Our SQL DBAs want to monitor for a specific event in the Windows Event log which tracks failed login attempts.
Windows Logs, Application
Source: MSSQLSERVER
Event ID: 18456
Task Category: Logon
Message Example: Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'. Reason: Could not find a login matching the name provided. [CLIENT: <IP ADDRESS>]
I've been able to set up the component monitor in SAM, but I would like some tips on configuring the ALERTS for this based on the following:
- They only want to be alerted when the event is logged in the Windows Event logs 5 or more times in a single minute.
- The alert does NOT trigger if the CLIENT IP address in the message is triggering from a specific IP.
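
The two conditions in the post above, written out as detection logic over event records. This is an added example, not part of the original post and not SolarWinds SAM configuration; the excluded address `192.0.2.10`, the function names and the sample events are constructed assumptions.

```python
import re
from collections import deque
from datetime import datetime, timedelta

EXCLUDED_IPS = {"192.0.2.10"}      # assumption: placeholder for the IP to ignore
THRESHOLD = 5                      # "5 or more times"
WINDOW = timedelta(minutes=1)      # "in a single minute"
CLIENT_RE = re.compile(r"\[CLIENT:\s*([^\]]+?)\s*\]")

def client_ip(message):
    """Return the value inside [CLIENT: ...], or None if the tag is absent."""
    m = CLIENT_RE.search(message)
    return m.group(1) if m else None

def find_alerts(events):
    """events: (timestamp, event_id, message) tuples sorted by time.
    Counts 18456 events from all non-excluded clients together and returns
    the timestamps at which the count inside a sliding minute reaches 5."""
    window, alerts, armed = deque(), [], True
    for ts, event_id, message in events:
        # Messages with no CLIENT tag are still counted (None is not excluded).
        if event_id != 18456 or client_ip(message) in EXCLUDED_IPS:
            continue
        window.append(ts)
        while ts - window[0] >= WINDOW:    # drop events older than one minute
            window.popleft()
        if len(window) >= THRESHOLD:
            if armed:                      # fire once per burst, not per event
                alerts.append(ts)
                armed = False
        else:
            armed = True
    return alerts

# Constructed sample events, modelled on the message format quoted in the post.
MSG = "Login failed for user 'NT AUTHORITY\\ANONYMOUS LOGON'. [CLIENT: {}]"
BASE = datetime(2024, 1, 1, 9, 0, 0)

def at(minutes, seconds, ip):
    return (BASE + timedelta(minutes=minutes, seconds=seconds), 18456, MSG.format(ip))

SAMPLE_EVENTS = (
    [at(0, s, "192.0.2.10") for s in range(6)]                      # excluded IP: ignored
    + [at(5, s, "198.51.100.7") for s in (0, 10, 20, 30, 40)]       # 5 in 40 s: alert
    + [at(10, s, "198.51.100.7") for s in (0, 30, 60, 90, 120)]     # 5 over 2 min: no alert
)

if __name__ == "__main__":
    for ts in find_alerts(SAMPLE_EVENTS):
        print("ALERT", ts.isoformat())
```
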