OK... Here's the scenario. We want to monitor the security logs for all success and failure events on a Test Virtual Machine that is not joined to the domain.
So far, I have:
- Added the device with the discovered monitors
- Set up mirrored service accounts on the IPMonitor Server (Server 2003 and ipMonitor Version: 10.0 build 1371) and the Test-VM server (server 2008), and enabled remote administration on the Test-VM server.
- Added three new monitors:
* "Security Event|Failure" Using the credentials of the mirrored service accounts on both servers. Filters: Event Area - Security, Event Type - Security Audit Failure. All other fields default
* "Security Event|Success" Using the credentials of the mirrored service accounts on both servers. Filters: Event Area - Security, Event Type - Security Audit Success. All other fields default
* "System Event|Error" Using the credentials of the mirrored service accounts on both servers. Filters: Event Area - System, Event Type - Error. All other fields default
- Added all monitors to Alerts (which have been pre-configured and work correctly for all other servers)
- Created new Content generator to display event log details:
* EVENT: %capture[1]%
  EVENT ID: %capture[category]%
  SERVER: %capture[computername]%
- Configured the three monitors to use this new content generator with default RegEx patterns on all.
All three monitors appear to be working. I can press the "preview" button and see all the details of the logs being monitored, but no alerts are issued.
Looking at the event log on the Test-VM I can see that the mirrored service account is logging in successfully. However, the main service account that we use for checking devices within the domain is ALSO attempting to log in to the Test-VM server (unsure if this is related, but I would think that as the monitor has been set to use the mirrored service account for authentication that the other service account should NOT be used).
To make a long story short we need to be able to get the alerts going, and to stop the other service account from logging in to the Test-VM.
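The post checks the Test-VM Security log by hand to see which service account is authenticating. The script below is an added example, not part of the original post and not ipMonitor functionality: it pulls recent logon success (4624) and failure (4625) audit events from a Server 2008-style Security log and summarises them by account, logon type and source address, so the monitoring server's own logons can be told apart from the unexpected domain-account logons. It assumes PowerShell 2.0 or later on the machine running it and, if `-ComputerName` points at the Test-VM, that the remote event log service is reachable with an account allowed to read the Security log; the `$ComputerName` and `$Hours` parameters are the example's own.

```powershell
# Added example (not from the original post or from ipMonitor).
# Summarise Security-log logon audits by account so that unexpected
# service-account logons can be identified and traced to their source.
# Assumes PowerShell 2.0+; event IDs 4624/4625 are the standard Windows
# Vista / Server 2008 and later Security-log IDs for logon success/failure.
param(
    [string]$ComputerName = $env:COMPUTERNAME,   # hypothetical parameter: target host, default local
    [int]$Hours = 24                              # hypothetical parameter: look-back window
)

$since = (Get-Date).AddHours(-$Hours)

# Restrict the query to logon success/failure events in the look-back window.
$filter = @{
    LogName   = 'Security'
    Id        = 4624, 4625
    StartTime = $since
}

$events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction Stop

# Map event IDs to a readable result label.
$resultByEventId = @{ 4624 = 'Success'; 4625 = 'Failure' }

$rows = foreach ($e in $events) {
    # The interesting fields live in the event's EventData XML, not in the message text.
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    New-Object PSObject -Property @{
        Time      = $e.TimeCreated
        Result    = $resultByEventId[[int]$e.Id]
        Account   = "$($data['TargetDomainName'])\$($data['TargetUserName'])"
        LogonType = $data['LogonType']      # 3 = network logon, typical for remote monitoring
        Source    = $data['IpAddress']      # address the logon came from
        Process   = $data['ProcessName']
    }
}

# One row per account/result/logon type, with the distinct source addresses that produced it.
$rows |
    Group-Object Account, Result, LogonType |
    Sort-Object Count -Descending |
    Select-Object Count, Name,
        @{ n = 'Sources'; e = { ($_.Group | Select-Object -ExpandProperty Source -Unique) -join ',' } } |
    Format-Table -AutoSize
```

Run it on the Test-VM (or against it with `-ComputerName`) after a monitor poll: a row for the mirrored account with the ipMonitor server's address is the expected result, and a second row for the domain service account from the same address shows that the extra logon attempts are coming from the monitoring host rather than from elsewhere.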