Classification

| Rule Name | Rule Type | Common Event | Classification |
| --- | --- | --- | --- |
| MsiInstaller : Installer Close Messages | Base Rule | General INSTALLER Message | Information |
| EVID 11308 : Installer Source File Not Found | Sub Rule | General MsiInstaller Error | Error |
| EVID 11707 : Install Completed Successfully | Sub Rule | Software Installed | Configuration |
| EVID 11708 : Install Failure | Sub Rule | Add Object Failure | Access Failure |
| EVID 11724 : Uninstall Complete | Sub Rule | Object Deleted/Removed | Access Success |
| EVID 11728 : Configuration Completed | Sub Rule | Object Attribute Modified | Access Success |

Sample Logs

<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'>
  <System>
    <Provider Name='MsiInstaller'/>
    <EventID Qualifiers='0'>11724</EventID>
    <Level>Information</Level>
    <Task>None</Task>
    <Keywords>Classic</Keywords>
    <TimeCreated SystemTime='2016-11-17T14:43:32.000000000Z'/>
    <EventRecordID>38265</EventRecordID>
    <Channel>Application</Channel>
    <Computer>_destinationHostname</Computer>
    <Security UserID='_domain\_originUser'/>
  </System>
  <EventData>
    <Data>Product: LANDESK Advance Agent -- Removal completed successfully.</Data>
    <Data>(NULL)</Data>
    <Data>(NULL)</Data>
    <Data>(NULL)</Data>
    <Data>(NULL)</Data>
    <Data>(NULL)</Data>
    <Data></Data>
    <Binary>7B37453838333341312D414632342D344341452D383244462D4346453134433134423934447D</Binary>
  </EventData>
</Event>

Mapping with LogRhythm Schema  

| Device Key in Log Message | Log Value | LogRhythm Schema | Data Type |
| --- | --- | --- | --- |
| Provider name | MsiInstaller | <vendorinfo> | Text/String |
| Eventid | 11724 | <vmid> | Number |
| Level | Information | <severity> | Text/String |
| Computer | _destinationHostname | <dname> | Text/String |
| userid | _domain | <domain> | Text/String |
| N/A | _originUser | <login> | Text/String |
| product | LANDESK Advance Agent | <process> | Text/String |
| N/A | Removal completed successfully | <subject> | Text/String |
| N/A | N/A | <object> | Text/String |
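The mapping above, worked through in code as an added example (not LogRhythm's MPE engine): it parses the sample EVID 11724 event from this page, splits `UserID` into `<domain>` and `<login>`, and pulls `<process>` and `<subject>` out of the "Product: ... -- ..." message. The `product_code` key is an assumption of this example, not part of the schema table: it decodes the hex `Binary` field, which here holds the ASCII product GUID.

```python
import re
import xml.etree.ElementTree as ET

# Constructed input: the MsiInstaller EVID 11724 sample event shown on this page.
SAMPLE_EVENT = (
    "<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System>"
    "<Provider Name='MsiInstaller'/><EventID Qualifiers='0'>11724</EventID>"
    "<Level>Information</Level><Task>None</Task><Keywords>Classic</Keywords>"
    "<TimeCreated SystemTime='2016-11-17T14:43:32.000000000Z'/><EventRecordID>38265"
    "</EventRecordID><Channel>Application</Channel><Computer>_destinationHostname"
    "</Computer><Security UserID='_domain\\_originUser'/></System><EventData>"
    "<Data>Product: LANDESK Advance Agent -- Removal completed successfully.</Data>"
    "<Data>(NULL)</Data><Data>(NULL)</Data><Data>(NULL)</Data><Data>(NULL)</Data>"
    "<Data>(NULL)</Data><Data></Data><Binary>7B37453838333341312D414632342D344341452D"
    "383244462D4346453134433134423934447D</Binary></EventData></Event>"
)

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
# First Data element: "Product: <name> -- <message>."  ->  <process>, <subject>
PRODUCT_RE = re.compile(r"^Product:\s*(?P<process>.+?)\s+--\s+(?P<subject>.+?)\.?$")


def map_msiinstaller_event(xml_text: str) -> dict:
    """Map one MsiInstaller event to the LogRhythm schema fields in the table above."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", NS)
    fields = {
        "vendorinfo": system.find("e:Provider", NS).get("Name"),
        "vmid": int(system.findtext("e:EventID", namespaces=NS)),  # Number
        "severity": system.findtext("e:Level", namespaces=NS),
        "dname": system.findtext("e:Computer", namespaces=NS),
        "domain": None, "login": None, "process": None, "subject": None, "object": None,
    }
    # UserID arrives as 'DOMAIN\user'; the table maps the two halves separately
    user_id = system.find("e:Security", NS).get("UserID", "")
    if "\\" in user_id:
        fields["domain"], fields["login"] = user_id.split("\\", 1)
    data = root.findall("e:EventData/e:Data", NS)
    m = PRODUCT_RE.match((data[0].text or "") if data else "")
    if m:
        fields["process"], fields["subject"] = m.group("process"), m.group("subject")
    # Assumed extra (not in the schema table): Binary is hex-encoded ASCII product code
    binary = root.findtext("e:EventData/e:Binary", namespaces=NS)
    if binary:
        fields["product_code"] = bytes.fromhex(binary).decode("ascii")
    return fields
```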