I have a basic SAM Component monitor for a Windows Event. I'm monitoring for Windows Event ID 2100, or actually attempting to monitor for the lack of that specific event ID. Within the component configuration, it seems like this is possible, but it doesn't seem to be doing what I need. Every time a user changes their password, event ID 2100 is logged. Event ID 2100 is logged frequently throughout the day. There are periods of a few hours where the event won't be logged due to it being outside of business hours (nights, holidays, and weekends). So if event ID 2100 is not logged for over 12 hours, it would be safe for us to assume the password sync environment has an issue. Unfortunately this is one of the only ways our password change environment can be monitored. So to summarize, I want to know when Event ID 2100 DOES NOT show up in the logs for 12 hours or more.
To accomplish this, here's what I've tried:
Within the component configuration for Windows event log monitoring, I specify the event and other proper information. See screenshot. My template polling frequency is 300 seconds, which is 5 minutes. I've messed with the "Number of past polling intervals" and changed it to 144, which equals 12 hours based on my polling interval of 5 min. I've also changed the Statistics Threshold to "less than 1" because I want to know if event 2100 is not detected. From the component monitoring screen, Event ID 2100 is detected, so I know that works. However, it doesn't seem to change the status to down or critical when it is not detected. It seems to change it to red because 2100 IS detected even though my settings say to change status when it goes below a count of 1.
Is my logic correct here? Can this component be configured to tell me if event 2100 is not detected for 12 hours?
Is there a better way to accomplish this?
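One alternative to the built-in Windows Event Log component, as an added example that is not part of the original post and not SolarWinds' own code: a script for a SAM Windows PowerShell Monitor component that reports the number of hours since the most recent Event ID 2100 as its statistic, so the SAM threshold can be the natural "greater than 12" instead of a "less than 1" count over 144 polling intervals. The log name (`Application`), the 12-hour threshold and the `Statistic:` / `Message:` output lines with exit codes 0 (Up) and 3 (Critical) are assumptions about your environment and about SAM's PowerShell monitor convention; the post does not say which log carries 2100, so change `$LogName` to the correct one.

```powershell
# Added example (not from the original post or from SolarWinds):
# SAM PowerShell Monitor script that measures the silence since the newest
# Event ID 2100 instead of counting occurrences per polling interval.
# ASSUMPTIONS: the log name, the 12-hour threshold and the
# "Statistic:"/"Message:" + exit-code output convention of SAM PowerShell monitors.
param(
    [string]$LogName = 'Application',   # ASSUMPTION: replace with the log that holds 2100
    [int]$EventId = 2100,
    [double]$MaxSilentHours = 12        # ASSUMPTION: the 12 h window from the post
)

function Get-HoursSinceLastEvent {
    param([string]$LogName, [int]$EventId)
    # Get-WinEvent returns newest first, so -MaxEvents 1 is the most recent match.
    # With no matches it writes a non-terminating error and returns nothing,
    # hence -ErrorAction SilentlyContinue and the $null check.
    $last = Get-WinEvent -FilterHashtable @{ LogName = $LogName; Id = $EventId } `
                         -MaxEvents 1 -ErrorAction SilentlyContinue
    if ($null -eq $last) {
        return $null   # no event of this ID anywhere in the retained log
    }
    return ((Get-Date) - $last.TimeCreated).TotalHours
}

$hours = Get-HoursSinceLastEvent -LogName $LogName -EventId $EventId

# SAM reads "Statistic: <number>" and "Message: <text>" from stdout;
# exit code 0 = Up, 1 = Down, 2 = Warning, 3 = Critical.
if ($null -eq $hours) {
    # No 2100 in the whole retained log: report a large value so any
    # "greater than N hours" threshold fires.
    Write-Host "Statistic: 9999"
    Write-Host "Message: No Event ID $EventId found in log '$LogName'"
    exit 3
}

$rounded = [math]::Round($hours, 2)
Write-Host "Statistic: $rounded"
if ($hours -gt $MaxSilentHours) {
    Write-Host "Message: Last Event ID $EventId was $rounded hours ago (threshold $MaxSilentHours h); password sync may be down"
    exit 3
}
Write-Host "Message: Last Event ID $EventId was $rounded hours ago"
exit 0
```

Because the statistic is "hours of silence", the component's statistic threshold becomes Critical when greater than 12 (or whatever `$MaxSilentHours` is set to), and the script's own exit code also flips the component to Critical, so the two agree. The script must run where the log is readable (the monitored host via remote execution, or the poller with a credential that can read that log); `Get-WinEvent` over a remote session needs Remote Event Log Management allowed through the firewall.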
