Cyberlink wrote:
> Hi.
>
> I am trying to set a rule to check the application log in windows.
>
> If for example, the server service is stopped, event id 7036 is
> generated in the application log.
>
> I have this in the local_rules.xml:
>
> <rule id="100500" level="9">
> <id>^7036</id>
> <description>Server service stopped</description>
> </rule>
>
> The existing rule in the 18000 (windows security log) works fine... But
> the 100500 does not.
Hello Cyberlink. Try putting an if_sid in your rule, like this:
<rule id="100500" level="9">
<if_sid>18145</if_sid>
<id>^7036</id>
<description>Server service stopped</description>
</rule>
(Check the actual sid for the dependency-- not sure about this one)
--
Michael Starks
[I] Immutable Security
http://www.immutablesecurity.com
Information Security, Privacy and Personal Liberty
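A small lint that flags rules of the kind discussed in this thread (a rule testing a decoded Windows field such as <id> with no parent rule declared). This is an added example, not OSSEC's own code and not from either poster; it assumes local_rules.xml parses as plain XML and treats the absence of any <if_sid>/<if_group> element as the condition to report.

```python
"""Lint an OSSEC local_rules.xml fragment for rules that match on a decoded
field (<id>, <match>, ...) but declare no parent via <if_sid>/<if_group>."""
import xml.etree.ElementTree as ET

# Constructed sample mirroring the thread: rule 100500 lacks a parent,
# rule 100501 is the corrected form with an if_sid (sid value is illustrative).
SAMPLE_LOCAL_RULES = """<group name="local,">
  <rule id="100500" level="9">
    <id>^7036</id>
    <description>Server service stopped</description>
  </rule>
  <rule id="100501" level="9">
    <if_sid>18145</if_sid>
    <id>^7036</id>
    <description>Server service stopped</description>
  </rule>
</group>"""

# Elements that chain a rule to a parent (hypothetical set, not exhaustive).
PARENT_TAGS = {"if_sid", "if_group", "if_matched_sid", "if_matched_group"}
# Elements that test fields filled in by a decoder.
FIELD_TAGS = {"id", "match", "regex", "user", "srcip", "status", "extra_data"}


def find_orphan_rules(xml_text):
    """Return [(rule_id, [field_tags])] for rules that test decoded fields
    without naming any parent rule or group."""
    # local_rules.xml may hold several <group> blocks, so wrap in one root.
    root = ET.fromstring(f"<lint_root>{xml_text}</lint_root>")
    orphans = []
    for rule in root.iter("rule"):
        tags = {child.tag for child in rule}
        fields_used = sorted(tags & FIELD_TAGS)
        if fields_used and not tags & PARENT_TAGS:
            orphans.append((rule.get("id"), fields_used))
    return orphans


if __name__ == "__main__":
    for rule_id, fields in find_orphan_rules(SAMPLE_LOCAL_RULES):
        print(f"rule {rule_id} tests {fields} but has no if_sid/if_group parent")
```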