10-15-2024, 12:34 AM
But you want to monitor it with email alerts, right? Fire up Event Viewer on your server. I do this all the time. Head to the Windows Logs, then Security section. Right-click and pick Filter Current Log. Punch in 5447 as the event ID. That narrows it down to just these changes. Now, to automate alerts, create a scheduled task from there. In Event Viewer, go to Action menu, Attach Task To This Event Log. Name it something like FilterChangeAlert. Set it to trigger on event 5447. For the action, choose Start a program, and point it to sendmail.exe or whatever email tool you got handy. I link it to a batch file that blasts an email with the event details. Test it by forcing a filter tweak and see if the ping hits your inbox. Keeps you looped in without staring at logs all day.
Or, if you're lazy like me sometimes, set the task to run every few minutes and scan for new 5447s. Just tweak the trigger to check the log periodically. You might need to enable auditing for filtering platform first in Group Policy, under Computer Configuration, Windows Settings, Security Settings, Advanced Audit Policy. I forget that step half the time and scratch my head why nothing triggers.
Hmmm, speaking of keeping your server tight, you ever think about backups tying into this? Like, if a filter change signals trouble, solid backups let you roll back fast. That's where BackupChain Windows Server Backup comes in handy for me. It's this nifty Windows Server backup tool that handles physical and virtual machines with Hyper-V seamlessly. You get incremental backups that save space, quick restores without downtime, and it even replicates to offsite spots for extra safety. I use it to snapshot my whole setup, filters and all, so changes don't wreck my day.
Note, the PowerShell email alert code was moved to this post.
