Audit Log Alerts
Verba provides the capability to configure alerts based on specific user actions in the web interface. The Audit Log Alerts feature can be found under the System \ Audit Log Alerts menu (under the Monitoring section).
In order to access this menu item, the user must have at least Read level access at the Audit Log Alerts permission. For further details, see User roles and User permissions.
Audit Log Alert Rules List
Once a user goes to the System \ Audit Log Alerts menu, it lands on the Audit Log Alert Rules list page. On this page, it's possible to filter the rules based on name or alert title, or order based on several properties.
The list of the rules can be also exported as XLS, RTF or PDF on the bottom of the page.
Adding a new Audit Log Alert Rule
A new Audit Log Alert Rule can be added by clicking on the Add New Audit Log Alert Rule link in the upper right corner ow the Audit Log Alert Rules List page.
The following table describes the properties of the Audit Log Alert Rules:
| Property name | Description |
|---|---|
| Name | The name of the Audit Log Event Rule. |
| Alert Severity | The alert will be created with the severity selected here. The severity also defines the Trap OID and Event ID (see the section below). The available severities are:
|
| Alert Title | In the Windows Event Log, the alert data will contain a custom title provided here. This title will be picked up, and will be shown in SCOM as the title of the alert. Different properties of the Audit Log Events can be provided as variables:
|
| Alert Message | The alert will be created with the message provided here. Different properties of the Audit Log Events can be provided as variables:
|
| Event Regexes | The alert will be triggered when the name of the Audit Log Event matches the regex provided here. Besides this, the alert will be triggered also based on the values provided in the Events list (below). |
| Events | The alert will be triggered when one of the selected events happen. Events can be added with the >> icon, or removed from the list with the << icon. Besides this, the alert will be triggered also based on the regex provided in the Event Regexes (above). |
| Users | The alert will be triggered only for the users provided here. |
| Groups | The alert will be triggered only for the groups provided on the list. Groups can be added with the >> icon, or removed from the list with the << icon. |
| Event Detail Content Filters | The alert will be triggered only if the Audit Log Event details are matching to the filters provided here. A new filter can be added with the The Regex checkbox defines whether the provided values are regexes or not. The filter will match if the details of the Audit Log Event contain the value provided in the Matches Any of These textbox. If multiple lines are provided, then there will be OR logic between the lines. |
Once the Audit Log Event Rule is configured, it can be saved by clicking on the Save button.
Alerts generated based on the Audit Log Alert Rules
There are five types of alerts defined, based on the severity of the alert:
| Alert Name | Severity | Trap OID | Event ID |
|---|---|---|---|
| Audit Log Fatal | Fatal | 1.3.6.1.4.1.39067.118.9.1 | 18901 |
| Audit Log Critical | Critical | 1.3.6.1.4.1.39067.118.9.2 | 18902 |
| Audit Log Error | Error | 1.3.6.1.4.1.39067.118.9.3 | 18903 |
| Audit Log Warning | Warning | 1.3.6.1.4.1.39067.118.9.4 | 18904 |
| Audit Log Info | Info | 1.3.6.1.4.1.39067.118.9.5 | 18905 |