
Event Log Monitor

Updated today

Introduction

Watch the Windows Event Log for specific event IDs and alert when they appear too frequently. The Event Log monitor fires when a matching event occurs a defined number of times within your chosen time window — useful for catching brute-force login attempts, application crashes, disk errors, and other patterns that only matter in volume.

ℹ️ NOTE: The Event Log monitor currently supports Windows only. macOS and Linux support is coming in a future update.


Event Log Monitor

Level watches the Windows Event Log on covered devices for any of the event IDs you specify. When the matching events accumulate to your Occurrences count within the Duration window, an alert fires.

The combination of occurrences and duration is what makes this useful. Event ID 4625 (failed logon) appearing once isn't notable. Appearing 10 times in a minute is a brute-force attempt worth acting on immediately.


Configuring the Event Log Monitor

Open the target monitor policy, then add or edit an Event Log monitor. The Edit monitor panel opens on the right.

Name and Type

  1. Enter a name in the Name field. Include the event ID and what it represents — "Failed Login Attempts (4625)" is immediately readable in an alert list.

  2. Set Type to Event log.

Severity

Set Severity based on what the event IDs represent in context:

  • Information

  • Warning

  • Critical

  • Emergency

Event IDs

Enter one or more Windows Event IDs to watch. Type an ID and press Tab or add a comma to add it as a tag, then continue entering more.

💡 TIP: You can monitor multiple related event IDs in a single monitor. For example, group all failed authentication event IDs (4625, 4771, 4776) into one monitor rather than creating separate monitors for each.

Log Name

Enter the name of the Windows Event Log to watch. The field is case-insensitive. Common values:

  • Security — security and logon events

  • System — OS-level events, hardware, drivers

  • Application — application-generated events


Source

Source is optional. Enter a source name to narrow the monitor to events from a specific application or component within the log. Leave blank to match the event IDs across any source in that log.

Levels

Select one or more event log levels to match. Only events at the selected levels will count toward your occurrences threshold:

  • Information

  • Warning

  • Error

  • Critical

  • Verbose

Click the dropdown to add levels. Click × next to a level chip to remove it. Click the × on the right of the field to clear all selections.

ℹ️ NOTE: Windows Event Log levels and Level alert severity are separate concepts. The Levels field filters which event log entries are counted; Severity sets the priority of the alert Level creates.

Occurrences

Occurrences sets how many matching events must be detected within the duration window before an alert fires. Use the up/down arrows to set the value.


Duration

Duration sets the time window for counting occurrences. The unit dropdown lets you choose Minutes or Hours; the slider and up/down arrows set the value within that unit.

💡 TIP: Match the duration window to the threat model. Failed logins are best monitored over a short window (e.g., 10 failures in 30 minutes) to catch active attacks. Application crashes might use a wider window (e.g., 5 crashes in 1 hour) to avoid alerting on isolated incidents.
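The Occurrences and Duration semantics described above, together with the Log Name, Source and Levels filters, amount to a sliding-window count per monitor. The script below is an added example written for this page, not Level's code: it replays a constructed set of sample event records (not real Windows Event Log output) through three monitors, including the two-threshold arrangement from the FAQ (3 failed logons in 1 hour as Warning, 10 in 1 minute as Critical). The record field names and the re-fire behaviour after an alert are assumptions, noted in the comments.

```python
"""Sliding-window threshold check mirroring the Event Log monitor's semantics.

Added example (not Level's code). Each monitor counts matching events inside a
trailing `duration` window and fires when the count reaches `occurrences`.
Event records are constructed samples; their field names are assumptions chosen
to line up with the monitor's fields (Log Name, Source, Levels, Event IDs).
"""
from collections import deque
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Deque, FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Event:
    time: datetime
    log_name: str
    event_id: int
    level: str
    source: str


@dataclass
class EventLogMonitor:
    name: str
    severity: str                 # alert priority, separate from the event's level
    event_ids: FrozenSet[int]     # one monitor can watch several related IDs
    log_name: str                 # matched case-insensitively, as the page states
    levels: FrozenSet[str]        # only these event log levels count
    occurrences: int
    duration: timedelta
    source: Optional[str] = None  # None matches any source in the log
    _window: Deque[datetime] = field(default_factory=deque, repr=False)

    def matches(self, ev: Event) -> bool:
        return (
            ev.log_name.lower() == self.log_name.lower()
            and ev.event_id in self.event_ids
            and ev.level in self.levels
            and (self.source is None or ev.source == self.source)
        )

    def feed(self, ev: Event) -> bool:
        """Return True when this event brings the windowed count to the threshold.

        Assumption (the page does not specify re-fire behaviour): the window is
        cleared after firing, so one burst yields one alert, not one per event.
        """
        if not self.matches(ev):
            return False
        self._window.append(ev.time)
        cutoff = ev.time - self.duration
        while self._window and self._window[0] < cutoff:
            self._window.popleft()          # drop events older than the window
        if len(self._window) >= self.occurrences:
            self._window.clear()
            return True
        return False


Alert = Tuple[str, str, datetime]  # (monitor name, severity, time fired)


def run_monitors(monitors: List[EventLogMonitor], events: List[Event]) -> List[Alert]:
    """Replay events in time order through every monitor and collect alerts."""
    alerts: List[Alert] = []
    for ev in sorted(events, key=lambda e: e.time):
        for mon in monitors:
            if mon.feed(ev):
                alerts.append((mon.name, mon.severity, ev.time))
    return alerts


def build_monitors() -> List[EventLogMonitor]:
    auth_ids = frozenset({4625, 4771, 4776})  # grouped failed-auth IDs, per the tip above
    info = frozenset({"Information"})          # Security audit events are logged at this level
    return [
        EventLogMonitor("Failed Login Attempts (4625)", "Warning", auth_ids,
                        "Security", info, 3, timedelta(hours=1)),
        EventLogMonitor("Failed Login Burst (4625)", "Critical", auth_ids,
                        "Security", info, 10, timedelta(minutes=1)),
        EventLogMonitor("Application Crashes (1000)", "Warning", frozenset({1000}),
                        "Application", frozenset({"Error"}), 5, timedelta(hours=1),
                        source="Application Error"),
    ]


def sample_events() -> List[Event]:
    """Constructed sample day: slow failed logons, then a burst, then app crashes."""
    sec = "Microsoft-Windows-Security-Auditing"
    t0 = datetime(2024, 1, 15, 8, 0, 0)
    events = [Event(t0 + timedelta(minutes=20 * i), "Security", 4625, "Information", sec)
              for i in range(3)]                                   # 08:00, 08:20, 08:40
    burst = datetime(2024, 1, 15, 9, 0, 0)
    events += [Event(burst + timedelta(seconds=3 * i), "SECURITY", 4625, "Information", sec)
               for i in range(10)]                                 # 10 failures in 27 s
    t1 = datetime(2024, 1, 15, 10, 0, 0)
    app = "Application Error"
    events += [Event(t1 + timedelta(minutes=10 * i), "Application", 1000, "Error", app)
               for i in range(4)]                                  # 10:00 .. 10:30
    events.append(Event(t1 + timedelta(minutes=40), "Application", 1000, "Information", app))
    events.append(Event(t1 + timedelta(minutes=45), "Application", 1000, "Error", "OtherApp"))
    events.append(Event(t1 + timedelta(minutes=50), "Application", 1000, "Error", app))
    return events                # 10:40 fails the Levels filter, 10:45 the Source filter


if __name__ == "__main__":
    for name, severity, when in run_monitors(build_monitors(), sample_events()):
        print(f"{when:%H:%M:%S}  {severity:<8} {name}")
```

Running it shows the Warning monitor firing at 08:40 on the three slow failures and again during the burst, the Critical monitor firing only once, at 09:00:27, when the tenth failure lands inside a single minute, and the crash monitor waiting until 10:50 because the Information-level entry and the entry from another source are never counted.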

Auto-Resolve

The Auto-resolve alert if it is no longer applicable setting is disabled by default for Event Log monitors. Event-based alerts represent something that already happened — they don't have a "currently breached" state to clear automatically, so leaving auto-resolve off means alerts persist until a technician reviews and resolves them.

Remediation

Attach one or more automations to run when this monitor fires — isolate a device, reset a user account, create a ticket, or page your team.

  1. Click in the Remediation field and select an automation.

  2. To add more, click + Add another remediation.

  3. To remove one, click the × next to it.

ℹ️ NOTE: Remediations run when the alert is created, not when it resolves.


Notifications

  • Send notifications on alert creation — policy recipients get an email when the alert fires

  • Send notifications on alert resolution — policy recipients get an email when the alert resolves

Recipients are managed at the monitor policy level, in the Recipients section.


Saving the Monitor

Click Update monitor to save changes, or Add monitor when adding a new one.


Frequently Asked Questions

  • Who can create and edit monitors? Technicians with access to the relevant monitor policy. Permission settings are managed in Workspace → Permissions.

  • Where do I find event IDs for the events I want to monitor? Windows Event Viewer is the fastest way — find an event you want to monitor, open its properties, and the Event ID is listed there. Microsoft's documentation and security references like the Windows Security Log Encyclopedia are also useful for common security event IDs.

  • Can I monitor the same event ID with different occurrence thresholds? Yes — create separate monitors for each threshold. For example, one monitor for 3 failed logins in 1 hour (Warning) and another for 10 in 1 minute (Critical).

  • Does the Event Log monitor work on macOS or Linux? No — Windows Event Log is a Windows-only feature. For log-based monitoring on macOS or Linux, use a Script Monitor that reads system logs directly.

  • What happens to open Event Log alerts if I delete the monitor? Existing alerts remain in place. Deleting a monitor doesn't close alerts it already created — resolve those manually.
