Collect Security Events

Microsoft.SystemCenter.CollectSecurityEvent (Rule)

This rule collects events from the Security event log and sends them to the cloud.

Element properties:

Target: Microsoft.Windows.Computer
Category: EventCollection
Enabled: False
Alert Generate: False
Remotable: True
Event Log: Security

Member Modules:

ID      Module Type   TypeId                                                           RunAs
DS      DataSource    Microsoft.Windows.EventProvider                                  System.PrivilegedMonitoringAccount
HttpWA  WriteAction   Microsoft.SystemCenter.CollectHighVolumeDirectChannelCloudEvent  Default

Source Code:

<Rule ID="Microsoft.SystemCenter.CollectSecurityEvent" Target="Windows!Microsoft.Windows.Computer" Enabled="false" ConfirmDelivery="true" Remotable="true" Priority="Normal" DiscardLevel="100">
  <Category>EventCollection</Category>
  <DataSources>
    <DataSource ID="DS" TypeID="Windows!Microsoft.Windows.EventProvider" RunAs="System!System.PrivilegedMonitoringAccount">
      <!-- Collecting Security Events for OMS -->
      <ComputerName>$Target/Property[Type="Windows!Microsoft.Windows.Computer"]/NetworkName$</ComputerName>
      <LogName>Security</LogName>
      <Expression/>
    </DataSource>
  </DataSources>
  <WriteActions>
    <WriteAction ID="HttpWA" TypeID="IPTypes!Microsoft.SystemCenter.CollectHighVolumeDirectChannelCloudEvent"/>
  </WriteActions>
</Rule>