Monitoring SSL Certificates with Event Log Manager

https://kb.netwrix.com/5044

The following is a list of events that are related to SSL Certificates:

  • 1001 Certificate Replaced
  • 1002 Certificate Expired
  • 1003 Certificate Expiration Approaching
  • 1004 Certificate Deleted
  • 1005 Certificate Archived
  • 1006 Certificate Installed

To audit these events, a new filter must be created in Event Log Manager.

NOTE: Please follow this guide for fundamental configurations of Event Log Manager. Failure to do so may result in a delay or absence of audit data.

Once the necessary fundamental configurations have been set, proceed with creating filters for SSL Certificate Auditing.


NOTE: If this is your first Event Log Manager plan, enter notification recipients and target servers before continuing.


When an SSL Certificate is added to a server, a new event log titled “Microsoft-Windows-CertificateServicesClient-Lifecycle-System/Operational” is created. Enter this log name into the “Event Log” text field and set “Write To” to “Both”.

Next, click the “Event Fields” tab and enter the event IDs you wish to audit. The provided example exhibits auditing of all SSL Certificate events.

Click “OK” until you are back to the Event Log Manager Homepage and then click “Save”.

You will now receive reports for SSL Certificate event data. If you wish to receive Alerts for this data, proceed with the following steps.
You will essentially repeat the steps above, this time in the Alert Filter Configuration.

Click “OK” until you are back to the Event Log Manager Homepage and then click “Save”.

The configured Monitoring Plan will now yield Reports and Alerts for SSL Auditing.
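
If reports or alerts stay empty, it helps to confirm on each target server that the log is enabled and actually contains the event IDs listed above. The script below is an added example, not part of the original article or of Event Log Manager; the parameter names and the 30-day lookback window are assumptions, and it uses only the built-in Get-WinEvent cmdlet.

```powershell
param(
    [string[]]$ComputerName = @($env:COMPUTERNAME),  # assumption: servers in the monitoring plan
    [int]$Days = 30                                  # assumption: lookback window
)

$LogName = 'Microsoft-Windows-CertificateServicesClient-Lifecycle-System/Operational'
# Event IDs and names as listed in this article
$EventNames = @{
    1001 = 'Certificate Replaced'
    1002 = 'Certificate Expired'
    1003 = 'Certificate Expiration Approaching'
    1004 = 'Certificate Deleted'
    1005 = 'Certificate Archived'
    1006 = 'Certificate Installed'
}

foreach ($Computer in $ComputerName) {
    # Step 1: the log must exist and be enabled, otherwise nothing is recorded
    try {
        $Log = Get-WinEvent -ListLog $LogName -ComputerName $Computer -ErrorAction Stop
    } catch {
        Write-Warning "${Computer}: cannot read log metadata: $($_.Exception.Message)"
        continue
    }
    if (-not $Log.IsEnabled) {
        Write-Warning "${Computer}: log is disabled, no certificate events will be recorded"
        continue
    }
    # Step 2: query only the audited IDs inside the lookback window
    $Filter = @{
        LogName   = $LogName
        Id        = [int[]]$EventNames.Keys
        StartTime = (Get-Date).AddDays(-$Days)
    }
    # Get-WinEvent raises an error when nothing matches; treat that as an empty result
    $Events = @(Get-WinEvent -FilterHashtable $Filter -ComputerName $Computer -ErrorAction SilentlyContinue)
    if ($Events.Count -eq 0) {
        Write-Warning "${Computer}: log enabled but no matching events in the last $Days days"
    }
    # Step 3: one summary row per event ID found
    $Events | Group-Object Id | ForEach-Object {
        [pscustomobject]@{
            Computer = $Computer
            EventId  = [int]$_.Name
            Event    = $EventNames[[int]$_.Name]
            Count    = $_.Count
            Latest   = ($_.Group | Measure-Object TimeCreated -Maximum).Maximum
        }
    }
}
```

A server that reports the log as disabled or empty will produce no data in the Monitoring Plan regardless of how the filter is configured.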
