Forwarding Windows events in SES Evolution

Forwarding Windows events means specifying, in a rule, which Windows logs and which events in those logs SES Evolution must collect and display.

EXAMPLE
You can choose to forward events relating to user logons on workstations, in order to monitor who logged in and when.

Create an event forwarding rule:

  1. Select the Security > Policies menu and click on your policy.
  2. Select an audit rule set.
  3. Click on External events > Event forwarding.
  4. If you are in read-only mode, click on Edit in the upper banner.
  5. Click on Add > Rule (Event forwarding).
    A new line is displayed.
  6. Click on + Monitored events and provide the following information: the Windows log to read from, and the event IDs to include or exclude (see the example below).
    You can also import a custom Windows events view, which automatically fills in all fields with the desired values. To do so, open the Windows Event Viewer, export the desired custom view as XML, and import it by clicking on the arrow on the right of the field.

    EXAMPLE

    Here, the event IDs 350 to 381 in the System log will be forwarded, except for ID 376.

  7. In the upper banner of the rule, you can:
    • Select the log settings that this rule sends. The severity of an SES Evolution log is derived from the severity of the Windows event. The two severity scales are mapped as follows:
      Windows event type    SES Evolution log
      Audit                 Information
      Critical              Critical
      Error                 Error
      Warning               Warning
      Information           Information
      Verbose               Diagnosis
    • Specify whether an action must be performed when a log is sent for this rule.
    • Enter a description to explain what this rule aims to achieve.
    • Enter a comment.
  8. Add other event forwarding rules if necessary.
  9. Click on Save at the top right of the window to save changes.
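A worked example added here (it is not part of the SES Evolution documentation): a PowerShell script that builds the same custom view as the example above (System log, event IDs 350 to 381 except 376) in the XML layout that the Event Viewer's Export Custom View produces, saves it so that it can be imported through the arrow on the right of the Monitored events field, and dry-runs the filter locally with Get-WinEvent so you can confirm that it matches the events you expect and that the exclusion actually holds before the rule is deployed to workstations. The file path, the view name and the use of a Suppress clause for the exclusion are the example's own choices, not something the product requires.

```powershell
# Added example (not from the SES Evolution documentation): build the custom-view XML
# for "System log, IDs 350-381 except 376", save it, and dry-run the same filter with
# Get-WinEvent before importing it into the event forwarding rule.
# Log name, ID range, output path and view name are assumptions matching the page's example.

$LogName    = 'System'
$FirstId    = 350
$LastId     = 381
$ExcludedId = 376
$OutFile    = Join-Path $env:TEMP 'ses-system-350-381.xml'

# Layout written by Event Viewer's "Export Custom View": the <QueryList> that
# Get-WinEvent/wevtutil accept, wrapped in <ViewerConfig>. <Suppress> expresses
# "except ID 376" without rewriting the <Select> XPath.
$viewXml = @"
<ViewerConfig>
  <QueryConfig>
    <QueryParams>
      <UserQuery />
    </QueryParams>
    <QueryNode>
      <Name>SES - $LogName $FirstId-$LastId</Name>
      <Description>Events collected by the SES Evolution event forwarding rule</Description>
      <QueryList>
        <Query Id="0" Path="$LogName">
          <Select Path="$LogName">*[System[(EventID &gt;= $FirstId and EventID &lt;= $LastId)]]</Select>
          <Suppress Path="$LogName">*[System[(EventID = $ExcludedId)]]</Suppress>
        </Query>
      </QueryList>
    </QueryNode>
  </QueryConfig>
</ViewerConfig>
"@

# Reject malformed XML before it reaches the console: the [xml] cast throws on a parse error.
$doc = [xml]$viewXml
$queryList = $doc.ViewerConfig.QueryConfig.QueryNode.QueryList.OuterXml
Set-Content -Path $OutFile -Value $viewXml -Encoding UTF8
Write-Host "Custom view written to $OutFile"

# Dry run: feed the inner <QueryList> to Get-WinEvent. An empty result is reported
# as an error by Get-WinEvent, so catch that case instead of letting it abort the script.
try {
    $events = @(Get-WinEvent -FilterXml $queryList -MaxEvents 50 -ErrorAction Stop)
} catch {
    if ($_.Exception.Message -like '*No events were found*') { $events = @() }
    else { throw }
}

# Check that the exclusion really holds, then show the Windows level each event
# carries: that level is what decides the severity of the resulting SES Evolution log.
$leaked = $events | Where-Object Id -eq $ExcludedId
if ($leaked) { throw "Filter bug: excluded ID $ExcludedId still matched" }

$events |
    Select-Object TimeCreated, Id, LevelDisplayName, ProviderName |
    Format-Table -AutoSize
Write-Host ("{0} matching event(s) in the {1} log; filter looks sound" -f $events.Count, $LogName)
```

Run it in an elevated PowerShell session on a workstation that actually produces the events of interest; the LevelDisplayName column shows the Windows severity (Critical, Error, Warning, Information, Verbose) that the mapping table above turns into the SES Evolution log severity, so an unexpected level here means the rule's log settings need adjusting.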

SES Evolution also collects, retroactively, the Windows events that were generated while the agent was inactive, for example while the machine was restarting.