Cisco Support Community
Bronze

How to configure MARS to interpret Windows event and send email

Does anybody know how to configure MARS to interpret a determinate log in Windows events? The server is already configured in the MARS and the events are being stored in MARS. I want to tell MARS: "When you see an event with the text XXX, send it by email to abc@acme.com"

Thanks

1 ACCEPTED SOLUTION

Accepted Solutions
Gold

Re: How to configure MARS to interpret Windows event and send e

Sure, create an inspection rule using a keyword in the offset. Once you've tested it, add a notification action. The notification won't send the event though, just a link to the incident.

3 REPLIES
Bronze

Re: How to configure MARS to interpret Windows event and send e

Hi, thanks for the help, it clarifies a lot the tasks I have to do.

Just one more thing, if I want to add a simple keyword it's just to write it down, with no "" or () or anything else?

Because I have done that, and triggered an event with the keyword but when I do a query for all matching events on that rule, nothing comes out.

And if I make a query with all matching events from a server, there is an event with the keyword I've defined.

Thanks

Gold

Re: How to configure MARS to interpret Windows event and send e

"if I want to add a simple keyword it's just to write it down, with no "" or () or anything else? "

Yes.

"Because I have done that, and triggered an event with the keyword but"

Creating inspection rules is a little weird at first. When to use values of none/any/etc. is not very clear. I would start with a query to find the matching event. Use a result format of "all matching events" and select the "real time" filter. Enter your keyword and then submit. Now generate the event on the reporting device. You should see it in the query. If you do, let's make a rule out of it. Edit the query type and change the filter to "last 10 minutes". Click apply. Now click "Save as rule". Enter the rest of the rule information and submit it.
