How to confirm which field parameters to use when creating or editing rules (NETIQKB72374)

  • 7772374
  • 03-Jun-2010
  • 10-Feb-2011

Environment

Security Manager 6x

Development console

Situation

When a rule is created in the development console, it is sometimes necessary to use advanced criteria. However, it is not always obvious which parameter corresponds to which criterion for a particular event ID.

Resolution

To find a list of parameter mappings:

1. Go to the development console.

2. Right-click any processing rule group.

3. Click "import dynamic link library".

4. Click file\browse\security\security\open.

The resulting window will display a list of parameter mappings. For example, event ID 538 contains the entry: "%tUserName:t%t%t%1%n  %tDomain:t%t%t%2%n    %tLogon ID:t%t%t%3%n  %tLogon Type:t%t%t%4%n"

The number that follows each field label is the parameter for that criterion. In this example Parameter 1 = UserName, Parameter 2 = Domain, Parameter 3 = Logon ID, and Parameter 4 = Logon Type.

Note: Some event IDs contain more parameter mappings than others, and the event ID list is not in numerical order.
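The mapping can also be read out of an entry mechanically. The following is an added example, not NetIQ code or part of the original article. It parses the event 538 entry quoted above, and it assumes that %t and %n are tab and newline escapes and that the ":t" after each label (as printed in the article) belongs to the separator. The function names and the second sample entry are constructed for illustration.

```python
import re

# Event 538 entry exactly as quoted in the article.
EVENT_538 = ("%tUserName:t%t%t%1%n  %tDomain:t%t%t%2%n    "
             "%tLogon ID:t%t%t%3%n  %tLogon Type:t%t%t%4%n")

# Constructed sample (not from the article): a header line with no
# parameter, and one field line that carries two parameters.
CONSTRUCTED = "Logon Failure:%n%tReason:%t%1%n%tSource:%t%2 %3%n"

PLACEHOLDER = re.compile(r"%(\d+)")   # %1, %2, ... are the parameter slots


def parameter_map(template):
    """Return {parameter number: field label} for one message entry."""
    mapping = {}
    for line in template.split("%n"):            # %n ends each field line
        first = PLACEHOLDER.search(line)
        if first is None:
            continue                             # header or blank: no parameter
        label = line[:first.start()]             # text before the first %N
        label = label.replace("%t", "").strip()  # drop tab escapes and padding
        label = re.sub(r":t?$", "", label).strip()  # drop ':' / ':t' separator
        for number in PLACEHOLDER.findall(line):
            # Several parameters on one line share that line's label.
            mapping[int(number)] = label or "(unlabelled)"
    return mapping


def describe(template):
    """Format the mapping the way the article states it."""
    return ["Parameter %d = %s" % (n, label)
            for n, label in sorted(parameter_map(template).items())]


if __name__ == "__main__":
    for entry in (EVENT_538, CONSTRUCTED):
        print("\n".join(describe(entry)), end="\n\n")
```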

 

Additional Information

Formerly known as NETIQKB72374
