Good morning.
I am currently constructing a number of reports showing information relating to our domain controllers.
E.g.
host=domaincontrollers* EventCode>=4944 OR EventCode<=4954 OR EventCode=4946 OR EventCode=4947 OR EventCode=4948 OR EventCode=4949 OR EventCode=4950 OR EventCode=4951 OR EventCode=4952 OR EventCode=4953 OR EventCode=4954 OR EventCode=4957 OR EventCode=4958
This report should list MPSSVC Rule-Level Policy Changes for the Windows Firewall on the domain controllers.
When there are ranges of event codes available (as above with EventCode 4944-4954) is there a better way to capture all events in a more efficient way?
Many thanks in advance for any help you can offer.
Kind regards,
Rob.
if it is always going to be those eventcodes, host=domaincontrollers* EventCode>=4944 EventCode<=4954
should be fine, you shouldn't have to list out all of the other codes.
Hi soniquella,
For me, the best way to manage situations like yours is to use a lookup table, so that you can also change the list of your EventCodes later on:
host=domaincontrollers* [ | inputlookup eventcodes.csv | fields EventCode ] | ...
In this way you have in your search all the EventCodes of your lookup with an OR condition.
Bye.
Giuseppe
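Putting the two answers together, here is an added example that is not from the original thread: the first search builds the eventcodes.csv lookup named in the answer above (run once, or whenever the code list changes), carrying the event codes from the question plus a Description column; the second search is the report itself, which pulls the codes in through the subsearch and then enriches and summarises the results. The Description column, its short labels (my own paraphrases of the Windows event names) and the stats/sort clauses are assumptions, not part of either answer.

```spl
| makeresults
| eval pair=mvappend(
    "4944=Policy active when Windows Firewall started",
    "4945=Rule listed when Windows Firewall started",
    "4946=Rule added",
    "4947=Rule modified",
    "4948=Rule deleted",
    "4949=Settings restored to defaults",
    "4950=Setting changed",
    "4951=Rule ignored: major version not recognised",
    "4952=Rule partly ignored: minor version not recognised",
    "4953=Rule ignored: could not be parsed",
    "4954=Group Policy firewall settings changed",
    "4957=Rule not applied",
    "4958=Rule not applied: referenced items not configured")
| mvexpand pair
| rex field=pair "^(?<EventCode>\d+)=(?<Description>.+)$"
| table EventCode Description
| outputlookup eventcodes.csv

host=domaincontrollers* [ | inputlookup eventcodes.csv | fields EventCode ]
| lookup eventcodes.csv EventCode OUTPUT Description
| stats count, earliest(_time) AS first_seen, latest(_time) AS last_seen BY host, EventCode, Description
| eval first_seen=strftime(first_seen, "%Y-%m-%d %H:%M:%S"),
       last_seen=strftime(last_seen, "%Y-%m-%d %H:%M:%S")
| sort - count
```

The subsearch expands to `(EventCode="4944") OR (EventCode="4945") OR ...`, so adding or removing a row in the lookup changes the report without editing the saved search; the `lookup` stage gives each row a readable label so a spike in rule additions or deletions on a domain controller stands out.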