1 Reply Latest reply on Oct 2, 2014 5:31 AM by vinaya_k

    Need to monitor installation software activity on WMI datasource

    suopas

      Hi Everybody,

       

      I'm using ESM 9.4, and I have an issue with a Windows event rule, as described below.

      I need to monitor and query events for software installation activity on a Windows server.

      But the ESM WMI datasource rule shows only the subject; it does not show the name of the software in the detail/custom type field.

       

      I tried to customize the Windows Event rule, but the rule cannot be modified. I think ESM can edit only ASP rules.

       

      Please see the details.

      The packet from Windows WMI shows the Software Product and Version.

       

      2014-10-02_111805.png

       

      But ESM is not parsing the Software Product and Version into an ESM field.

      2014-10-02_112047.png

       

      2014-10-02_112055.png

       

       

       

      Thanks

      SD

        • 1. Re: Need to monitor installation software activity on WMI datasource
          vinaya_k

          Hi Suopas,

           

          McAfee by default parses all WMI security logs, and it just collects application and system logs by parsing minimal information. We had the same situation when we had a log for a document being printed but the name of the document was not being parsed. Finally, we raised a PER (Product Enhancement Request) with McAfee to sort out the issue.

          The reason you need to raise a PER is that WMI parsers are code-based parsers, unlike syslog, where you can write your own RegEx to parse the events.

           

          Regards,

           

          Vinaya.