Sentinel ver 7.1.1
MS Windows Collector: 2011.1r3 (ID 74424EA0-3EFE-1031-A09B-000C29C38B1D)
File Connector: 2011.1r1 (ESM Live shows ID
"92E87580-3F00-1031-81D8-00A0C6247610")
Event Source: a Text File (connector dump of a Windows 2008 R2 event
source). (ESM Live shows ID "92E87580-3F00-1031-81E7-00A0C6247610")

1 - You cannot search events based on the File Event Source ID that
appears in the Sentinel WebUI, by selecting the File Event Source from
"Sentinel WebUI > Collection > Event Sources".
2 - In the Sentinel WebUI, you cannot search events based on the File Event
Source ID that ESM Live View shows.
3 - In the Sentinel WebUI, you cannot search events based on the File
Connector ID that ESM Live View shows.
i.e. Sentinel shows no events when I search for:
rv23:92E87580-3F00-1031-81D8-00A0C6247610
rv24:92E87580-3F00-1031-81E7-00A0C6247610

But it works when I search for events via Collector ID, i.e. searching
rv22:74424EA0-3EFE-1031-A09B-000C29C38B1D gives the proper result, and
when I click on ALL on any event in the WebUI, I came to know that the File
Connector and Event Source IDs are different, and when I searched for
the event based on the IDs shown by the WebUI (ALL), I got the proper results,
i.e. the search gets the event properly.

So it seems that the IDs of the File Connector and Event Source are different
than ESM Live shows.

I got the following response from Support on this issue:
> Please note that after checking with engineering this is working as
> designed. So it is not considered a bug. Basically you will need to
> change the search criteria in order to obtain the correct data output of
> the search.



--
sharfuddin