Classification

| Rule Name | Rule Type | Common Event | Classification |
|---|---|---|---|
| Catch All : WSUS Messages | Base Rule | General WSUSService Information | Information |
| EVID 10000 : WSUS Is Working Correctly | Sub Rule | General WSUSService Information | Information |
| EVID 12030 : SSWS Is Working Correctly | Sub Rule | General WSUSService Information | Information |
| EVID 12032 : SSWS Is Not Working Correctly | Sub Rule | General WSUSService Error | Error |
| EVID 13001 : Client Updates >10% Failure Rate | Sub Rule | General WSUSService Error | Error |
| EVID 13032 : Client Computers Have Not Reported In | Sub Rule | General WSUSService Error | Error |

Sample Logs

<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Windows Server Update Services'/><EventID Qualifiers='0'>12032</EventID><Level>Error</Level><Task>Web Services</Task><Keywords>Classic</Keywords><TimeCreated SystemTime='2016-11-19T03:08:03.000000000Z'/><EventRecordID>76003</EventRecordID><Channel>Application</Channel><Computer>_destinationHostname</Computer><Security/></System><EventData><Data>The Server Synchronization Web Service is not working.</Data></EventData></Event>

Mapping with LogRhythm Schema  

| Device Key in log message | Log Value | LogRhythm Schema | Data Type |
|---|---|---|---|
| Provider name | The Server Synchronization Web Service is not working | <vendorinfo> | Text/String |
| Qualifiers | 12032 | <vmid> | Number |
| level | Error | <severity> | Text/String |
| Computer | _destinationHostname | <dname> | Text/String |