Technical Tip: How to configure Agent Template -> User Log

1. From the Windows Server - Get the path and file name of the file that will be monitored.
   Example: C:\Temp\Folder\setupact.log. Note the correct file extension and the prefix to use.

2. Create the configuration in SIEM - Windows Agent template configuration -> User Log.

3. Create an association and press the Apply button for the changes to take effect.

4. Run an Analytics Query with the following attributes:

Reporting IP        =        <Host_IP>

Raw Event Log    CONTAIN     AO-WUA-UserFile

Note: If the monitoring file doesn't create new log lines while monitoring, no events will show up in Analytic. To test, open the file, copy some lines that contain the prefix and paste them at the end of the file -> Save. Run the Analytic Query again.

5. If the path or file name is incorrectly entered in the template configuration, an event will be sent indicating:

   'The system cannot find the file specified.'

In version 7.4.0, multiple-line features have been added. 

If the log is divided into multiple lines, the start and end of the log can be indicated (Regular Expression supported), and the number of lines can be specified. See the User Guide -> Configuring Windowd Agent Guide link for more information:  Configuring Windows Agent.