Rule to monitor Microsoft ATA 1.7 Center - EventID 1015 - Syslog Monitoring Alert
The ATA Center monitors connectivity to the syslog server.
The ATA Gateway has lost connection to the syslog server.
Check connectivity to the syslog server from the ATA Center.
| Target | Microsoft.AdvancedThreatAnalytics.1_7.Center | ||
| Category | ConfigurationHealth | ||
| Enabled | True | ||
| Alert Generate | True | ||
| Alert Severity | Warning | ||
| Alert Priority | Normal | ||
| Remotable | True | ||
| Alert Message |
|
| ID | Module Type | TypeId | RunAs |
|---|---|---|---|
| Microsoft.Windows.EventCollector | DataSource | Microsoft.Windows.EventCollector | Default |
| System.Health.GenerateAlert | WriteAction | System.Health.GenerateAlert | Default |
Home
<Rule ID="Microsoft.AdvancedThreatAnalytics.1_7.Center.SyslogMonitoringAlert" Target="Microsoft.AdvancedThreatAnalytics.1_7.Center" Enabled="true" ConfirmDelivery="false" Remotable="true" Priority="Normal" DiscardLevel="100">
<Category>ConfigurationHealth</Category>
<DataSources>
<DataSource ID="Microsoft.Windows.EventCollector" TypeID="Windows!Microsoft.Windows.EventCollector">
<ComputerName>.</ComputerName>
<LogName>Microsoft ATA</LogName>
<AllowProxying>false</AllowProxying>
<Expression>
<SimpleExpression>
<ValueExpression>
<XPathQuery Type="UnsignedInteger">EventDisplayNumber</XPathQuery>
</ValueExpression>
<Operator>Equal</Operator>
<ValueExpression>
<Value Type="UnsignedInteger">1015</Value>
</ValueExpression>
</SimpleExpression>
</Expression>
</DataSource>
</DataSources>
<WriteActions>
<WriteAction ID="System.Health.GenerateAlert" TypeID="Health!System.Health.GenerateAlert">
<Priority>1</Priority>
<Severity>1</Severity>
<AlertMessageId>$MPElement[Name="Microsoft.AdvancedThreatAnalytics.1_7.Center.SyslogMonitoringAlert.AlertMessage"]$</AlertMessageId>
<AlertParameters>
<AlertParameter1>$Data/EventDescription$</AlertParameter1>
</AlertParameters>
</WriteAction>
</WriteActions>
</Rule>