Creating a custom rule
You can create your own custom rules by following these steps:
- Open the LANguard S.E.L.M. configuration.
- Go to the Event Categorization > Custom Rules node.
- Now select what type of custom rule you wish to create: You can create a custom rule for a Security log event, an Application log event, a DNS Server log event, a Directory Services log event, a File Replication log event, a System log event and a GFI System Integrity Checker log event.
- To create the custom rule, right-click on the node of the event log for which you wish to create it and select 'New Rule'.
- A new rule with a default name will be created. To rename the new rule, right-click on it and select Rename.
- After the new rule is added a dialog containing the rule's properties will automatically appear.
Event(s)

Events which can trigger this custom rule.
In this dialog you specify the events and any event restrictions that will trigger the custom rule. For example, you may want to monitor a successful logon on a particular machine coming from a specific user. In that case you would add the event ID for successful logons and then restrict it so that it applies only to that particular user. To add an Event Condition:
- Click on the Add… button. This allows you to add an Event to the event conditions. Add an Event by specifying its Event ID, for example 528, which is the Event ID for successful logons.

Adding an Event Condition
- After you click OK, the Event Condition will be created. Unless you only want to monitor that particular event ID without any further filtering, you will need to specify the properties of the event you just added. You can do this by double-clicking on the Event Condition or by using the Edit… button.

Specifying the event condition restrictions/filter
- In the Event restrictions dialog you can specify further filtering restrictions for the Event ID. You can specify a filter condition for the following fields: Source, Category, Event Type and User. You can also add filter conditions for other fields that are particular to an event. Fields which have a filter condition specified will have their field titles displayed in dark blue. If you do not specify a filter for a field, no restriction filter will apply for that field.
- If you want to add a filter for custom fields, i.e. fields that are not displayed in the Event Condition properties dialog, click on the Add button at the bottom of the dialog. This brings up the 'Edit field restrictions' dialog, in which you select the field from the top list, select the operator and edit the restriction value.

Edit field restrictions
Actions
In this dialog you can specify what should be done if a custom rule is triggered.

Configuring the action that should be taken
You can select one of the following actions to be taken when an event meets the rule's filtering criteria:
Ignore the event – The event will be ignored. This is very useful for reducing noise and false-positive event notifications: you may receive notifications for important events which you nevertheless do not want stored in the database every time they occur. Ignoring such events also helps reduce the growth rate of the database backend.
Send administrative e-mail notification – This will send an email to the e-mail address specified in the email alerting options page of the configuration.
Archive a copy of the event in the database – This will archive the event that triggered the rule to the backend database. For example, you may want to monitor events in the application or system logs and be notified when a particular event happens, without needing to store it in the database backend. NOTE: Events which trigger this rule and are stored in the database backend are marked with a property named "triggered by a custom rule". You can filter on this property in the LANguard S.E.L.M. event viewer to see which events triggered custom rules.
Classify security event as – Here you can define which security level the event should be assigned. This is only available for all-purpose (custom) rules which apply to events retrieved from the security event log.
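As an added illustration of how the Event Conditions and Actions described above combine (example code written for this page, not part of LANguard S.E.L.M.): a rule holds one or more Event Conditions, each an Event ID plus optional field restrictions, and a field with no restriction imposes no filter. The operator names, the event field names and the sample events are assumptions for the example.

```python
from dataclasses import dataclass, field

# Assumed operators; the manual only says "select the operator" in the
# 'Edit field restrictions' dialog without listing them.
OPERATORS = {
    "equals": lambda actual, expected: actual == expected,
    "not equals": lambda actual, expected: actual != expected,
    "contains": lambda actual, expected: expected in actual,
}


@dataclass
class EventCondition:
    """An Event ID plus optional field restrictions.
    restrictions maps a field name (Source, Category, Event Type, User or a
    custom field) to an (operator, value) pair. A field with no entry has
    no restriction, as the dialog behaves when a filter is left blank."""
    event_id: int
    restrictions: dict = field(default_factory=dict)

    def matches(self, event: dict) -> bool:
        if event.get("Event ID") != self.event_id:
            return False
        return all(OPERATORS[op](event.get(name, ""), expected)
                   for name, (op, expected) in self.restrictions.items())


@dataclass
class CustomRule:
    """Any matching Event Condition triggers the configured action."""
    name: str
    conditions: list
    action: str  # e.g. "Ignore the event", "Send administrative e-mail notification"

    def evaluate(self, event: dict):
        """Return the rule's action if the event triggers it, else None."""
        return self.action if any(c.matches(event) for c in self.conditions) else None


# The manual's example: successful logon (Event ID 528) by one particular user.
ADMIN_LOGON = CustomRule(
    name="Admin logon",
    conditions=[EventCondition(528, {"User": ("equals", "DOMAIN\\alice")})],
    action="Send administrative e-mail notification",
)

# Constructed sample events, not real log data.
SAMPLE_EVENTS = [
    {"Event ID": 528, "Source": "Security", "User": "DOMAIN\\alice"},  # fires
    {"Event ID": 528, "Source": "Security", "User": "DOMAIN\\bob"},    # wrong user
    {"Event ID": 529, "Source": "Security", "User": "DOMAIN\\alice"},  # wrong Event ID
]
```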

LANguard S.E.L.M. Event Viewer – filter rule properties

LANguard S.E.L.M. event viewer – filter set to show only events which triggered a custom rule in this event log.
General options

General options of a custom rule
In the general options dialog you can specify the computer name for which the rule applies and if the rule must apply only if a particular operating system is installed on the computer. This is very useful because an event which happens on an operating system version can have a different meaning when the same event happens on another operating system.
Rule Description
Here you can see the description of the rule.

Rule Summary