This is not a question, but more of a “hey, I did something”, and it might be useful for other people.
I have Software Restriction Policies (SRP) active on all my PCs via GPO. In short, it whitelists the applications that are allowed to run. It's great for stopping users from running little apps they download or bring in on a USB key.
I have another GPO that forwards the SRP events to a central server. They say something like "Bob just tried to run not_a_virus.exe and was blocked".
I have a custom event forwarder that sends to PRTG via syslog. Something like the SolarWinds event forwarder will not work, since it's already a forwarded event, I think, and it's not in the correct format. The custom event forwarder reads the XML of the event, grabs some fields, builds a syslog event, and sends it off. It runs every minute. (Yes, there is planned overlap: I check the last 5 minutes for exceptions and forward them, which handles reboots of the server or of PRTG.)
Then in PRTG I have a syslog receiver sensor (on the probe); this has an alarm limit of 0.05 (meaning that if I get even one event, the notification will fire). It runs every minute too.
Lastly, the notification is a ticket that does not clear automatically when the sensor turns green. It has to be manually cleared.
You will get an email of the ticket; you can then check the PRTG syslog sensor and go to the Messages tab to see the event.
Some questions you might have:
- Why don't I just use Splunk? Because it costs too much. What about Splunk Free? It doesn't have alarms.
- What about Graylog? It's free and has alarms. Yeah, you can use that; I was, but it was another system that really only did one thing.
- I still use Splunk Free for logging things like file audits (things that don't need alerts). And it's much better than Graylog for the things I use it for.
- Why can't I just look at the logs once a week to see what's happened? If a user is doing something suspicious or malicious (and it's not delicious) then you want to know about it quickly to take further action.
Anyway, I hope that adds another use for your PRTG install.
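Below is an added example of the kind of custom event forwarder the post describes; it is not the poster's script. It reads SRP block events from the collector's ForwardedEvents log, pulls the fields out of each event's XML rather than the rendered message text, builds an RFC 3164 syslog line and sends it over UDP to the PRTG probe, with the same 5-minute lookback window. The syslog host and port, the log name, and the SRP event IDs (865 to 868 and 882 from the Microsoft-Windows-SoftwareRestrictionPolicies provider) are assumptions to check against your own Event Viewer. It also adds one thing the post does not have: a small state file holding the last RecordId sent, so the overlap window does not resend the same block five times.

```powershell
# Added example, not the poster's forwarder: read SRP block events from the
# collector's ForwardedEvents log, pull the fields out of each event's XML,
# build an RFC 3164 syslog line and send it over UDP to the PRTG probe.
# Runs once per invocation; schedule it every minute with Task Scheduler.
#
# Assumptions (not from the post, change for your site):
#   - $SyslogHost/$SyslogPort is the PRTG probe's syslog receiver sensor
#   - forwarded events land in the ForwardedEvents log on this server
#   - SRP blocks are the default event IDs 865-868 and 882 from provider
#     Microsoft-Windows-SoftwareRestrictionPolicies (verify in Event Viewer)
param(
    [string]$SyslogHost      = '192.0.2.10',
    [int]   $SyslogPort      = 514,
    [string]$LogName         = 'ForwardedEvents',
    [int]   $LookbackMinutes = 5,
    # State file so the 5-minute overlap window does not resend the same event.
    [string]$StatePath       = (Join-Path $env:ProgramData 'srp-forwarder.last')
)

$srpEventIds = 865, 866, 867, 868, 882
$pri         = 16 * 8 + 4            # facility local0 (16), severity warning (4)
$inv         = [System.Globalization.CultureInfo]::InvariantCulture

# Highest ForwardedEvents RecordId already sent; 0 on first run or if the
# state file is lost, in which case the whole lookback window is (re)sent.
$lastSent = 0
if (Test-Path $StatePath) {
    $raw = Get-Content -Path $StatePath -Raw
    if ($raw -and $raw.Trim() -match '^\d+$') { $lastSent = [long]$raw.Trim() }
}

# Filter on the event log service side: only SRP events, only the overlap window.
# Get-WinEvent throws "No events were found" on an empty result, hence the
# SilentlyContinue; an empty window is the normal, healthy case.
$events = Get-WinEvent -ErrorAction SilentlyContinue -FilterHashtable @{
    LogName      = $LogName
    ProviderName = 'Microsoft-Windows-SoftwareRestrictionPolicies'
    Id           = $srpEventIds
    StartTime    = (Get-Date).AddMinutes(-$LookbackMinutes)
}

$udp = New-Object System.Net.Sockets.UdpClient
try {
    foreach ($ev in ($events | Where-Object { $_.RecordId -gt $lastSent } | Sort-Object RecordId)) {
        # Use the event XML, not the rendered Message: the XML survives
        # forwarding and does not need the provider's message DLL on the collector.
        $xml = [xml]$ev.ToXml()
        $sys = $xml.Event.System

        # SRP EventData is a list of <Data> strings (blocked path, rule, ...).
        # Elements may or may not carry a Name attribute, so handle both shapes.
        $fields = foreach ($d in $xml.Event.EventData.Data) {
            if ($d -is [System.Xml.XmlElement]) { $d.InnerText } else { [string]$d }
        }

        # Resolve the SID in <Security UserID="..."> to DOMAIN\user where possible;
        # a SID this server cannot resolve is sent as the raw SID instead.
        $sid  = $sys.Security.UserID
        $user = $sid
        if ($sid) {
            try {
                $user = ([System.Security.Principal.SecurityIdentifier]$sid).Translate(
                            [System.Security.Principal.NTAccount]).Value
            } catch { $user = $sid }
        }

        # RFC 3164 header: <PRI>Mmm dd hh:mm:ss HOSTNAME TAG: MSG (day is space-padded).
        $t    = $ev.TimeCreated
        $hdr  = '<{0}>{1} {2,2} {3} {4} SRP:' -f $pri,
                    $t.ToString('MMM', $inv), $t.Day, $t.ToString('HH:mm:ss', $inv),
                    $sys.Computer
        $body = 'EventID={0} RecordId={1} User={2} Data="{3}"' -f $ev.Id,
                    $ev.RecordId, $user, (($fields -join ' | ') -replace '[\r\n]+', ' ')

        $bytes = [System.Text.Encoding]::UTF8.GetBytes("$hdr $body")
        $udp.Send($bytes, $bytes.Length, $SyslogHost, $SyslogPort) | Out-Null

        $lastSent = [long]$ev.RecordId
    }
}
finally {
    $udp.Close()
    # Persist only after the loop so a crash mid-run resends rather than drops.
    Set-Content -Path $StatePath -Value $lastSent
}
```

Run it as a scheduled task every minute under an account that can read the ForwardedEvents log (membership of the local Event Log Readers group is enough). Because already-sent RecordIds are skipped, each block shows up once in the PRTG syslog sensor's Messages tab, but the 5-minute window still covers a missed run or a restart of the collector or of PRTG, which is exactly what the overlap in the post is for.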