Single Package - Two Filters with Same Event Number

+2 votes
asked May 4 in EventSentry by farmer mike (140 points)
I'd like to create a single package containing two filters, but both filters are for the same event.  However, each event would match different details.  For example, using event 4728 "A member was added to a security-enabled global group".  If the group is X, I'd like it to perform action A.  If the group in question is Y, then I want to perform action B.  And if the group is Y AND a wildcard string match is "Johnny B. Good" then I'd like to perform action C.  When I try to set this up using one package and separate filters, none of the actions fire.  If I set them up as separate packages each containing one filter, none of them fire again.  If I combine them all into ONE package and ONE filter, the assigned action will fire, but obviously won't perform different actions since there is only one package and one filter.

1 Answer

+1 vote
answered May 4 by Sally (740 points)
Have you already pushed the settings and restarted the agent service after first creating action A/B/C or after most recently modifying the settings for those actions?  When creating/modifying/deleting an action, the changes don't take effect until the agent receives the new settings and the agent service restarts; after that, as long as your filters are configured correctly, they should start working with any new/modified actions.

If this is something you've been testing on the EventSentry server, you can just click Home > Services and click the top Restart button and that will restart the agent service.  If this is something you've been testing on a remote agent, you can click Groups > Push Configuration > Go, and then click Groups > Other Actions > Restart > Go, this will update the settings and restart the agent service for all of your remote agents.

If that doesn't fix it, it could be that the filters or packages aren't quite correct.  You can use the filter rule test utility to see why an event matches or does not match the filters: https://www.eventsentry.com/documentation/help/html/?console_testingfilterrules.htm  The easiest way to launch it is by right-clicking an event in the console, which you can see in the menu screenshot here: https://www.eventsentry.com/support/tutorial/topic/include-exclude-filters/step/3
commented May 4 by farmer mike (140 points)
Yes, the new configuration was pushed to agents.  Each filter works by itself, but as soon as the second filter is added (or enabled) they both quit.
commented May 4 by Sally (740 points)
Did you restart the agent service?  Even if you hadn't created or modified any actions, sometimes the agent is unable to load the new settings (this is logged as event ID 1034 in the Application log of Windows Event Viewer) and restarting the agent service or pushing the config again will fix it.

How about the filter test results, did your filters show up in the match list?  If not, and you repeat the test with the Verbose checkbox turned on, what does it say in the Reason column for your filter?  If the issue is that the events are on a different machine you can still run the filter tester on them by right-clicking "Event Log Viewer (local)" in the left side of the console and then browsing into the EventSentry groups and selecting the machine that has the events you want to test.  Then a new item called "Event Log Viewer (SERVER1)" will appear in the left side of the console if, for example, you selected SERVER1 in the right-click menu.  Then you can select the security log from SERVER1 and find an applicable 4728 event to right-click and run through the filter tester.
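As an added illustration (not EventSentry's own code or configuration), the three overlapping rules from the question modelled in Python over constructed 4728 events: it shows that the "group Y" and "group Y + Johnny" filters both match the same event, and that a most-specific-filter-wins rule resolves that overlap so only action C fires. Field names, group/member values and the selection rule are assumptions for the example, not EventSentry behaviour.

```python
# Added illustration (not EventSentry code): the three overlapping rules
# from the question as plain Python, evaluated over constructed events.
from dataclasses import dataclass
from fnmatch import fnmatch
from typing import Dict, List, Optional

# Constructed sample events; 4728 = "A member was added to a
# security-enabled global group". Only the fields the rules need.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"EventID": "4728", "GroupName": "X", "MemberName": "CN=Alice,OU=Staff,DC=corp,DC=example"},
    {"EventID": "4728", "GroupName": "Y", "MemberName": "CN=Bob,OU=Staff,DC=corp,DC=example"},
    {"EventID": "4728", "GroupName": "Y", "MemberName": "CN=Johnny B. Good,OU=Staff,DC=corp,DC=example"},
    {"EventID": "4729", "GroupName": "Y", "MemberName": "CN=Johnny B. Good,OU=Staff,DC=corp,DC=example"},
]

@dataclass
class Filter:
    name: str
    event_id: str
    group: str
    member_pattern: str = "*"   # wildcard string match; "*" = any member
    action: str = ""

    def matches(self, ev: Dict[str, str]) -> bool:
        return (ev.get("EventID") == self.event_id
                and ev.get("GroupName") == self.group
                and fnmatch(ev.get("MemberName", ""), self.member_pattern))

    def specificity(self) -> int:
        # one point per constrained field; an unconstrained member adds nothing
        return 2 + (self.member_pattern != "*")

FILTERS = [
    Filter("group X", "4728", "X", action="A"),
    Filter("group Y", "4728", "Y", action="B"),
    Filter("group Y + Johnny", "4728", "Y", "*Johnny B. Good*", action="C"),
]

def matching_filters(ev: Dict[str, str], filters=FILTERS) -> List[str]:
    """Every filter whose conditions hold for the event (the overlap a
    verbose filter-test listing would reveal)."""
    return [f.name for f in filters if f.matches(ev)]

def select_action(ev: Dict[str, str], filters=FILTERS) -> Optional[str]:
    """Assumed resolution rule: the most specific matching filter wins, so
    a group-Y event naming Johnny gets action C rather than B."""
    hits = [f for f in filters if f.matches(ev)]
    return max(hits, key=Filter.specificity).action if hits else None
```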