
How to create a real-time alert on the logon of a particular user

Last review: Jan 01, 2013
https://kb.netwrix.com/604

How to create a real-time alert on the successful logon of a particular user?


To create the alert, do the following:

  1. In the left pane of NetWrix Enterprise Management Console, navigate to <your managed object> -> Event Log Manager and right-click the Real-time Alerts node.
  2. In the New Real-Time Alert wizard first screen, specify the alert name and click Next.
  3. On the next step, click Add in the Event filters grid. The Event Filters dialog will open.
  4. On the Event tab, select “Security” from the Event Log drop-down menu.
  5. On the Event Fields tab, specify the Event ID: 4624 for Windows Vista/7/2008, or 528 for Windows 2000/XP/2003.
  6. On the Insertion Strings tab, select the “Consider the following event Insertion Strings” option and click the Add button.
  7. Add the following insertion strings:
     • For Windows Vista/7/2008 user logons:
       Index: 6, Value: User name (example: Administrator)
       Index: 7, Value: NetBIOS domain name (example: DOMAIN)
       Index: 9, Value: 2 (for Interactive logins) or 10 (for Remote desktop logins)
     • For Windows XP/2000/2003 user logons:
       Index: 1, Value: User name (example: Administrator)
       Index: 2, Value: NetBIOS domain name (example: DOMAIN)
       Index: 4, Value: 2 (for Interactive logins) or 10 (for Remote desktop logins)
  8. Click OK in the Event Filters dialog.
  9. If necessary, specify recipients of this alert other than the Event Summary recipients and click Next.
  10. Review your new alert settings and click Finish.
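
To show what the Windows Vista/7/2008 filter from step 7 selects, the following Python sketch applies the same 1-based insertion-string indexes to events rendered as XML. It is an added example, not NetWrix code: the sample events are constructed and trimmed to the first nine fields of event 4624, and the case-insensitive comparison is an assumption of this example rather than documented product behavior.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Filter from step 7 (Vista/7/2008): 1-based insertion-string index -> accepted values.
FILTER_4624 = {6: {"Administrator"}, 7: {"DOMAIN"}, 9: {"2", "10"}}

def insertion_strings(event_xml):
    """Return (event_id, [insertion strings in order]) for one event rendered as XML."""
    root = ET.fromstring(event_xml)
    event_id = int(root.findtext("e:System/e:EventID", namespaces=NS))
    data = [(d.text or "") for d in root.findall("e:EventData/e:Data", NS)]
    return event_id, data

def matches(event_xml, event_id=4624, flt=FILTER_4624):
    """True when the event has the wanted ID and every indexed string matches."""
    eid, strings = insertion_strings(event_xml)
    if eid != event_id:
        return False
    for index, accepted in flt.items():
        if index > len(strings):               # event has no string at this index
            return False
        value = strings[index - 1].casefold()  # indexes in the dialog are 1-based
        # Assumption of this example: names are compared case-insensitively.
        if value not in {a.casefold() for a in accepted}:
            return False
    return True

def sample_event(user, domain, logon_type, event_id=4624):
    """Constructed, trimmed 4624-style event: only the first nine Data fields."""
    fields = [("SubjectUserSid", "S-1-5-18"), ("SubjectUserName", "HOST01$"),
              ("SubjectDomainName", "DOMAIN"), ("SubjectLogonId", "0x3e7"),
              ("TargetUserSid", "S-1-5-21-0-0-0-500"), ("TargetUserName", user),
              ("TargetDomainName", domain), ("TargetLogonId", "0x1a2b3c"),
              ("LogonType", str(logon_type))]
    data = "".join(f'<Data Name="{n}">{v}</Data>' for n, v in fields)
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>{event_id}</EventID>'
            f'</System><EventData>{data}</EventData></Event>')

if __name__ == "__main__":
    # Constructed cases: RDP logon, network logon (type 3), and a different user.
    for user, domain, ltype in [("Administrator", "DOMAIN", 10),
                                ("Administrator", "DOMAIN", 3),
                                ("jsmith", "DOMAIN", 2)]:
        print(user, domain, ltype, matches(sample_event(user, domain, ltype)))
```

Because the filter lists only logon types 2 and 10, a network logon (type 3) by the same account does not match, so file-share or service access by that user will not raise this alert.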