Thank you. You are seeing exactly what I was as well.

Tim


-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mark Symons
Sent: Wednesday, March 30, 2005 3:39 PM
To: [email protected]
Subject: RE: [WhatsUp Forum] Windows Event Monitor

I tested this out.  There is a defect and I have logged it.

Basically we are getting everything EXCEPT the User info logged. And if it's
not logged it's not accessible to the actions.

An example...

%Device.Address=xxx
%PassiveMonitor.DisplayName=578
%PassiveMonitor.Payload.ComputerName=xxx
%PassiveMonitor.Payload.Logfile=Security
%PassiveMonitor.Payload.Type=audit success
%PassiveMonitor.Payload.SourceName=Security
%PassiveMonitor.Payload.Category=4
%PassiveMonitor.Payload.CategoryString=Privilege Use
%PassiveMonitor.Payload.EventCode=578
%PassiveMonitor.Payload.EventID=578
%PassiveMonitor.Payload.TimeGenerated=20050330152212.000000-300
%PassiveMonitor.Payload.TimeWritten=20050330152212.000000-300
%PassiveMonitor.Payload.Message=Privileged object operation:
        Object Server:  EventLog
        Object Handle:  12655744
        Process ID:     576
        Primary User Name:      xxx
        Primary Domain: xxx
        Primary Logon ID:       (0x0,0x3E7)
        Client User Name:       xxx
        Client Domain:  xxx
        Client Logon ID:        (0x0,0x11A86)
        Privileges:     SeSecurityPrivilege
%PassiveMonitor.Payload.LogicalSource=xxx
%PassiveMonitor.Payload.PhysicalSource=xxx
%PassiveMonitor.Payload.EventType=Windows Event Log

i.e., no %PassiveMonitor.Payload.User

Mark Symons
Ipswitch, Inc
Augusta GA


-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Tuesday, March 29, 2005 4:21 PM
To: [email protected]
Subject: RE: [WhatsUp Forum] Windows Event Monitor


I had tried that already and nowhere in the payload did I see the User
data.  I know that WUP can see this data because you can use it as a condition
in the monitor; I just cannot see a way to display it in a %variable.

Tim


-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mark Symons
Sent: Tuesday, March 29, 2005 2:48 PM
To: [email protected]
Subject: RE: [WhatsUp Forum] Windows Event Monitor

Try this..

1) Create an Action with message body:

%PassiveMonitor.Payload.*

2) Attach it to the Passive Monitor that is watching for your Event ID #36.

3) When the Event occurs, the resulting email will resolve
%PassiveMonitor.Payload.* and you will get a complete payload dump.  The
dump breaks down each item into separate % variables.  i.e.,

%PassiveMonitor.Payload.a = xxx
%PassiveMonitor.Payload.b = yyy
%PassiveMonitor.Payload.c = zzz

4) Select whichever of these % variables has given you your "User" info and
then edit the action to use that variable, perhaps with extra text to aid
readability.  i.e.:

User who is over quota = %PassiveMonitor.Payload.e

That's it.

Mark Symons
Ipswitch, Inc
Augusta GA
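
The payload dump produced by the `%PassiveMonitor.Payload.*` action above, and the dump in the later reply that shows no `%PassiveMonitor.Payload.User`, can be checked mechanically. This is an added example, not part of the original messages and not Ipswitch code: a Python parser for that dump format that reports whether a User variable is present and which accounts appear only inside the Message text. The sample input is constructed with placeholder values and the function names are hypothetical.

```python
import re

# Constructed sample in the format of the dump quoted in this thread (placeholder values).
SAMPLE_DUMP = """\
%Device.Address=192.0.2.10
%PassiveMonitor.DisplayName=578
%PassiveMonitor.Payload.Logfile=Security
%PassiveMonitor.Payload.EventID=578
%PassiveMonitor.Payload.Message=Privileged object operation:
        Object Server:  EventLog
        Primary User Name:      SYSTEM
        Primary Domain: EXAMPLE
        Client User Name:       alice
        Client Domain:  EXAMPLE
        Privileges:     SeSecurityPrivilege
%PassiveMonitor.Payload.EventType=Windows Event Log
"""

VAR_LINE = re.compile(r"^%([\w.]+)[ \t]*=[ \t]*(.*)$")

def parse_dump(text):
    """Split a resolved payload dump into {variable: value}.
    Lines that do not start a new %variable continue the previous value."""
    fields, current = {}, None
    for line in text.splitlines():
        m = VAR_LINE.match(line)
        if m:
            current, fields[m.group(1)] = m.group(1), m.group(2)
        elif current is not None and line.strip():
            fields[current] += "\n" + line.strip()  # multi-line Message body
    return fields

def message_accounts(fields):
    """Pair 'X User Name' with 'X Domain' lines found in the Message text."""
    msg = fields.get("PassiveMonitor.Payload.Message", "")
    names = dict(re.findall(r"^(\w+) User Name:[ \t]*(.+)$", msg, re.M))
    domains = dict(re.findall(r"^(\w+) Domain:[ \t]*(.+)$", msg, re.M))
    return {role: f"{domains.get(role, '?')}\\{user}" for role, user in names.items()}

def audit(text):
    """Report whether the dump exposes a User variable to actions."""
    fields = parse_dump(text)
    return {
        "has_user_variable": "PassiveMonitor.Payload.User" in fields,
        "accounts_in_message": message_accounts(fields),
    }
```

For an event such as the Ntfs ID 36 entry, whose description carries no account name, `accounts_in_message` comes back empty, so the missing User variable cannot be recovered from the payload.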


-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Tuesday, March 29, 2005 2:06 PM
To: [email protected]
Subject: [WhatsUp Forum] Windows Event Monitor


Hi,
I am using a passive monitor to watch for a specific Windows event log
entry.  The particular event ID is 36, which is for Disk Quotas.  However, the
message that is sent with this event is less than informative (A user hit
their quota threshold on volume D:.)  The Windows event, however, does contain
the user account information that is over their quota in the User: field of
the event.  Is there a way to display this information in the email alert
from WUP?

Here is a copy of one of the event entries:

Event Type:     Information
Event Source:   Ntfs
Event Category: Disk
Event ID:       36
Date:           3/29/2005
Time:           12:39:27 PM
User:           domain\user
Computer:       OC03
Description:
A user hit their quota threshold on volume D:.


Thanks for the assistance,
Tim


Please visit http://www.ipswitch.com/support/mailing-lists.html
to be removed from this list.

An Archive of this list is available at:
http://www.mail-archive.com/whatsup_forum%40list.ipswitch.com/


