How to confirm which field parameters to use when creating or editing rules (NETIQKB72374)

  • 7772374
  • 03-Jun-2010
  • 10-Feb-2011

Environment

Security Manager 6x

Development console

Situation

When a rule is created in the Development Console, it is sometimes necessary to use advanced criteria. However, it is not always obvious which parameter corresponds to which criterion for a particular event ID.

Resolution

To find a list of parameter mappings:

1. Go to the Development Console.

2. Right-click any processing rule group.

3. Click "import dynamic link library".

4. Click file\browse\security\security\open.

The resulting window displays a list of parameter mappings. For example, event ID 538 contains the entry: "%tUserName:t%t%t%1%n  %tDomain:t%t%t%2%n    %tLogon ID:t%t%t%3%n  %tLogon Type:t%t%t%4%n"

The number that follows each label is the parameter for that criterion. In this example, Parameter 1 = UserName, Parameter 2 = Domain, Parameter 3 = Logon ID, and Parameter 4 = Logon Type.

Note: Some event IDs contain more parameter mappings than others, and the event ID list is not in numerical order.
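The following Python sketch is an added example, not NetIQ code. It reads entries in the format shown above and returns the parameter number for a named field, so the mapping does not have to be counted by hand. The function names and the event 9999 template are constructed for illustration; it assumes the usual Windows message-template meaning of %n (line break), %t (tab) and %1, %2, ... (numbered parameters).

```python
import re

INSERT = re.compile(r"%(\d+)")  # numbered parameter such as %1
TAB = re.compile(r"%t")         # tab marker inside the template


def parameter_map(template):
    """Return {parameter_number: label} for one event's entry."""
    mapping = {}
    for line in template.split("%n"):      # %n ends each displayed line
        numbers = [int(n) for n in INSERT.findall(line)]
        if not numbers:
            continue                        # heading or empty line, no parameter
        literal = INSERT.sub("", TAB.sub("", line)).strip()
        label = literal.split(":", 1)[0].strip() or "(unlabelled)"
        for n in numbers:                   # one line may carry several parameters
            mapping[n] = label
    return mapping


def _norm(name):
    """Compare labels without regard to case or spacing."""
    return re.sub(r"\s+", "", name).lower()


def find_parameter(templates, event_id, field):
    """Return the lowest parameter number labelled `field`, or None."""
    for number, label in sorted(parameter_map(templates[event_id]).items()):
        if _norm(label) == _norm(field):
            return number
    return None


# The list is not in numerical order, so entries are keyed by event ID.
TEMPLATES = {
    # Constructed entry for illustration only; not a real event definition.
    9999: "Constructed Heading:%n%tSource Host:%t%1%n%tPath:%t%2\\%3%n",
    # Entry for event ID 538 as quoted in this article.
    538: "%tUserName:t%t%t%1%n  %tDomain:t%t%t%2%n    "
         "%tLogon ID:t%t%t%3%n  %tLogon Type:t%t%t%4%n",
}

if __name__ == "__main__":
    for number, label in sorted(parameter_map(TEMPLATES[538]).items()):
        print(f"Parameter {number} = {label}")
```
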

 

Additional Information

Formerly known as NETIQKB72374