Audit Log Alerts

Verba provides the capability to configure alerts based on specific user actions in the web interface. The Audit Log Alerts feature can be found under the System \ Audit Log Alerts menu (under the Monitoring section).

In order to access this menu item, the user must have at least Read level access at the Audit Log Alerts permission. For further details, see User roles and User permissions.

Audit Log Alert Rules List

Once a user goes to the System \ Audit Log Alerts menu, it lands on the Audit Log Alert Rules list page. On this page, it's possible to filter the rules based on name or alert title, or order based on several properties.

The list of the rules can be also exported as XLS, RTF or PDF on the bottom of the page.

Adding a new Audit Log Alert Rule

A new Audit Log Alert Rule can be added by clicking on the Add New Audit Log Alert Rule link in the upper right corner ow the Audit Log Alert Rules List page.

The following table describes the properties of the Audit Log Alert Rules:

Property nameDescription
NameThe name of the Audit Log Event Rule.
Alert Severity

The alert will be created with the severity selected here. The severity also defines the Trap OID and Event ID (see the section below). The available severities are:

  • Fatal
  • Critical
  • Error
  • Warning
  • Notification
Alert Title

In the Windows Event Log, the alert data will contain a custom title provided here. This title will be picked up, and will be shown in SCOM as the title of the alert. Different properties of the Audit Log Events can be provided as variables:

  • ${EVENT}
  • ${USER}
  • ${TIME}
Alert Message

The alert will be created with the message provided here. Different properties of the Audit Log Events can be provided as variables:

  • ${EVENT}
  • ${USER}
  • ${TIME}
  • ${DETAILS}
Event RegexesThe alert will be triggered when the name of the Audit Log Event matches the regex provided here. Besides this, the alert will be triggered also based on the values provided in the Events list (below).
EventsThe alert will be triggered when one of the selected events happen. Events can be added with the >> icon, or removed from the list with the << icon. Besides this, the alert will be triggered also based on the regex provided in the Event Regexes (above).
UsersThe alert will be triggered only for the users provided here.
GroupsThe alert will be triggered only for the groups provided on the list. Groups can be added with the >> icon, or removed from the list with the << icon.
Event Detail Content Filters

The alert will be triggered only if the Audit Log Event details are matching to the filters provided here.

A new filter can be added with the icon. If multiple filters are provided, then there will be AND logic between them.

The Regex checkbox defines whether the provided values are regexes or not.

The filter will match if the details of the Audit Log Event contain the value provided in the Matches Any of These textbox. If multiple lines are provided, then there will be OR logic between the lines.

Once the Audit Log Event Rule is configured, it can be saved by clicking on the Save button.

Alerts generated based on the Audit Log Alert Rules

There are five types of alerts defined, based on the severity of the alert:

Alert NameSeverityTrap OIDEvent ID
Audit Log FatalFatal1.3.6.1.4.1.39067.118.9.118901
Audit Log CriticalCritical1.3.6.1.4.1.39067.118.9.218902
Audit Log ErrorError1.3.6.1.4.1.39067.118.9.318903
Audit Log WarningWarning1.3.6.1.4.1.39067.118.9.418904
Audit Log InfoInfo1.3.6.1.4.1.39067.118.9.518905