|
|
action.email.inline = 1
|
|
|
|
alert.digest_mode = True
|
|
|
|
alert.digest_mode = True
|
|
|
|
@ -398,7 +398,7 @@ search = eventtype=windows_index_windows eventtype="netmon_windows" \
|
|
|
|
| outputlookup windows_netmon_system append=true
|
|
|
|
| outputlookup windows_netmon_system append=true
|
|
|
|
|
|
|
|
|
|
|
|
[WinApp_Lookup_Build_Printmon - Update]
|
|
|
|
[WinApp_Lookup_Build_Printmon - Update]
|
|
|
|
disabled = 1
|
|
|
|
disabled = 0
|
|
|
|
is_visible = true
|
|
|
|
is_visible = true
|
|
|
|
action.email.inline = 1
|
|
|
|
action.email.inline = 1
|
|
|
|
alert.digest_mode = True
|
|
|
|
alert.digest_mode = True
|
|
|
|
@ -423,7 +423,7 @@ search = eventtype=windows_index_windows sourcetype=WinPrintMon \
|
|
|
|
######################################################
|
|
|
|
######################################################
|
|
|
|
|
|
|
|
|
|
|
|
[WinApp_Lookup_Build_Perfmon - CreateNew - Server]
|
|
|
|
[WinApp_Lookup_Build_Perfmon - CreateNew - Server]
|
|
|
|
disabled = 1
|
|
|
|
disabled = 0
|
|
|
|
action.email.inline = 1
|
|
|
|
action.email.inline = 1
|
|
|
|
action.email.reportServerEnabled = 0
|
|
|
|
action.email.reportServerEnabled = 0
|
|
|
|
alert.digest_mode = True
|
|
|
|
alert.digest_mode = True
|
|
|
|
@ -439,7 +439,7 @@ search = eventtype=perfmon_index_windows eventtype="perfmon_windows" object=* ea
|
|
|
|
| outputlookup windows_perfmon_system
|
|
|
|
| outputlookup windows_perfmon_system
|
|
|
|
|
|
|
|
|
|
|
|
[WinApp_Lookup_Build_Netmon - CreateNew - Server]
|
|
|
|
[WinApp_Lookup_Build_Netmon - CreateNew - Server]
|
|
|
|
disabled = 1
|
|
|
|
disabled = 0
|
|
|
|
action.email.inline = 1
|
|
|
|
action.email.inline = 1
|
|
|
|
action.email.reportServerEnabled = 0
|
|
|
|
action.email.reportServerEnabled = 0
|
|
|
|
alert.digest_mode = True
|
|
|
|
alert.digest_mode = True
|
|
|
|
@ -454,7 +454,7 @@ search = eventtype=windows_index_windows eventtype="netmon_windows" \
|
|
|
|
| outputlookup windows_netmon_system
|
|
|
|
| outputlookup windows_netmon_system
|
|
|
|
|
|
|
|
|
|
|
|
[WinApp_Lookup_Build_Printmon - CreateNew]
|
|
|
|
[WinApp_Lookup_Build_Printmon - CreateNew]
|
|
|
|
disabled = 1
|
|
|
|
disabled = 0
|
|
|
|
action.email.inline = 1
|
|
|
|
action.email.inline = 1
|
|
|
|
action.email.reportServerEnabled = 0
|
|
|
|
action.email.reportServerEnabled = 0
|
|
|
|
alert.digest_mode = True
|
|
|
|
alert.digest_mode = True
|
|
|
|
@ -472,7 +472,7 @@ search = eventtype=windows_index_windows sourcetype=WinPrintMon \
|
|
|
|
| outputlookup windows_printmon
|
|
|
|
| outputlookup windows_printmon
|
|
|
|
|
|
|
|
|
|
|
|
[WinApp_Lookup_Build_Event - CreateNew - Server]
|
|
|
|
[WinApp_Lookup_Build_Event - CreateNew - Server]
|
|
|
|
disabled = 1
|
|
|
|
disabled = 0
|
|
|
|
action.email.inline = 1
|
|
|
|
action.email.inline = 1
|
|
|
|
action.email.reportServerEnabled = 0
|
|
|
|
action.email.reportServerEnabled = 0
|
|
|
|
alert.digest_mode = True
|
|
|
|
alert.digest_mode = True
|
|
|
|
@ -492,7 +492,7 @@ search = eventtype=wineventlog_index_windows eventtype="wineventlog_common" \
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
[WinApp_Lookup_Build_Hostmon - CreateNew - Server]
|
|
|
|
[WinApp_Lookup_Build_Hostmon - CreateNew - Server]
|
|
|
|
disabled = 1
|
|
|
|
disabled = 0
|
|
|
|
action.email.inline = 1
|
|
|
|
action.email.inline = 1
|
|
|
|
action.email.reportServerEnabled = 0
|
|
|
|
action.email.reportServerEnabled = 0
|
|
|
|
alert.digest_mode = True
|
|
|
|
alert.digest_mode = True
|
|
|
|
@ -515,7 +515,7 @@ search = eventtype=windows_index_windows eventtype="hostmon_windows"\
|
|
|
|
####################################
|
|
|
|
####################################
|
|
|
|
|
|
|
|
|
|
|
|
[Generic event counts]
|
|
|
|
[Generic event counts]
|
|
|
|
disabled = 1
|
|
|
|
disabled = 0
|
|
|
|
action.email.reportServerEnabled = 0
|
|
|
|
action.email.reportServerEnabled = 0
|
|
|
|
alert.track = 0
|
|
|
|
alert.track = 0
|
|
|
|
dispatch.earliest_time = -60m@m
|
|
|
|
dispatch.earliest_time = -60m@m
|
|
|
|
@ -527,7 +527,7 @@ search = eventtype=wineventlog_index_windows eventtype="wineventlog_common" \
|
|
|
|
| stats count by LogName, EventCode, Keywords, TaskCategory, Type
|
|
|
|
| stats count by LogName, EventCode, Keywords, TaskCategory, Type
|
|
|
|
|
|
|
|
|
|
|
|
[Event categories and counts by host for the last 30 days]
|
|
|
|
[Event categories and counts by host for the last 30 days]
|
|
|
|
disabled = 1
|
|
|
|
disabled = 0
|
|
|
|
action.email.reportServerEnabled = 0
|
|
|
|
action.email.reportServerEnabled = 0
|
|
|
|
alert.track = 0
|
|
|
|
alert.track = 0
|
|
|
|
dispatch.earliest_time = -30d@d
|
|
|
|
dispatch.earliest_time = -30d@d
|
|
|
|
@ -545,7 +545,7 @@ search = eventtype=wineventlog_index_windows eventtype="wineventlog_common" \
|
|
|
|
| table Host_Count, Event_Category_Count
|
|
|
|
| table Host_Count, Event_Category_Count
|
|
|
|
|
|
|
|
|
|
|
|
[Event severity counts by host for the last 30 days]
|
|
|
|
[Event severity counts by host for the last 30 days]
|
|
|
|
disabled = 1
|
|
|
|
disabled = 0
|
|
|
|
action.email.inline = 1
|
|
|
|
action.email.inline = 1
|
|
|
|
action.email.reportServerEnabled = 0
|
|
|
|
action.email.reportServerEnabled = 0
|
|
|
|
alert.digest_mode = True
|
|
|
|
alert.digest_mode = True
|
|
|
|
@ -568,7 +568,7 @@ search = eventtype=wineventlog_index_windows eventtype="wineventlog_common" (Eve
|
|
|
|
| table host *
|
|
|
|
| table host *
|
|
|
|
|
|
|
|
|
|
|
|
[Event severity counts by host for the last 7 days]
|
|
|
|
[Event severity counts by host for the last 7 days]
|
|
|
|
disabled = 1
|
|
|
|
disabled = 0
|
|
|
|
action.email.inline = 1
|
|
|
|
action.email.inline = 1
|
|
|
|
action.email.reportServerEnabled = 0
|
|
|
|
action.email.reportServerEnabled = 0
|
|
|
|
alert.digest_mode = True
|
|
|
|
alert.digest_mode = True
|
|
|
|
@ -591,7 +591,7 @@ search = eventtype=wineventlog_index_windows eventtype="wineventlog_common" (Eve
|
|
|
|
| table host *
|
|
|
|
| table host *
|
|
|
|
|
|
|
|
|
|
|
|
[Event severity counts by host for the last 24 hours]
|
|
|
|
[Event severity counts by host for the last 24 hours]
|
|
|
|
disabled = 1
|
|
|
|
disabled = 0
|
|
|
|
action.email.inline = 1
|
|
|
|
action.email.inline = 1
|
|
|
|
action.email.reportServerEnabled = 0
|
|
|
|
action.email.reportServerEnabled = 0
|
|
|
|
alert.digest_mode = True
|
|
|
|
alert.digest_mode = True
|
|
|
|
@ -619,7 +619,7 @@ search = eventtype=wineventlog_index_windows eventtype="wineventlog_common" (Eve
|
|
|
|
######################################
|
|
|
|
######################################
|
|
|
|
|
|
|
|
|
|
|
|
[Performance counter categories and counts by host for the last 7 days]
|
|
|
|
[Performance counter categories and counts by host for the last 7 days]
|
|
|
|
disabled = 1
|
|
|
|
disabled = 0
|
|
|
|
action.email.reportServerEnabled = 0
|
|
|
|
action.email.reportServerEnabled = 0
|
|
|
|
alert.track = 0
|
|
|
|
alert.track = 0
|
|
|
|
dispatch.earliest_time = -7d@h
|
|
|
|
dispatch.earliest_time = -7d@h
|
|
|
|
@ -632,7 +632,7 @@ search = eventtype=perfmon_index_windows eventtype="perfmon_windows" \
|
|
|
|
| sort Host
|
|
|
|
| sort Host
|
|
|
|
|
|
|
|
|
|
|
|
[Number of hosts with Average CPU utilization > 80% in the last 24 hours]
|
|
|
|
[Number of hosts with Average CPU utilization > 80% in the last 24 hours]
|
|
|
|
disabled = 1
|
|
|
|
disabled = 0
|
|
|
|
dispatch.earliest_time = -24h
|
|
|
|
dispatch.earliest_time = -24h
|
|
|
|
dispatch.latest_time = now
|
|
|
|
dispatch.latest_time = now
|
|
|
|
dispatch.ttl = 2p
|
|
|
|
dispatch.ttl = 2p
|
|
|
|
@ -643,7 +643,7 @@ search = eventtype=perfmon_index_windows eventtype=perfmon_windows Host=* object
|
|
|
|
|
|
|
|
|
|
|
|
[Average Memory utilization per process, host in the last 24 hours]
|
|
|
|
[Average Memory utilization per process, host in the last 24 hours]
|
|
|
|
action.email.sendresults = 0
|
|
|
|
action.email.sendresults = 0
|
|
|
|
disabled = 1
|
|
|
|
disabled = 0
|
|
|
|
dispatch.earliest_time = -24h
|
|
|
|
dispatch.earliest_time = -24h
|
|
|
|
dispatch.latest_time = now
|
|
|
|
dispatch.latest_time = now
|
|
|
|
dispatch.ttl = 2p
|
|
|
|
dispatch.ttl = 2p
|
|
|
|
@ -654,7 +654,7 @@ search = eventtype=perfmon_index_windows eventtype=perfmon_windows object=Proces
|
|
|
|
|
|
|
|
|
|
|
|
[Average CPU utilization per process, host in the last 24 hours]
|
|
|
|
[Average CPU utilization per process, host in the last 24 hours]
|
|
|
|
action.email.sendresults = 0
|
|
|
|
action.email.sendresults = 0
|
|
|
|
disabled = 1
|
|
|
|
disabled = 0
|
|
|
|
dispatch.earliest_time = -24h
|
|
|
|
dispatch.earliest_time = -24h
|
|
|
|
dispatch.latest_time = now
|
|
|
|
dispatch.latest_time = now
|
|
|
|
dispatch.ttl = 2p
|
|
|
|
dispatch.ttl = 2p
|
|
|
|
@ -668,7 +668,7 @@ search = eventtype=perfmon_index_windows eventtype=perfmon_windows object=Proces
|
|
|
|
#############################################
|
|
|
|
#############################################
|
|
|
|
|
|
|
|
|
|
|
|
[Application crash count in the last 24 hours]
|
|
|
|
[Application crash count in the last 24 hours]
|
|
|
|
disabled = 1
|
|
|
|
disabled = 0
|
|
|
|
action.email.inline = 1
|
|
|
|
action.email.inline = 1
|
|
|
|
action.email.reportServerEnabled = 0
|
|
|
|
action.email.reportServerEnabled = 0
|
|
|
|
alert.digest_mode = True
|
|
|
|
alert.digest_mode = True
|
|
|
|
@ -681,7 +681,7 @@ search = eventtype=wineventlog_index_windows eventtype="wineventlog_common" Even
|
|
|
|
| timechart count by application
|
|
|
|
| timechart count by application
|
|
|
|
|
|
|
|
|
|
|
|
[Application crash count in the last 7 days]
|
|
|
|
[Application crash count in the last 7 days]
|
|
|
|
disabled = 1
|
|
|
|
disabled = 0
|
|
|
|
action.email.inline = 1
|
|
|
|
action.email.inline = 1
|
|
|
|
action.email.reportServerEnabled = 0
|
|
|
|
action.email.reportServerEnabled = 0
|
|
|
|
alert.digest_mode = True
|
|
|
|
alert.digest_mode = True
|
|
|
|
@ -694,7 +694,7 @@ search = eventtype=wineventlog_index_windows eventtype="wineventlog_common" Even
|
|
|
|
| timechart count by application
|
|
|
|
| timechart count by application
|
|
|
|
|
|
|
|
|
|
|
|
[Application crash count in the last 30 days]
|
|
|
|
[Application crash count in the last 30 days]
|
|
|
|
disabled = 1
|
|
|
|
disabled = 0
|
|
|
|
action.email.inline = 1
|
|
|
|
action.email.inline = 1
|
|
|
|
action.email.reportServerEnabled = 0
|
|
|
|
action.email.reportServerEnabled = 0
|
|
|
|
alert.digest_mode = True
|
|
|
|
alert.digest_mode = True
|
|
|
|
@ -711,7 +711,7 @@ search = eventtype=wineventlog_index_windows eventtype="wineventlog_common" Even
|
|
|
|
##############################################
|
|
|
|
##############################################
|
|
|
|
|
|
|
|
|
|
|
|
[Count of total installs per user for the last 7 days]
|
|
|
|
[Count of total installs per user for the last 7 days]
|
|
|
|
disabled = 1
|
|
|
|
disabled = 0
|
|
|
|
action.email.reportServerEnabled = 0
|
|
|
|
action.email.reportServerEnabled = 0
|
|
|
|
alert.track = 0
|
|
|
|
alert.track = 0
|
|
|
|
dispatch.earliest_time = -7d@h
|
|
|
|
dispatch.earliest_time = -7d@h
|
|
|
|
@ -723,7 +723,7 @@ search = eventtype=wineventlog_index_windows eventtype="wineventlog_common" Sour
|
|
|
|
| sort -count
|
|
|
|
| sort -count
|
|
|
|
|
|
|
|
|
|
|
|
[Count of total installs per user each day for the last 7 days]
|
|
|
|
[Count of total installs per user each day for the last 7 days]
|
|
|
|
disabled = 1
|
|
|
|
disabled = 0
|
|
|
|
action.email.reportServerEnabled = 0
|
|
|
|
action.email.reportServerEnabled = 0
|
|
|
|
alert.track = 0
|
|
|
|
alert.track = 0
|
|
|
|
dispatch.earliest_time = -7d@h
|
|
|
|
dispatch.earliest_time = -7d@h
|
|
|
|
@ -734,7 +734,7 @@ search = eventtype=wineventlog_index_windows eventtype="wineventlog_common" Sour
|
|
|
|
| timechart count by User
|
|
|
|
| timechart count by User
|
|
|
|
|
|
|
|
|
|
|
|
[System_App Installs - By Host - Timechart - 7days]
|
|
|
|
[System_App Installs - By Host - Timechart - 7days]
|
|
|
|
disabled = 1
|
|
|
|
disabled = 0
|
|
|
|
action.email.reportServerEnabled = 0
|
|
|
|
action.email.reportServerEnabled = 0
|
|
|
|
alert.track = 0
|
|
|
|
alert.track = 0
|
|
|
|
dispatch.earliest_time = -7d@h
|
|
|
|
dispatch.earliest_time = -7d@h
|
|
|
|
@ -747,7 +747,7 @@ search = eventtype=wineventlog_index_windows eventtype="wineventlog_common" Sour
|
|
|
|
| timechart span=1d count by host
|
|
|
|
| timechart span=1d count by host
|
|
|
|
|
|
|
|
|
|
|
|
[Count of total installs per Application each day for the last 7 days]
|
|
|
|
[Count of total installs per Application each day for the last 7 days]
|
|
|
|
disabled = 1
|
|
|
|
disabled = 0
|
|
|
|
action.email.reportServerEnabled = 0
|
|
|
|
action.email.reportServerEnabled = 0
|
|
|
|
alert.track = 0
|
|
|
|
alert.track = 0
|
|
|
|
dispatch.earliest_time = -7d@h
|
|
|
|
dispatch.earliest_time = -7d@h
|
|
|
|
@ -759,7 +759,7 @@ search = eventtype=wineventlog_index_windows eventtype="wineventlog_common" Sour
|
|
|
|
| timechart span=1d count by product_name
|
|
|
|
| timechart span=1d count by product_name
|
|
|
|
|
|
|
|
|
|
|
|
[List of Applications, Time of install, User and Host for the last 7 days]
|
|
|
|
[List of Applications, Time of install, User and Host for the last 7 days]
|
|
|
|
disabled = 1
|
|
|
|
disabled = 0
|
|
|
|
action.email.reportServerEnabled = 0
|
|
|
|
action.email.reportServerEnabled = 0
|
|
|
|
alert.track = 0
|
|
|
|
alert.track = 0
|
|
|
|
dispatch.earliest_time = -7d@h
|
|
|
|
dispatch.earliest_time = -7d@h
|
|
|
|
@ -780,7 +780,7 @@ action.email.inline = 1
|
|
|
|
alert.digest_mode = True
|
|
|
|
alert.digest_mode = True
|
|
|
|
alert.suppress = 0
|
|
|
|
alert.suppress = 0
|
|
|
|
alert.track = 0
|
|
|
|
alert.track = 0
|
|
|
|
disabled = 1
|
|
|
|
disabled = 0
|
|
|
|
dispatch.earliest_time = -7d
|
|
|
|
dispatch.earliest_time = -7d
|
|
|
|
dispatch.latest_time = now
|
|
|
|
dispatch.latest_time = now
|
|
|
|
search = eventtype=windows_index_windows OR eventtype=wineventlog_index_windows NOT [ search eventtype="Update_Successful_windows" | dedup package, host | fields + host, package ] \
|
|
|
|
search = eventtype=windows_index_windows OR eventtype=wineventlog_index_windows NOT [ search eventtype="Update_Successful_windows" | dedup package, host | fields + host, package ] \
|
|
|
|
@ -796,7 +796,7 @@ action.email.inline = 1
|
|
|
|
alert.digest_mode = True
|
|
|
|
alert.digest_mode = True
|
|
|
|
alert.suppress = 0
|
|
|
|
alert.suppress = 0
|
|
|
|
alert.track = 0
|
|
|
|
alert.track = 0
|
|
|
|
disabled = 1
|
|
|
|
disabled = 0
|
|
|
|
dispatch.earliest_time = -30d@d
|
|
|
|
dispatch.earliest_time = -30d@d
|
|
|
|
dispatch.latest_time = now
|
|
|
|
dispatch.latest_time = now
|
|
|
|
displayview = search
|
|
|
|
displayview = search
|
|
|
|
@ -822,7 +822,7 @@ action.email.inline = 1
|
|
|
|
alert.digest_mode = True
|
|
|
|
alert.digest_mode = True
|
|
|
|
alert.suppress = 0
|
|
|
|
alert.suppress = 0
|
|
|
|
alert.track = 0
|
|
|
|
alert.track = 0
|
|
|
|
disabled = 1
|
|
|
|
disabled = 0
|
|
|
|
dispatch.earliest_time = -7d
|
|
|
|
dispatch.earliest_time = -7d
|
|
|
|
dispatch.latest_time = now
|
|
|
|
dispatch.latest_time = now
|
|
|
|
search = eventtype=windows_index_windows OR eventtype=wineventlog_index_windows eventtype="Update_Successful_windows" \
|
|
|
|
search = eventtype=windows_index_windows OR eventtype=wineventlog_index_windows eventtype="Update_Successful_windows" \
|
|
|
|
@ -833,7 +833,7 @@ search = eventtype=windows_index_windows OR eventtype=wineventlog_index_windows
|
|
|
|
|
|
|
|
|
|
|
|
[List of shutdowns for last 30 days]
|
|
|
|
[List of shutdowns for last 30 days]
|
|
|
|
action.email.sendresults = 0
|
|
|
|
action.email.sendresults = 0
|
|
|
|
disabled = 1
|
|
|
|
disabled = 0
|
|
|
|
dispatch.earliest_time = -30d@d
|
|
|
|
dispatch.earliest_time = -30d@d
|
|
|
|
dispatch.latest_time = now
|
|
|
|
dispatch.latest_time = now
|
|
|
|
relation = None
|
|
|
|
relation = None
|
|
|
|
@ -843,7 +843,7 @@ search = eventtype=wineventlog_index_windows source=wineventlog:system "EventCod
|
|
|
|
|
|
|
|
|
|
|
|
[List of unexpected service terminations for the last 30 days]
|
|
|
|
[List of unexpected service terminations for the last 30 days]
|
|
|
|
action.email.sendresults = 0
|
|
|
|
action.email.sendresults = 0
|
|
|
|
disabled = 1
|
|
|
|
disabled = 0
|
|
|
|
dispatch.earliest_time = -30d@d
|
|
|
|
dispatch.earliest_time = -30d@d
|
|
|
|
dispatch.latest_time = now
|
|
|
|
dispatch.latest_time = now
|
|
|
|
relation = None
|
|
|
|
relation = None
|
|
|
|
@ -853,7 +853,7 @@ search = eventtype=wineventlog_index_windows source=wineventlog:system terminate
|
|
|
|
|
|
|
|
|
|
|
|
[List of failed service starts for the last 30 days]
|
|
|
|
[List of failed service starts for the last 30 days]
|
|
|
|
action.email.sendresults = 0
|
|
|
|
action.email.sendresults = 0
|
|
|
|
disabled = 1
|
|
|
|
disabled = 0
|
|
|
|
dispatch.earliest_time = -30d@d
|
|
|
|
dispatch.earliest_time = -30d@d
|
|
|
|
dispatch.latest_time = now
|
|
|
|
dispatch.latest_time = now
|
|
|
|
relation = None
|
|
|
|
relation = None
|
|
|
|
@ -863,7 +863,7 @@ search = eventtype=wineventlog_index_windows source=wineventlog:system SourceNam
|
|
|
|
|
|
|
|
|
|
|
|
[WinMgmt_Security_Logon_Success Overall by Host]
|
|
|
|
[WinMgmt_Security_Logon_Success Overall by Host]
|
|
|
|
alert.track = 0
|
|
|
|
alert.track = 0
|
|
|
|
disabled = 1
|
|
|
|
disabled = 0
|
|
|
|
dispatch.earliest_time = -7d@h
|
|
|
|
dispatch.earliest_time = -7d@h
|
|
|
|
dispatch.latest_time = now
|
|
|
|
dispatch.latest_time = now
|
|
|
|
displayview = search
|
|
|
|
displayview = search
|
|
|
|
@ -876,7 +876,7 @@ search = eventtype=wineventlog_index_windows eventtype="wineventlog_common"("Eve
|
|
|
|
|
|
|
|
|
|
|
|
[WinMgmt_Security_Logon_Success Overtime]
|
|
|
|
[WinMgmt_Security_Logon_Success Overtime]
|
|
|
|
alert.track = 0
|
|
|
|
alert.track = 0
|
|
|
|
disabled = 1
|
|
|
|
disabled = 0
|
|
|
|
dispatch.earliest_time = -7d@h
|
|
|
|
dispatch.earliest_time = -7d@h
|
|
|
|
dispatch.latest_time = now
|
|
|
|
dispatch.latest_time = now
|
|
|
|
displayview = search
|
|
|
|
displayview = search
|
|
|
|
@ -888,7 +888,7 @@ search = eventtype=wineventlog_index_windows eventtype="wineventlog_common" ("Ev
|
|
|
|
|
|
|
|
|
|
|
|
[WinMgmt_Security_Logon_Unsuccessful]
|
|
|
|
[WinMgmt_Security_Logon_Unsuccessful]
|
|
|
|
alert.track = 0
|
|
|
|
alert.track = 0
|
|
|
|
disabled = 1
|
|
|
|
disabled = 0
|
|
|
|
dispatch.earliest_time = -7d@h
|
|
|
|
dispatch.earliest_time = -7d@h
|
|
|
|
dispatch.latest_time = now
|
|
|
|
dispatch.latest_time = now
|
|
|
|
displayview = search
|
|
|
|
displayview = search
|
|
|
|
@ -901,7 +901,7 @@ search = eventtype=wineventlog_index_windows eventtype="wineventlog_common" ("Ev
|
|
|
|
|
|
|
|
|
|
|
|
[WinMgmt_System_Reboot Overtime]
|
|
|
|
[WinMgmt_System_Reboot Overtime]
|
|
|
|
alert.track = 0
|
|
|
|
alert.track = 0
|
|
|
|
disabled = 1
|
|
|
|
disabled = 0
|
|
|
|
dispatch.earliest_time = -7d@h
|
|
|
|
dispatch.earliest_time = -7d@h
|
|
|
|
dispatch.latest_time = now
|
|
|
|
dispatch.latest_time = now
|
|
|
|
displayview = search
|
|
|
|
displayview = search
|
|
|
|
@ -927,7 +927,7 @@ search = eventtype=wineventlog_index_windows eventtype="wineventlog_common" Even
|
|
|
|
##########################################
|
|
|
|
##########################################
|
|
|
|
|
|
|
|
|
|
|
|
[WinApp_Lookup_Build_Hostmon_Machine - Update - Detail]
|
|
|
|
[WinApp_Lookup_Build_Hostmon_Machine - Update - Detail]
|
|
|
|
disabled = 1
|
|
|
|
disabled = 0
|
|
|
|
is_visible = true
|
|
|
|
is_visible = true
|
|
|
|
action.email.inline = 1
|
|
|
|
action.email.inline = 1
|
|
|
|
alert.digest_mode = True
|
|
|
|
alert.digest_mode = True
|
|
|
|
@ -946,7 +946,7 @@ search = eventtype=windows_index_windows eventtype="hostmon_windows" Type=Operat
|
|
|
|
| outputlookup windows_hostmon_machine_details append=true
|
|
|
|
| outputlookup windows_hostmon_machine_details append=true
|
|
|
|
|
|
|
|
|
|
|
|
[WinApp_Lookup_Build_Hostmon_Machine - CreateNew - Detail]
|
|
|
|
[WinApp_Lookup_Build_Hostmon_Machine - CreateNew - Detail]
|
|
|
|
disabled = 1
|
|
|
|
disabled = 0
|
|
|
|
action.email.inline = 1
|
|
|
|
action.email.inline = 1
|
|
|
|
action.email.reportServerEnabled = 0
|
|
|
|
action.email.reportServerEnabled = 0
|
|
|
|
alert.digest_mode = True
|
|
|
|
alert.digest_mode = True
|
|
|
|
@ -962,7 +962,7 @@ search = eventtype=windows_index_windows eventtype="hostmon_windows" Type=Operat
|
|
|
|
| outputlookup windows_hostmon_machine_details
|
|
|
|
| outputlookup windows_hostmon_machine_details
|
|
|
|
|
|
|
|
|
|
|
|
[WinApp_Lookup_Build_Hostmon_FS - Update - Detail]
|
|
|
|
[WinApp_Lookup_Build_Hostmon_FS - Update - Detail]
|
|
|
|
disabled = 1
|
|
|
|
disabled = 0
|
|
|
|
is_visible = true
|
|
|
|
is_visible = true
|
|
|
|
action.email.inline = 1
|
|
|
|
action.email.inline = 1
|
|
|
|
alert.digest_mode = True
|
|
|
|
alert.digest_mode = True
|
|
|
|
@ -982,7 +982,7 @@ search = eventtype=windows_index_windows eventtype=hostmon_windows Type=Disk \
|
|
|
|
| outputlookup windows_hostmon_fs_details append=true
|
|
|
|
| outputlookup windows_hostmon_fs_details append=true
|
|
|
|
|
|
|
|
|
|
|
|
[WinApp_Lookup_Build_Hostmon_FS - CreateNew - Detail]
|
|
|
|
[WinApp_Lookup_Build_Hostmon_FS - CreateNew - Detail]
|
|
|
|
disabled = 1
|
|
|
|
disabled = 0
|
|
|
|
action.email.inline = 1
|
|
|
|
action.email.inline = 1
|
|
|
|
action.email.reportServerEnabled = 0
|
|
|
|
action.email.reportServerEnabled = 0
|
|
|
|
alert.digest_mode = True
|
|
|
|
alert.digest_mode = True
|
|
|
|
@ -999,7 +999,7 @@ search = eventtype=windows_index_windows eventtype=hostmon_windows Type=Disk \
|
|
|
|
| outputlookup windows_hostmon_fs_details
|
|
|
|
| outputlookup windows_hostmon_fs_details
|
|
|
|
|
|
|
|
|
|
|
|
[WinApp_Lookup_Build_Hostmon_Process - Update - Detail]
|
|
|
|
[WinApp_Lookup_Build_Hostmon_Process - Update - Detail]
|
|
|
|
disabled = 1
|
|
|
|
disabled = 0
|
|
|
|
is_visible = true
|
|
|
|
is_visible = true
|
|
|
|
action.email.inline = 1
|
|
|
|
action.email.inline = 1
|
|
|
|
alert.digest_mode = True
|
|
|
|
alert.digest_mode = True
|
|
|
|
@ -1017,7 +1017,7 @@ search = eventtype=windows_index_windows eventtype=hostmon_windows Type=Process
|
|
|
|
| outputlookup windows_hostmon_process_details append=true
|
|
|
|
| outputlookup windows_hostmon_process_details append=true
|
|
|
|
|
|
|
|
|
|
|
|
[WinApp_Lookup_Build_Hostmon_Process - CreateNew - Detail]
|
|
|
|
[WinApp_Lookup_Build_Hostmon_Process - CreateNew - Detail]
|
|
|
|
disabled = 1
|
|
|
|
disabled = 0
|
|
|
|
action.email.inline = 1
|
|
|
|
action.email.inline = 1
|
|
|
|
action.email.reportServerEnabled = 0
|
|
|
|
action.email.reportServerEnabled = 0
|
|
|
|
alert.digest_mode = True
|
|
|
|
alert.digest_mode = True
|
|
|
|
@ -1051,7 +1051,7 @@ cron_schedule = */15 * * * *
|
|
|
|
dispatch.earliest_time = -60m
|
|
|
|
dispatch.earliest_time = -60m
|
|
|
|
dispatch.latest_time = now
|
|
|
|
dispatch.latest_time = now
|
|
|
|
enableSched = 1
|
|
|
|
enableSched = 1
|
|
|
|
disabled = 1
|
|
|
|
disabled = 0
|
|
|
|
search = eventtype=msad_index_windows eventtype="msad-dc-health" | dedup host\
|
|
|
|
search = eventtype=msad_index_windows eventtype="msad-dc-health" | dedup host\
|
|
|
|
|eval entity_title=host\
|
|
|
|
|eval entity_title=host\
|
|
|
|
|eval entity_type="Active Directory"\
|
|
|
|
|eval entity_type="Active Directory"\
|
|
|
|
|
