Hey guys, hope you're all doing great! I'm a complete newbie when it comes to LEM, so please ELI5 (for those Reddit readers...). Hopefully someone knows the answers.
So I have LEM installed and the default stuff set and going. Emails are working for some domain events, such as account creation in Active Directory, etc. Anyway, on to my question. I really would like to have an email notification fire when there is a failed administrator logon to a server. I've hunted round the product and can see that failed logons are being tracked as critical events within LEM. This (as far as I can tell) is from the rule 'Critical Account Logon Failures'. I've tried editing this rule and adding in an email action, but, well, it just doesn't work. No emails...
So I ask you, the wise and wonderful community of SolarWinds... What am I doing wrong?
That rule, by default, is driven by a User Defined Group that contains "root" and "administrator." Have you added your own criteria to the rule to include your critical accounts?