Hi Dominique
This is the event log 'Level' filter.
The client uses the Windows event log filtering capabilities built into Windows. You can try these out yourself in Event Viewer by navigating to the Security log and selecting Filter Current Log….
You will see when doing this that despite selecting the security log, for level the window only offers you Critical, Warning, Verbose, Error or Information and not Audit Failure / Success. You should find that playing with the options, on the Security log, only "Information" actually returns anything.
Looking at the columns for Security log, you should see that the first column changes from Level to Keywords, and that Audit Failure/Success are actually keywords and not a level.
Unfortunately for these reasons it appears there is no way to filter on Audit Failure, unless you can configure an alert with a regex to look specifically for some text in the message that relates to the failure or the event id.
Zak
From: Xymon [mailto:xymon-bounces at xymon.com] On Behalf Of Dominique Frise
Sent: 25 February 2016 11:00
To: xymon at xymon.com
Subject: [Xymon] XymonPSClient and Security eventlog
Hi,
Question regarding alerting on Security event_log.
Extract from xymonclient.ps1:
# default logs - may be overridden by config
$wantedlogs = "Application", "System", "Security"
$wantedLevels = @('Critical', 'Warning', 'Error', 'Information', 'Verbose')
$maxpayloadlength = 1024
$payload = ''
When problems occur, "Warning", "Critical" or "Error" are reported in Application and System event_log,
but in the Security event_log "Audit Failure" will be reported.
We don't see how this condition is handled.
Did we miss something?
Thanks,
Dominique Frise - UNIL
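
The reply above notes that Audit Failure / Audit Success are keywords and not a level. The following is an added example, not code from xymonclient.ps1 or the Xymon project, showing that distinction with the standard Windows keyword bits; the function names and the sample records are constructed for illustration.

```powershell
# Added example; not part of xymonclient.ps1.
# Standard keyword bits from
# System.Diagnostics.Eventing.Reader.StandardEventKeywords.
$AuditFailure = 0x10000000000000   # 4503599627370496
$AuditSuccess = 0x20000000000000   # 9007199254740992

function Get-AuditOutcome {
    # Hypothetical helper: classify a record by its Keywords bitmask,
    # because the Level field does not carry the audit result.
    param([Parameter(Mandatory)][long]$Keywords)
    if ($Keywords -band $AuditFailure) { return 'Audit Failure' }
    if ($Keywords -band $AuditSuccess) { return 'Audit Success' }
    return 'None'
}

function Get-SecurityAuditFailure {
    # Hypothetical helper: live query filtered on the keyword, not the level.
    # Needs Windows and rights to read the Security log.
    param([int]$MaxEvents = 20)
    $filter = @{ LogName = 'Security'; Keywords = $AuditFailure }
    Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents `
        -ErrorAction SilentlyContinue
}

# Constructed sample records standing in for Security log entries.
# Both carry the same level, so a level filter cannot tell them apart.
$sample = @(
    [pscustomobject]@{ Id = 4624; LevelDisplayName = 'Information'
                       Keywords = $AuditSuccess },
    [pscustomobject]@{ Id = 4625; LevelDisplayName = 'Information'
                       Keywords = $AuditFailure }
)

$sample | Select-Object Id, LevelDisplayName,
    @{ Name = 'Outcome'; Expression = { Get-AuditOutcome $_.Keywords } }
```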