The ATA Gateway monitors Syslog Event collection.
The ATA Gateway has stopped receiving syslog events.
Check the syslog server is still sending events to the ATA Gateway.
| Target | Microsoft.AdvancedThreatAnalytics.1_9.Center | ||
| Category | AvailabilityHealth | ||
| Enabled | True | ||
| Alert Generate | True | ||
| Alert Severity | Warning | ||
| Alert Priority | Normal | ||
| Remotable | True | ||
| Alert Message |
| ||
| Event Log | Microsoft ATA |
| ID | Module Type | TypeId | RunAs |
|---|---|---|---|
| Microsoft.Windows.EventCollector | DataSource | Microsoft.Windows.EventProvider | Default |
| System.Health.GenerateAlert | WriteAction | System.Health.GenerateAlert | Default |
Home
ENU <Rule ID="Microsoft.AdvancedThreatAnalytics.1_9.Center.GatewaySyslogEventListenerMonitoringAlert" Target="Microsoft.AdvancedThreatAnalytics.1_9.Center" Enabled="true" ConfirmDelivery="true" Remotable="true" Priority="Normal" DiscardLevel="100">
<Category>AvailabilityHealth</Category>
<DataSources>
<DataSource ID="Microsoft.Windows.EventCollector" TypeID="Windows!Microsoft.Windows.EventProvider">
<ComputerName>$Target/Host/Property[Type="Windows!Microsoft.Windows.Computer"]/NetworkName$</ComputerName>
<LogName>Microsoft ATA</LogName>
<AllowProxying>false</AllowProxying>
<Expression>
<SimpleExpression>
<ValueExpression>
<XPathQuery Type="UnsignedInteger">EventDisplayNumber</XPathQuery>
</ValueExpression>
<Operator>Equal</Operator>
<ValueExpression>
<Value Type="UnsignedInteger">1021</Value>
</ValueExpression>
</SimpleExpression>
</Expression>
</DataSource>
</DataSources>
<WriteActions>
<WriteAction ID="System.Health.GenerateAlert" TypeID="Health!System.Health.GenerateAlert">
<Priority>1</Priority>
<Severity>1</Severity>
<AlertMessageId>$MPElement[Name="Microsoft.AdvancedThreatAnalytics.1_9.Center.GatewaySyslogEventListenerMonitoringAlert.AlertMessage"]$</AlertMessageId>
<AlertParameters>
<AlertParameter1>$Data/EventDescription$</AlertParameter1>
</AlertParameters>
</WriteAction>
</WriteActions>
</Rule>