Open for Voting

FEATURE REQUEST - Event log details

Currently, generating alerts based on specific event IDs relies on SAM to detect these events and pass them on to an alert rule. For the most part it works as expected, except when a critical event does not contain a message/description; instead, in the GUI (Windows Event Viewer), you can see the event data.

For example, on an AD server we often get event ID 5774 with the following:

The description for Event ID 5774 from source NETLOGON cannot be found. Either the component that raises this event is not installed on your local computer or the installation is corrupted. You can install or repair the component on the local computer.

If the event originated on another computer, the display information had to be saved with the event.

The following information was included with the event:

_kerberos._tcp.XXX-xxxxxx._sites.xxxxxx.com. 600 IN SRV 0 100 88 XXXXXX101.xxxxxx.com.

%%4294967295

192.168.xxx.xxx

5

4294967295

The locale specific resource for the desired message is not present

It would be useful to alert my AD team with this message, which is part of the EventData:

<EventData>

<Data>_kerberos._tcp.XXX-xxxxxx._sites.xxxxxx.com. 600 IN SRV 0 100 88 XXXXXX101.xxxxxx.com.</Data>

<Data>%%4294967295</Data>

<Data>192.168.xxx.xxx</Data>

<Data>5</Data>

<Data>4294967295</Data>

<Binary>0500</Binary>

Instead, our alert has the following:

Log Name: System

Source: NETLOGON

Logged: 04/10/2019 09:51:56

Event ID: 5774

Level: Error

User:

Computer: XXXXXX101.xxxxxx.com

Adding another variable that would capture all the EventData could be helpful here.

Thanks.
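Added example, not part of the original post and not SolarWinds SAM code: a PowerShell script that does by hand what the requested variable would do, pulling the `<Data>` and `<Binary>` children of `<EventData>` out of an event's XML (the same XML Event Viewer shows under Details > XML View) and building an alert line from them. The sample XML below is constructed from the 5774 data in the post; the `System` envelope around it is assumed. The positional meaning of the five 5774 fields (record, DNS server, RCODE, status) is an assumption taken from the public NETLOGON message template, not something the post states.

```powershell
# Constructed sample: the 5774 EventData from the post, wrapped in the
# standard Windows event XML envelope (assumed, so this runs offline).
$SampleEventXml = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="NETLOGON" />
    <EventID>5774</EventID>
    <Level>2</Level>
    <Computer>XXXXXX101.xxxxxx.com</Computer>
  </System>
  <EventData>
    <Data>_kerberos._tcp.XXX-xxxxxx._sites.xxxxxx.com. 600 IN SRV 0 100 88 XXXXXX101.xxxxxx.com.</Data>
    <Data>%%4294967295</Data>
    <Data>192.168.xxx.xxx</Data>
    <Data>5</Data>
    <Data>4294967295</Data>
    <Binary>0500</Binary>
  </EventData>
</Event>
'@

function ConvertFrom-EventXml {
    # Returns an ordered dictionary of EventData fields. <Data Name="..."> elements
    # keep their Name; unnamed ones (as in 5774) get positional keys Data0, Data1, ...
    param([Parameter(Mandatory)][string]$Xml)

    $doc = New-Object System.Xml.XmlDocument
    $doc.LoadXml($Xml)
    # The event schema lives in a default namespace, so XPath needs a prefix for it.
    $ns = New-Object System.Xml.XmlNamespaceManager($doc.NameTable)
    $ns.AddNamespace('e', 'http://schemas.microsoft.com/win/2004/08/events/event')

    $fields = [ordered]@{}
    $i = 0
    foreach ($node in $doc.SelectNodes('/e:Event/e:EventData/e:Data', $ns)) {
        $key = if ($node.HasAttribute('Name')) { $node.GetAttribute('Name') } else { "Data$i" }
        $fields[$key] = $node.InnerText
        $i++
    }
    $bin = $doc.SelectSingleNode('/e:Event/e:EventData/e:Binary', $ns)
    if ($bin) { $fields['Binary'] = $bin.InnerText }
    return $fields
}

function Format-Netlogon5774 {
    # Builds the one-line alert text for the AD team. ASSUMPTION: Data0 is the
    # DNS record, Data2 the DNS server, Data3 the DNS RCODE, Data4 the status code.
    param([Parameter(Mandatory)][System.Collections.Specialized.OrderedDictionary]$Fields)

    # Standard DNS response codes (RFC 1035); 5 = REFUSED, which is what the post shows.
    $rcodeNames = @{ '0' = 'NOERROR'; '1' = 'FORMERR'; '2' = 'SERVFAIL'; '3' = 'NXDOMAIN'; '4' = 'NOTIMP'; '5' = 'REFUSED' }
    $rcode = $Fields['Data3']
    $rcodeText = if ($rcodeNames.ContainsKey($rcode)) { "$rcode ($($rcodeNames[$rcode]))" } else { $rcode }

    "DNS registration of '{0}' failed on DNS server {1}: RCODE {2}, status {3}" -f `
        $Fields['Data0'], $Fields['Data2'], $rcodeText, $Fields['Data4']
}

# Offline run against the constructed sample.
$fields = ConvertFrom-EventXml -Xml $SampleEventXml
Format-Netlogon5774 -Fields $fields

# Live run: same parsing against the real System log (needs read access to it).
Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'NETLOGON'; Id = 5774 } -MaxEvents 5 -ErrorAction SilentlyContinue |
    ForEach-Object { Format-Netlogon5774 -Fields (ConvertFrom-EventXml -Xml $_.ToXml()) }
```

Two caveats for anyone wiring this into an alert. The `%%4294967295` field is a parameter-message reference, not a literal value: Windows resolves `%%NNNN` strings through the provider's parameter message file, which is exactly what is missing when the "description ... cannot be found" text appears, so the raw EventData is the reliable thing to forward. And because 5774's `<Data>` elements carry no `Name` attribute, the key order in the returned dictionary is the only thing that identifies each field; a script that reads `$fields['Data2']` is trusting that the provider's field order has not changed.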