Forum Discussion
I agree Windows event handling really needs an overhaul. It would probably be a lot better to build out an ELK stack with a script eventsource to pull exceptions into LM, but I have to stand something up and give it a try. Of course, this is not really feasible unless your collectors are sturdy enough to handle both LM and the log analysis. Even with the basic Windows event source, normal filtering is too limited, and I have found it very difficult to successfully write a complex filter since there is no "Test" capability in the eventsource creator screen (would love to see this capability). In your case, there have been other threads I've seen requesting an "event repeat" counter, and this of course would work very well to limit alerting if the counter value was available to decide whether an alert should fire instead of the way alerts trigger now. Ideally, a much richer capability (e.g., like SEC or a limited correlation capability like nxlog-ce) would be welcome -- perhaps in addition to counters, an ability to record an event as active without an alert and to be able to reference that in another event check as a way to correlate before triggering alerts.
Regards,
Mark
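The two mechanisms Mark asks for (an event repeat counter that gates alerting, and recording an event as "active" without alerting so a later check can reference it) are easy to sketch outside the product. The following is an added example, not code from the post, from LogicMonitor, SEC or nxlog: a small stateful correlator run over constructed Windows-style event records. The rule table, thresholds, window and TTL are assumptions chosen for the demo; the event IDs used are real Windows ones (4625 failed logon, 4624 successful logon, Application Error 1000), but the sample events themselves are constructed.

```python
"""Added example (not from the forum post or any vendor code): a minimal
event correlator with a repeat counter and an "active state" that another
rule can reference before alerting. Rule values are demo assumptions."""
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass
class Event:
    ts: float        # seconds since epoch (constructed)
    source: str      # Windows log name, e.g. "Security"
    event_id: int
    host: str
    message: str


# Repeat rules: event_id -> (threshold, action, rule/state name). Assumed values.
#   "alert"       -> fire one alert when the count reaches the threshold
#   "mark_active" -> record a state for the host, with no alert
REPEAT_RULES = {
    1000: (3, "alert", "app_crash_storm"),             # Application Error
    4625: (3, "mark_active", "repeated_failed_logon"),  # failed logon
}
# Correlation rules: event_id -> (required active state, alert name). Assumed.
CORRELATION_RULES = {
    4624: ("repeated_failed_logon", "logon_after_repeated_failures"),
}


class Correlator:
    def __init__(self, window_secs=60.0, active_ttl=300.0,
                 repeat_rules=REPEAT_RULES, correlation_rules=CORRELATION_RULES):
        self.window_secs = window_secs
        self.active_ttl = active_ttl
        self.repeat_rules = repeat_rules
        self.correlation_rules = correlation_rules
        self._seen = defaultdict(deque)   # (host, event_id) -> timestamps in window
        self._active = {}                 # (host, state) -> expiry timestamp
        self.alerts = []

    def _prune(self, q, now):
        # Drop timestamps that have fallen out of the sliding window.
        while q and now - q[0] > self.window_secs:
            q.popleft()

    def _is_active(self, host, state, now):
        expiry = self._active.get((host, state))
        if expiry is None:
            return False
        if now > expiry:
            del self._active[(host, state)]   # state aged out
            return False
        return True

    def _alert(self, ev, name):
        alert = {"host": ev.host, "rule": name, "event_id": ev.event_id, "ts": ev.ts}
        self.alerts.append(alert)
        return alert

    def process(self, ev):
        """Feed one event; return an alert dict or None."""
        now = ev.ts
        q = self._seen[(ev.host, ev.event_id)]
        q.append(now)
        self._prune(q, now)

        rule = self.repeat_rules.get(ev.event_id)
        if rule:
            threshold, action, name = rule
            if len(q) >= threshold:
                q.clear()   # reset the counter so the rule does not re-fire per event
                if action == "alert":
                    return self._alert(ev, name)
                self._active[(ev.host, name)] = now + self.active_ttl
            return None

        corr = self.correlation_rules.get(ev.event_id)
        if corr:
            state, name = corr
            if self._is_active(ev.host, state, now):
                return self._alert(ev, name)
        return None


# Constructed sample events (not real log data).
SAMPLE_EVENTS = [
    Event(0.0, "Security", 4625, "ws01", "An account failed to log on"),
    Event(5.0, "Security", 4625, "ws01", "An account failed to log on"),
    Event(9.0, "Security", 4624, "ws02", "An account was successfully logged on"),
    Event(12.0, "Security", 4625, "ws01", "An account failed to log on"),   # 3rd -> active
    Event(20.0, "Security", 4624, "ws01", "An account was successfully logged on"),
    Event(30.0, "Application", 1000, "ws03", "Faulting application"),
    Event(31.0, "Application", 1000, "ws03", "Faulting application"),
    Event(100.0, "Application", 1000, "ws03", "Faulting application"),  # first two aged out
    Event(101.0, "Application", 1000, "ws03", "Faulting application"),
    Event(102.0, "Application", 1000, "ws03", "Faulting application"),  # 3rd in window
]


def run(events, **kwargs):
    """Replay events through a fresh correlator and return the alerts raised."""
    c = Correlator(**kwargs)
    return [a for a in (c.process(e) for e in events) if a]


if __name__ == "__main__":
    for a in run(SAMPLE_EVENTS):
        print(a)
```

With the defaults, the single successful logon on ws02 raises nothing, the one on ws01 alerts only because three failed logons had marked that host active, and the crash storm on ws03 alerts only once three Application Error events fall inside the same 60-second window. Shrinking `active_ttl` lets the active state expire before the successful logon arrives, which is the "correlate before triggering" behaviour the post describes.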