
Event Log Monitor

Updated today

Introduction

Watch the Windows Event Log for specific event IDs and alert when they appear too frequently. The Event Log monitor fires when a matching event occurs a defined number of times within your chosen time window — useful for catching brute-force login attempts, application crashes, disk errors, and other patterns that only matter in volume.

ℹ️ NOTE: The Event Log monitor currently supports Windows only. macOS and Linux support is coming in a future update.


Event Log Monitor

Level watches the Windows Event Log on covered devices for any of the event IDs you specify. When the matching events accumulate to your Occurrences count within the Duration window, an alert fires.

The combination of occurrences and duration is what makes this useful. Event ID 4625 (failed logon) appearing once isn't notable. Appearing 10 times in a minute is a brute-force attempt worth acting on immediately.


Configuring the Event Log Monitor

Open the target monitor policy, then add or edit an Event Log monitor. The Edit monitor panel opens on the right.

Name and Type

  1. Enter a name in the Name field. Include the event ID and what it represents — "Failed Login Attempts (4625)" is immediately readable in an alert list.

  2. Set Type to Event log.

Severity

Set Severity based on what the event IDs represent in context:

  • Information

  • Warning

  • Critical

  • Emergency

Event IDs

Enter one or more Windows Event IDs to watch. Type an ID and press Tab or add a comma to add it as a tag, then continue entering more.


💡 TIP: You can monitor multiple related event IDs in a single monitor. For example, group all failed authentication event IDs (4625, 4771, 4776) into one monitor rather than creating separate monitors for each.

Log Name

Enter the name of the Windows Event Log to watch. The field is case-insensitive. Common values:

  • Security — security and logon events

  • System — OS-level events, hardware, drivers

  • Application — application-generated events


Source

Source is optional. Enter a source name to narrow the monitor to events from a specific application or component within the log. Leave blank to match the event IDs across any source in that log.


Levels

Select one or more event log levels to match. Only events at the selected levels will count toward your occurrences threshold:

  • Information

  • Warning

  • Error

  • Critical

  • Verbose

Click the dropdown to add levels. Click × next to a level chip to remove it. Click the × on the right of the field to clear all selections.


ℹ️ NOTE: Windows Event Log levels and Level alert severity are separate concepts. The Levels field filters which event log entries are counted; Severity sets the priority of the alert Level creates.

Occurrences

Occurrences sets how many matching events must be detected within the duration window before an alert fires. Use the up/down arrows to set the value.


Duration

Duration sets the time window for counting occurrences. The unit dropdown lets you choose Minutes or Hours; the slider and up/down arrows set the value within that unit.


💡 TIP: Match the duration window to the threat model. Failed logins are best monitored over a short window (e.g., 10 failures in 30 minutes) to catch active attacks. Application crashes might use a wider window (e.g., 5 crashes in 1 hour) to avoid alerting on isolated incidents.
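To make the interaction between Event IDs, Log Name, Source, Levels, Occurrences and Duration concrete, here is an added Python model of the counting rule (illustration only, not Level's own code). It runs over a constructed stream of event records and assumes one alert per burst, after which counting starts afresh; the page does not specify that detail.

```python
from collections import deque
from datetime import datetime, timedelta

# Constructed sample Event Log entries (not real data); times are minutes after BASE.
BASE = datetime(2024, 1, 1, 10, 0, 0)

def _ev(minute, event_id, log="Security", level="Information",
        source="Microsoft-Windows-Security-Auditing"):
    return {"time": BASE + timedelta(minutes=minute), "event_id": event_id,
            "log": log, "level": level, "source": source}

SAMPLE_EVENTS = sorted(
    [_ev(m, 4625) for m in range(9)]      # 9 failed logons, minutes 0-8
    + [_ev(4, 4624)]                       # successful logon: not a watched ID
    + [_ev(5, 4771)]                       # Kerberos pre-auth failure: watched ID
    + [_ev(6, 1000, log="Application", level="Error", source="Application Error")]
    + [_ev(45, 4625), _ev(46, 4625)],      # two stragglers after the burst
    key=lambda e: e["time"])

class EventLogMonitor:
    # Sliding-window counter: fires when `occurrences` matches land within the window.
    def __init__(self, event_ids, log_name, occurrences, duration_minutes, levels=None, source=None):
        self.event_ids = set(event_ids)
        self.log_name = log_name.lower()               # log name is case-insensitive
        self.occurrences = occurrences
        self.duration = timedelta(minutes=duration_minutes)
        self.levels = set(levels) if levels else None  # None: count any level
        self.source = source                           # None: count any source
        self.window = deque()                          # timestamps of recent matches

    def matches(self, ev):
        return (ev["event_id"] in self.event_ids
                and ev["log"].lower() == self.log_name
                and (self.levels is None or ev["level"] in self.levels)
                and (self.source is None or ev["source"] == self.source))

    def ingest(self, ev):
        """Feed one event in chronological order; return its time if an alert fires."""
        if not self.matches(ev):
            return None
        now = ev["time"]
        self.window.append(now)
        while now - self.window[0] > self.duration:    # evict matches older than the window
            self.window.popleft()
        if len(self.window) >= self.occurrences:
            self.window.clear()   # assumption: one alert per burst, then count afresh
            return now
        return None

def run_monitor(monitor, events):
    return [t for t in (monitor.ingest(e) for e in events) if t is not None]
```

With the tip's settings (10 failures in 30 minutes, event IDs 4625/4771/4776 on the Security log) the burst above fires exactly one alert at minute 8; the two stragglers forty minutes later never reach the threshold.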

Auto-Resolve

The Auto-resolve alert if it is no longer applicable option is disabled by default for Event Log monitors. Event-based alerts represent something that already happened — they don't have a "currently breached" state to clear automatically, so leaving auto-resolve off means alerts persist until a technician reviews and resolves them.


Remediation

Attach one or more automations to run when this monitor fires — isolate a device, reset a user account, create a ticket, or page your team.

  1. Click in the Remediation field and select an automation.

  2. To add more, click + Add another remediation.

  3. To remove one, click the × next to it.

ℹ️ NOTE: Remediations run when the alert is created, not when it resolves.


Notifications

  • Send notifications on alert creation — policy recipients get an email when the alert fires

  • Send notifications on alert resolution — policy recipients get an email when the alert resolves

Recipients are managed at the monitor policy level, in the Recipients section.


Saving the Monitor

Click Update monitor to save changes, or Add monitor when adding a new one.


Frequently Asked Questions

  • Who can create and edit monitors? Technicians with access to the relevant monitor policy. Permission settings are managed in Workspace → Permissions.

  • Where do I find event IDs for the events I want to monitor? Windows Event Viewer is the fastest way — find an event you want to monitor, open its properties, and the Event ID is listed there. Microsoft's documentation and security references like the Windows Security Log Encyclopedia are also useful for common security event IDs.

  • Can I monitor the same event ID with different occurrence thresholds? Yes — create separate monitors for each threshold. For example, one monitor for 3 failed logins in 1 hour (Warning) and another for 10 in 1 minute (Critical).

  • Does the Event Log monitor work on macOS or Linux? No — Windows Event Log is a Windows-only feature. For log-based monitoring on macOS or Linux, use a Script Monitor that reads system logs directly.

  • What happens to open Event Log alerts if I delete the monitor? Existing alerts remain in place. Deleting a monitor doesn't close alerts it already created — resolve those manually.
