KBI 220527 Security Event Log and Event ID 560
Version
Argent Data Consolidator 8.0A-0701
Date
13 Apr 2007
Summary
When consolidating events with Event ID 560 and looking specifically for text in the Accesses portion of the event, the rule does not send alerts, and reports find no events matching the specified criteria.
An example is below:
Technical Background
When these events are consolidated, the data from the Accesses portion of the event is stored in the database as a numerical value. Therefore, none of the alerts, filters or reports will work on the given rule.
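The mismatch described above, as an added example that is not Argent code: a text filter run against a numerically stored Accesses value finds nothing until the numbers are resolved to names. It assumes the stored numbers are the %%NNNN message identifiers Windows writes in the raw 560 record for file objects (the page does not say which numeric form the database holds); the function names and the sample value are constructed for illustration.

```python
import re

# Message identifiers Windows writes in the Accesses string of a raw 560
# record for file objects; event viewers resolve them to text at display time.
ACCESS_CODES = {
    1537: "DELETE", 1538: "READ_CONTROL", 1539: "WRITE_DAC",
    1540: "WRITE_OWNER", 1541: "SYNCHRONIZE", 1542: "ACCESS_SYS_SEC",
    4416: "ReadData (or ListDirectory)", 4417: "WriteData (or AddFile)",
    4418: "AppendData (or AddSubdirectory or CreatePipeInstance)",
    4419: "ReadEA", 4420: "WriteEA", 4421: "Execute/Traverse",
    4422: "DeleteChild", 4423: "ReadAttributes", 4424: "WriteAttributes",
}


def resolve_accesses(stored):
    """Replace each %%NNNN token with its access name; unknown codes stay as-is."""
    def sub(match):
        return ACCESS_CODES.get(int(match.group(1)), match.group(0))
    return re.sub(r"%%(\d+)", sub, stored)


def text_filter_matches(needle, stored, resolve=False):
    """Case-insensitive substring filter, as a text rule on Accesses would apply."""
    haystack = resolve_accesses(stored) if resolve else stored
    return needle.lower() in haystack.lower()


# Constructed sample: the Accesses value of one 560 event kept in numeric form
# (assumption: %%NNNN tokens; %%9999 is a deliberately unknown code).
SAMPLE_ACCESSES = "%%1538 %%1541 %%4417 %%4418 %%9999"

if __name__ == "__main__":
    # The text rule misses the event while the value is still numeric...
    print(text_filter_matches("WriteData", SAMPLE_ACCESSES))
    # ...and matches once the codes are resolved to names.
    print(text_filter_matches("WriteData", SAMPLE_ACCESSES, resolve=True))
    print(resolve_accesses(SAMPLE_ACCESSES))
```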
Resolution
Development has been made aware of this issue.