
Software Policy Restrictions – to PRTG


This is not a question, but more of a “hey, I did something”, and it might be useful for other people.

I have Software Policy Restrictions (SRP) active on all my PCs, via GPO. In short, it whitelists applications that can run. It's great for stopping users running little apps they download or bring in on a USB key.

I have another GPO that forwards the SRP events to a central server. They say something like "Bob just tried to run not_a_virus.exe and was blocked".

I have a custom event forwarder that sends to PRTG via syslog. Something like the SolarWinds event forwarder will not work since it's already a forwarded event, I think, and it's not in the correct format. The custom event forwarder reads the XML of the event, grabs some fields, builds a syslog event, and sends it off. It runs every minute. (Yes, there is planned overlap, i.e. I check the last 5 minutes for exceptions and forward them; this handles reboots of the server or of PRTG.)

Then in PRTG I have a syslog receiver (on the probe); this has an alarm limit of 0.05 (meaning if I get an event, then the notification will fire). It runs every minute too.

Lastly the notification is a Ticket that does not clear automatically when the sensor turns green. It has to be manually cleared.

You will get an email of the ticket, can check the PRTG syslog sensor, go to the Messages tab and see the event.

Some questions you might have:

  • Why don't I just use Splunk? Because it costs too much. What about Splunk Free? It doesn't have alarms.
  • What about Graylog? It's free and has alarms. Yeah, you can use that; I was, but it was another system that really only did one thing.
  • I still use Splunk Free for logging things like file audits (things that don't need alerts). And it's much better than Graylog for the things I use it for.
  • Why can't I just look at the logs once a week to see what's happened? If a user is doing something suspicious or malicious (and it's not delicious), then you want to know about it quickly to take further action.

Anyway, I hope that adds another use for your PRTG install.

gpo srp tickets

Created on Mar 29, 2018 6:28:06 AM
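A worked version of the forwarder the post describes, added here as an example; it is not Andrew's script and not anything Paessler ships. Every minute it pulls the SRP block events (SRP being the Windows Software Restriction Policies feature) from the last five minutes, reads each event's XML for the user and the originating computer, builds an RFC 3164 syslog line and sends it over UDP to the probe that hosts the Syslog Receiver sensor. The probe host name, the state-file path, the facility/severity pair and the ForwardedEvents log name (where Windows Event Forwarding subscriptions deliver by default on a collector; Application is the right log on a single PC) are assumptions; the event IDs are the ones SRP writes for blocked executions (865 default level, 866 path rule, 867 certificate rule, 868 zone rule, 882 hash rule).

```powershell
<#
  Forward-SrpEvents.ps1 (added example; not the poster's script and not part of PRTG)
  Run it every minute, e.g. as a scheduled task under SYSTEM:
    schtasks /Create /SC MINUTE /MO 1 /TN "SRP-to-PRTG" /RU SYSTEM `
      /TR "powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\Scripts\Forward-SrpEvents.ps1"
  Assumed (not in the post): probe host name, state-file path, log name, facility/severity.
#>
param(
    [string]$ProbeHost       = 'prtg-probe.example.local',  # assumed: host whose probe runs the Syslog Receiver sensor
    [int]   $ProbePort       = 514,                         # PRTG syslog default, UDP
    [string]$LogName         = 'ForwardedEvents',           # WEF subscriptions deliver here by default; 'Application' on a single PC
    [int]   $LookbackMinutes = 5,                           # the overlap the post describes
    [string]$StateFile       = "$env:ProgramData\SrpForwarder\last-record.txt"  # assumed path
)

# SRP block events (provider Microsoft-Windows-SoftwareRestrictionPolicies):
# 865 default level, 866 path rule, 867 certificate rule, 868 zone rule, 882 hash rule.
$SrpEventIds = 865, 866, 867, 868, 882

function ConvertTo-SyslogLine {
    # Build one RFC 3164 line: <PRI>Mmm dd HH:mm:ss host tag: message
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $xml      = [xml]$Event.ToXml()                        # read the event XML, as the post does
    $sid      = $xml.Event.System.Security.UserID          # SID of the account that tried to run the file
    $computer = $xml.Event.System.Computer                 # originating PC, not the collector
    $user = if ($sid) { $sid } else { '?' }
    if ($sid) {
        try { $user = (New-Object Security.Principal.SecurityIdentifier $sid).Translate([Security.Principal.NTAccount]).Value } catch {}
    }
    # %1 of every SRP block message is the blocked path, so it is the first EventData value.
    $exe  = if ($Event.Properties.Count -gt 0) { $Event.Properties[0].Value } else { '?' }
    $text = $Event.Message -replace '\s+', ' '
    if (-not $text) { $text = "SRP event $($Event.Id)" }   # forwarded events can arrive without rendered text
    $pri   = 4 * 8 + 3                                     # facility auth (4), severity error (3); adjust to suit the sensor's filter rules
    $t     = $Event.TimeCreated
    $stamp = '{0} {1,2} {2:HH:mm:ss}' -f $t.ToString('MMM', [Globalization.CultureInfo]::InvariantCulture), $t.Day, $t
    $line  = "<$pri>$stamp $computer srp[$($Event.Id)]: user=`"$user`" exe=`"$exe`" msg=`"$text`""
    if ($line.Length -gt 1000) { $line = $line.Substring(0, 1000) }   # keep it inside one UDP datagram
    return $line
}

# Highest RecordId already forwarded. The lookback overlap covers a reboot of this
# host or of PRTG; the state file stops one block becoming a ticket on every run.
$lastRecord = 0
if (Test-Path $StateFile) { $lastRecord = [long](Get-Content -Path $StateFile -ErrorAction SilentlyContinue) }

$events = Get-WinEvent -ErrorAction SilentlyContinue -FilterHashtable @{
    LogName      = $LogName
    ProviderName = 'Microsoft-Windows-SoftwareRestrictionPolicies'
    Id           = $SrpEventIds
    StartTime    = (Get-Date).AddMinutes(-$LookbackMinutes)
} | Where-Object { $_.RecordId -gt $lastRecord } | Sort-Object RecordId
if (-not $events) { return }

$udp = New-Object System.Net.Sockets.UdpClient
try {
    foreach ($ev in $events) {
        $bytes = [Text.Encoding]::UTF8.GetBytes((ConvertTo-SyslogLine -Event $ev))
        [void]$udp.Send($bytes, $bytes.Length, $ProbeHost, $ProbePort)
    }
} finally { $udp.Close() }

# Record progress only after every line went out, so a failed run is simply retried next minute.
$null = New-Item -ItemType Directory -Force -Path (Split-Path -Parent $StateFile)
Set-Content -Path $StateFile -Value ($events | Select-Object -Last 1).RecordId
```

One thing this adds to the scheme in the post is the RecordId state file: with a one-minute schedule and a five-minute lookback, a forwarder that does not remember what it already sent delivers each block on every run inside the overlap window, and the sensor's limit of 0.05 then raises the notification several times for one event. With the state file the lookback can be made as wide as you like (long PRTG outages included) without duplicate tickets, and the progress marker is only written after the whole batch has been sent, so a failed send is retried next minute. Keep the syslog line short: the probe receives it over UDP, and the user, originating computer and blocked path are what you want in the ticket, not the full rendered message.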



1 Reply


Hi Andrew,

Thank you for sharing this solution with us. We appreciate that :)


Kind regards,
Birk Guttmann, Tech Support Team

Created on Mar 29, 2018 10:43:34 AM by  Birk Guttmann [Paessler Support]



