
Email Alert for Windows Event

Hi

I have created a Windows event template for user account lockout. I want to send an email every time an account gets locked out on any of my DCs. I have used the variable ${N=SwisEntity;M=ComponentAlert.WindowsEventMessages}, which gives me the full event message with header and subject, as below:

--- Event 1 of 1:
Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Logged: 03/13/2018 12:49:41
Event ID: 4740
Level: Audit Success
User:
Computer: "computername"
A user account was locked out.
Subject:
Security ID: S-9-9-21
Account Name: computername$
Account Domain: domain
Logon ID:
Account That Was Locked Out:
Security ID: S-1-5-21-2064318842-617679460-328166375-47728
Account Name: username
Additional Information:
Caller Computer Name: pcname

I want to send only the event subject part as the email alert, as below:

A user account was locked out.
Subject:
Security ID: S-9-9-21
Account Name: computername$
Account Domain: domain
Logon ID:
Account That Was Locked Out:
Security ID: S-1-5-21-2064318842-617679460-328166375-47728
Account Name: username
Additional Information:
Caller Computer Name: pcname

I have tried the below SWQL query to achieve this, and it works:

SELECT message
FROM Orion.APM.WindowsEvent
WHERE eventcode = 4740
ORDER BY timegeneratedutc DESC

But the problem is that if the event gets triggered on two different DCs (say DC1 and DC2) at the same time, the query will pull only the last updated entry and display the message containing the same computer name and account for both DCs.

Example: DC1 triggered first and made an entry in the database, and a few seconds later DC2 triggered the event and made its entry in the database. So when the email is sent it will send two alerts with the details of DC2 only, since DC2 updated its entry last.

A user account was locked out.
Subject:
Security ID: S-9-9-21
Account Name: DC2$
Account Domain: domain
Logon ID:
Account That Was Locked Out:
Security ID: S-1-5-21-2064318842-617679460-328166375-47728
Account Name: XXXX
Additional Information:
Caller Computer Name: pcname

Can anyone help me make it send the message for the events respective to the DC where the event was generated? Is there any query or variable that I can use to achieve this?

  • Hi

    You could select just the first result for a specific period of time, something like this:

    SELECT TOP 1 message
    FROM Orion.APM.WindowsEvent
    WHERE eventcode = 4740
    AND minutediff(timegeneratedutc, getutcdate()) < 5
    ORDER BY timegeneratedutc DESC

    Raul Gonzalez

    Prosperon - UK SolarWinds Partners

    Installation | Consultancy | Training | Licenses


  • Hi Raul

    Thank you for your reply. Unfortunately your query works the same way as mine. DC1 and DC2 generated the lockout event at the same time for the same user, and the query triggers one alert for each DC with the same Account Name, which is DC2$ for example:

    Subject:
    Security ID: S-9-9-21
    Account Name: DC2$
    Account Domain: domain
    Logon ID:

    Is there any other variable apart from ${N=SwisEntity;M=ComponentAlert.WindowsEventMessages} we can use to show only the subject part of the event rather than the entire event message? Or can this be achieved only through a query?
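The two problems raised in this thread (one alert per DC that carries that DC's own details, and trimming the message down to the subject part) as an added Python example; this is not code from the thread or from SolarWinds. It assumes each event row carries the computer that logged it, its UTC timestamp and the full message text, and the sample rows are constructed to mirror the 4740 messages quoted above. It keeps only the most recent 4740 event per DC, so two DCs logging the same lockout seconds apart no longer both report DC2's details, and it cuts each message down to the body starting at "A user account was locked out.". The SWQL equivalent is to restrict the query to the node the alert fired on before ordering by timegeneratedutc; the column that identifies the logging node is not shown in the thread, so that part is not assumed here.

```python
import re
from datetime import datetime


def make_message(dc: str, user: str, caller: str, logged: str) -> str:
    """Build a constructed 4740 message in the layout quoted in the thread."""
    return (
        "--- Event 1 of 1:\n"
        "Log Name: Security\n"
        "Source: Microsoft-Windows-Security-Auditing\n"
        f"Logged: {logged}\n"
        "Event ID: 4740\n"
        "Level: Audit Success\n"
        "User:\n"
        f'Computer: "{dc}"\n'
        "A user account was locked out.\n"
        "Subject:\n"
        "Security ID: S-9-9-21\n"
        f"Account Name: {dc}$\n"
        "Account Domain: domain\n"
        "Logon ID:\n"
        "Account That Was Locked Out:\n"
        "Security ID: S-1-5-21-2064318842-617679460-328166375-47728\n"
        f"Account Name: {user}\n"
        "Additional Information:\n"
        f"Caller Computer Name: {caller}\n"
    )


# Constructed sample rows (assumed shape: computer, time_utc, message).
# DC1 and DC2 record the same lockout three seconds apart, as in the post;
# an older DC1 lockout is included to show that only the latest one is kept.
SAMPLE_EVENTS = [
    {"computer": "DC1", "time_utc": datetime(2018, 3, 13, 12, 49, 41),
     "message": make_message("DC1", "username", "pcname", "03/13/2018 12:49:41")},
    {"computer": "DC2", "time_utc": datetime(2018, 3, 13, 12, 49, 44),
     "message": make_message("DC2", "username", "pcname", "03/13/2018 12:49:44")},
    {"computer": "DC1", "time_utc": datetime(2018, 3, 13, 12, 30, 0),
     "message": make_message("DC1", "olduser", "otherpc", "03/13/2018 12:30:00")},
]

SUBJECT_START = "A user account was locked out."


def subject_part(message: str) -> str:
    """Return only the body of the message, from the description line onward."""
    idx = message.find(SUBJECT_START)
    if idx == -1:
        raise ValueError("not a 4740 lockout message")
    return message[idx:].strip()


def parse_fields(message: str) -> dict:
    """Pull the fields a responder wants: who locked out whom, and from where.

    The body contains two 'Account Name:' lines; the first is the subject
    (the DC's machine account), the second is the account that was locked out.
    """
    body = subject_part(message)
    names = re.findall(r"^Account Name:\s*(.*)$", body, re.MULTILINE)
    caller = re.search(r"^Caller Computer Name:\s*(.*)$", body, re.MULTILINE)
    return {
        "subject_account": names[0].strip() if names else "",
        "locked_account": names[1].strip() if len(names) > 1 else "",
        "caller_computer": caller.group(1).strip() if caller else "",
    }


def latest_per_dc(events: list) -> dict:
    """Map each computer to its most recent event (the per-DC 'TOP 1')."""
    latest = {}
    for ev in events:
        current = latest.get(ev["computer"])
        if current is None or ev["time_utc"] > current["time_utc"]:
            latest[ev["computer"]] = ev
    return latest


def alert_messages(events: list) -> dict:
    """One trimmed alert body per DC, each built from that DC's own event."""
    return {dc: subject_part(ev["message"]) for dc, ev in latest_per_dc(events).items()}


if __name__ == "__main__":
    for dc, body in alert_messages(SAMPLE_EVENTS).items():
        print(f"=== alert for {dc} ===")
        print(body)
        print(parse_fields(body))
```

With the constructed rows, the DC1 alert carries `Account Name: DC1$` and the DC2 alert carries `Account Name: DC2$`, which is exactly the separation the "last entry wins" query loses. Keeping `Caller Computer Name` in the trimmed body matters for triage: it is the workstation the failed logons came from, which is what a responder checks first when a lockout storm starts.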

  • Hi

    There is an option to use SWQL or SQL 'variables' on any trigger action of the alert.

    (attached screenshot: pastedImage_0.png)

    Raul Gonzalez

    Prosperon - UK SolarWinds Partners

    Installation | Consultancy | Training | Licenses
