3 Replies Latest reply on May 23, 2016 5:18 PM by nicole pauls

    Need some help creating an alert

    alaskan

      So I had this email-enabled alert created before (prior to one of my previous upgrades) and it was working great. However, at some point during one of our LEM upgrades the alert appears to have stopped functioning and I'm not sure why. The alert was set up to kick off an email when any domain user account failed a logon attempt. So say Bob the domain admin mistypes his password 1 time, bam, an alert would fire off. Same for any other domain admin and any number of failed logons that occurred. Now, however, I'm not getting the alerts anymore.

      Anyone have any recommendations or ideas?

       

      Thanks in advance.

        • Re: Need some help creating an alert
          nicole pauls

          Are you getting other emails/alerts? Are you getting other emails/alerts from that source?

           

          Assuming the log data is still coming in, the most common reason is clock drift, but it could also be a slight format change in the fields you were keying off of (the connectors do get updated during an upgrade). 

           

          I'd recommend digging up one of the events in LEM and checking your timestamps first (compare DetectionTime and InsertionTime to current actual time, and potentially the time on your appliance, which is easy to see if you check your internal events/filter), then comparing it to your rule to see if we can spot where it's off.