How to confirm which field parameters to use when creating or editing rules (NETIQKB72374)

  • 7772374
  • 03-Jun-2010
  • 10-Feb-2011


Security Manager 6x

Development console


Whenever a rule is created in the development console, it is sometimes necessary to use advanced criteria. However it is not always obvious which parameter equates to which criteria for a particular event id.


To find a list of parameter mappings:

1. Go to development console

2. right click any processing rule group

3. click "import dynamic link library"

4. click file\browse\security\security\open

The resulting window will display a list of parameter mappings.  For example: event id 538 contains entry: "%tUserName:t%t%t%1%n  %tDomain:t%t%t%2%n    %tLogon ID:t%t%t%3%n  %tLogon Type:t%t%t%4%n" 

The subsequent number entry is the parameter for that criteria.  In this example Parameter 1 = UserName, Parameter 2 = Domain, Parameter 3 = Logon ID, and Parameter 4 = Logon Type.

Note: Some event id's will contain more parameter mappings than others and the event id list is not in numerical order.


Additional Information

Formerly known as NETIQKB72374