How do I configure Event Log Manager real-time alerts for failed logon attempts?
Follow the instructions below:
- Launch Event Log Manager in Full-Featured mode (NetWrix Enterprise Management Console in the current version). Expand the Event Log Manager node for the related Managed Object. Right-click the Real-time Alerts node and select New Real-time Alert.
- In the wizard window, check the Enable this alert box and provide the name and description for this alert (for example, Logon Attempts) in the appropriate fields. (For Event Log Manager 4.0, specify the value in Alerts per one email.) Click Next.
- In the Event Filters, click Add to create a new filter. On the General tab, provide the name and description for the filter. In the Event Log drop-down list, select Security.
- On the Event Fields tab, check the Event ID box and enter 4625 (529 for Windows 2003 servers). Click OK.
- Repeat steps 3-4 for the following event IDs:
  - If you have Windows 2003 servers: 529, 530, 531, 532, 533, 534, 535, 536, 537, 539
  - If you have Windows 2008 servers: 4625
  - Add IDs from both lists if you have both 2003 and 2008 servers in the computer collection.
  NOTE: For Event Log Manager 4.0, you can specify several Event IDs separated by a comma in the Event ID field of the event filter.
- Click OK.
- In Notifications, provide the email addresses of the real-time alert recipients. Click Next, review the details, and click Finish.
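
To confirm that the alert filter has events to match, the following added example (not part of the original article or of the NetWrix product) queries a Windows 2008 or later server for event ID 4625 and summarizes the failures by account and source address. The parameter names and the 24-hour look-back window are assumptions, and the legacy Windows 2003 IDs are not covered.

```powershell
# Added example: check that failed-logon events (ID 4625) are present in the
# Security log, so the real-time alert filter configured above can match them.
# Run from an elevated PowerShell prompt; reading the Security log requires it.
param(
    [string]$ComputerName = $env:COMPUTERNAME,  # assumption: server to check
    [int]$Hours = 24                            # assumption: look-back window
)

$filter = @{
    LogName   = 'Security'
    Id        = 4625
    StartTime = (Get-Date).AddHours(-$Hours)
}

# Get-WinEvent raises an error when nothing matches (or access is denied),
# so capture the error instead of letting it stop the script.
$events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter `
    -ErrorAction SilentlyContinue -ErrorVariable queryError

if (-not $events) {
    Write-Warning "No 4625 events returned from $ComputerName for the last $Hours hours."
    if ($queryError) { Write-Warning "Query reported: $($queryError[0].Exception.Message)" }
    Write-Warning "Check that logon failure auditing is enabled on the server."
    return
}

# Pull the named EventData fields out of each event's XML.
$rows = foreach ($e in $events) {
    $data = @{}
    foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        Time      = $e.TimeCreated
        Account   = '{0}\{1}' -f $data['TargetDomainName'], $data['TargetUserName']
        LogonType = $data['LogonType']
        Source    = $data['IpAddress']
    }
}

# Top ten account/source pairs by number of failed logons.
$rows | Group-Object Account, Source |
    Sort-Object Count -Descending |
    Select-Object Count, Name -First 10 |
    Format-Table -AutoSize
```

If the script returns rows but no alert email arrives, recheck the Event Log and Event ID values in the filter and the recipient addresses in Notifications.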