This article provides an answer to the query: How to create GFI EventsManager custom processing rules?
Using the Event Browser to identify fields
The GFI Events Browser enables you to view all events which have been captured by GFI EventsManager. This tool is useful to gather further information on each event processed and provides the information required to create your custom processing rules.
- The Events Browser can be found in the GFI EventsManager Management Console.
- Locate the event you wish to create a custom processing rule for.
- In the Events Browser, you can view the details of the particular event such as the Event ID and also additional field information included in some events. For the purpose of this article, a custom rule will be created to gather Event ID 592 and when a new Microsoft Management Console (mmc.exe) process is started.
Creating the custom rule
- Within the GFI EventsManager Management Console, click on the Configuration button and select Event Processing Rules.
- Create a new folder to store your custom rules by clicking on the 'Create Folder' link in the Common Tasks section.
- Add the name for the folder such as 'Custom Rules'.
- Click on the 'Create new rule set' link in the Common Tasks section and give it a name (e.g. 'Detailed Tracking').
- To create the new rule, click on the 'Create new rule' link.
- Specify a name for the new rule, such as 'mmc.exe process created' and enter a brief description. Click Next to proceed.
- Select which type of event log(s) will apply to this rule. For this demonstration, 'Windows Security Event logs' is selected. Click Next to continue.
- Enter the type of filtering conditions are applied for this rule. In this demonstration, Event ID 592 will be entered. If you wish to perform advanced filters, click on the Advanced button and enter any additional filters by clicking on the Add button. In this example, the following Filter Restrictions were also added:
Field Name: Field 2
Select Field Operator: Contains the text
Enter Field Value: mmc.exe
- Click on Next to proceed through the wizard.
- Define the occurrence and importance of the rule. Click Next.
- Specify the actions needed to be taken when this rule is triggered and click Next.
- Click Finish to create the rule.
Changing the order of processing rules
When an event is collected in GFI EventsManager, the rules are processed from top to bottom. If you wish for your new custom event processing rules to have a higher priority within the Events Processing Rules list, perform the following procedure:
- Click on the newly created custom rules folder.
- While holding the CTRL key, press the up arrow key on your keyboard to increase priority (down arrow key will reduce priority). Note: This can also be done by right-clicking on the folder and selecting increase/decrease priority.
Finally, we need to assign the new custom rules for processing in our Event Sources. This can be done by performing the following procedure:
- In the GFI EventsMtgyanager Management Console, click on Configuration and select Event Sources.
- Right-click on the Event Sources Group you wish to assign this new processing rule and select Properties.
- In the Windows Event Log tab, ensure that the new processing rule is selected and enabled.
- Click on the OK button to save changes.
- Operational Functionality of the GFI EventsManager
- Obtaining a List of Processing Rules and Related Event IDs
1.2 This article has a duplicate that should be archived:
2.2 Changed header names based on Confluence Style Guide
2.4 Changed the title to Creating GFI EventsManager Custom Processing Rules
3.1 Changed labels to (AQI, gfi_comp_eventsmanager_event_processing_processing_rules)
3.2 No hyperlinks, images, and attachments in this article
4.1 Formatted headers to H1
4.2 Added proper punctuation marks and rephrased some sentences
4.3 Formatted all keywords to bold
4.4 No source code lines, queries, and scripts in this article