TO UNSUBSCRIBE: email "unsubscribe issforum" in the body of your message to [EMAIL PROTECTED] Contact [EMAIL PROTECTED] for help with any problems! ----------------------------------------------------------------------------
Hi Chris,

make sure your signature does contain the correct event source, category, regexp and audit information. Use the ISS event Config-log_files_deleted as a template to start from. What are you trying to achieve? ID 560 is very generic (Type: Success Audit, Description: Object Open), so you will have to scan through many events to pick up the right one.

BR
Karl Jaeger

Chris Cunningham wrote:
> We are using server sensors on WinNT, and would like to monitor event ID 560
> in the security event log. Our rule works fine for every other event ID
> except for event ID 560. We have confirmed that the events are being
> written to the logs. Any ideas would be appreciated. Has anyone else had
> any luck using these rules?
>
> Thanks
>
> Chris R. Cunningham
> Wilmington Trust

--
-------------------------
BDG GmbH & Co.KG
Make IT Safe!
Wendelinstrasse 1
50933 Köln
Germany
Tel: +49+221/954231-0
Fax: +49+221/954231-31
eMail: [EMAIL PROTECTED]
Web: http://www.bdg.de
-------------------------
