Currently, generating alerts based on specific event IDs relies on SAMs to detect these events and pass them on to the alert rule. For the most part it works as expected, except when a critical event does not contain a message/description; instead, inside the GUI (Windows Event Viewer), you can see event data.
For example, on an AD server we often get event ID 5774 with the following:
The description for Event ID 5774 from source NETLOGON cannot be found. Either the component that raises this event is not installed on your local computer or the installation is corrupted. You can install or repair the component on the local computer.
If the event originated on another computer, the display information had to be saved with the event.
The following information was included with the event:
_kerberos._tcp.XXX-xxxxxx._sites.xxxxxx.com. 600 IN SRV 0 100 88 XXXXXX101.xxxxxx.com.
%%4294967295
192.168.xxx.xxx
5
4294967295
The locale specific resource for the desired message is not present
It would be useful to alert my AD team with this message, which is part of EventData:
<EventData>
Instead, our alert has the following:
Log Name: System
Source: NETLOGON
Logged: 04/10/2019 09:51:56
Event ID: 5774
Level: Error
User:
Computer: XXXXXX101.xxxxxx.com
Adding another variable that would capture all the EventData could be helpful here.
Thanks.
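As an added illustration of the gap described in this post (not code from the original post, nor from the monitoring product), the following PowerShell pulls the raw EventData values out of an event record, using the log name, provider and event ID quoted above, and falls back to them when the rendered Message is empty. The function name and the output object layout are this example's own choices.

```powershell
# Added example: extract EventData from a Windows event so it can be used in an
# alert body even when the provider's message resources are missing on the host.

function Get-EventDataText {
    param([Parameter(Mandatory)][System.Diagnostics.Eventing.Reader.EventLogRecord]$Record)

    # ToXml() returns the same XML that Event Viewer shows under Details > XML View.
    [xml]$xml = $Record.ToXml()
    $values = foreach ($d in $xml.Event.EventData.Data) {
        if ($d -is [System.Xml.XmlElement]) {
            # <Data Name="..."> comes back as an element; its text is in '#text'.
            $name = $d.GetAttribute('Name')
            if ($name) { "$name=$($d.'#text')" } else { $d.'#text' }
        } else {
            # <Data> without attributes comes back as a plain string.
            $d
        }
    }
    ($values | Where-Object { $null -ne $_ -and "$_" -ne '' }) -join "`n"
}

# Log, provider and ID as shown in the event above; -ErrorAction handles "no events found".
$filter = @{ LogName = 'System'; ProviderName = 'NETLOGON'; Id = 5774 }
$events = Get-WinEvent -FilterHashtable $filter -MaxEvents 5 -ErrorAction SilentlyContinue

foreach ($e in $events) {
    $data = Get-EventDataText -Record $e
    [pscustomobject]@{
        Logged    = $e.TimeCreated
        Computer  = $e.MachineName
        EventId   = $e.Id
        Level     = $e.LevelDisplayName
        # Message is $null when the locale-specific resource is not present;
        # fall back to the EventData text so the alert still carries the payload.
        Message   = if ($e.Message) { $e.Message } else { $data }
        EventData = $data
    }
}
```

Run it on the domain controller that logs the event; the EventData column is the text (the SRV record, the %%4294967295 marker, the IP address and the status codes) that the current alert drops.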