Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
420
Views
5
Helpful
3
Replies

How to configure MARS to interprete windows event and send email

Go to solution
guibarati
Level 4
Level 4

‎03-14-2008 11:29 AM - edited ‎03-09-2019 08:18 PM

Does anybody knows how to configure MARS to interprete a determinate log in windows events? The server is already configured in the mars and the events are being stored in MARS, I want to tell MARS "When you see an event with the text XXX, send it by email to abc@acme.com"

Thanks

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
mhellman
Level 7
Level 7

‎03-14-2008 12:36 PM

Sure, create an inspection rule using a keyword in the offset. Once you've tested it, add a notification action. The notification won't send the event though, just a link to the incident.

View solution in original post

0 Helpful
3 Replies 3

Go to solution
mhellman
Level 7
Level 7

‎03-14-2008 12:36 PM

Sure, create an inspection rule using a keyword in the offset. Once you've tested it, add a notification action. The notification won't send the event though, just a link to the incident.

0 Helpful

Go to solution
guibarati
Level 4
Level 4
In response to mhellman

‎03-17-2008 06:31 AM

Hi, Thanks for the help, it clarify a lot the tasks I have to do.

Just one more thing, if I want to add a simple keyword it's just to write it down, with no "" or () or anything else?

Because I have done that, and triggered an event with the keyword but when I do a query for all matching events on that rule, nothing comes out.

and if i make a query with all matching events form a server, there is an event with the keyword I've defined.

Thanks

0 Helpful

Go to solution
mhellman
Level 7
Level 7
In response to guibarati

‎03-17-2008 03:28 PM

"if I want to add a simple keyword it's just to write it down, with no "" or () or anything else? "

yes.

"Because I have done that, and triggered an event with the keyword but"

creating inspection rules are a little wierd at first. When to use values of none/any/etc is not very clear. I would start with a query t find the matching event. Use a result format of "all matching events" and select the "real time" filter. Enter your keyword and then submit. Now generate the event on the reporting device. You should see it in the query. If you do, let's make a rule out of it. Edit the query type and change the filter to "last 10 minutes". Click apply. Now click "Save as rule". Enter the rest of the rule information and submit it.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents