I want to capture EventCode=1100, but I also want to know if EventCode=4608 is created within one minute after EventCode=1100. If the EventCode is created by itself and is not followed by EventCode=4608, I want to know that. Here's the search syntax I have, but the results are not what I really want. I don't know if what I have captures the gist of what I'm trying to do.
[10:19]
index=wineventlog source="WinEventLog:Security" host=* ((EventCode=1100 body="The event logging service has shut down.") OR (EventCode=4608))
| transaction EventCode maxspan=1m
| table _time, EventCode, host, body
| sort -_time
[10:20]
The results are something like this:
[10:20]
2017-10-16 01:03:29 4608 Windows is starting up.
2017-10-15 23:01:51 4608 Windows is starting up.
2017-10-15 23:01:21 1100 The event logging service has shut down.
2017-10-15 20:02:59 4608 Windows is starting up.
2017-10-15 01:15:31 4608 Windows is starting up.
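One way to express the correlation described above, written here as an added example and not the poster's own search: group by host rather than by EventCode (a 1100 and a 4608 never share an EventCode value, so they can never land in the same transaction when you group on it), let the 1100 open the transaction and a 4608 within one minute close it, and use the eventcount field that transaction emits to flag whether the 4608 arrived. The field name followed_by_4608 is an assumed label for the result.

```spl
index=wineventlog source="WinEventLog:Security" (EventCode=1100 OR EventCode=4608)
| transaction host maxspan=1m startswith=(EventCode=1100) endswith=(EventCode=4608)
| search EventCode=1100
| eval followed_by_4608=if(eventcount>1, "yes", "no")
| table _time, host, EventCode, eventcount, duration, followed_by_4608
| sort -_time
```

Rows with eventcount=1 are the log-service shutdowns that were not followed by a Windows startup within the minute, which is the case worth alerting on; 4608 events with no preceding 1100 are dropped by the search filter after the transaction step.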