3 Replies Latest reply on Mar 14, 2018 6:41 AM by Raul Gonzalez

    Email Alert for Windows Event

    max348

Hi

I have created a Windows event template for user account lockouts. I want to send an email every time an account gets locked out on any of my DCs. I have used the variable ${N=SwisEntity;M=ComponentAlert.WindowsEventMessages}, which gives me the full event message with header and subject, as below:

       

      --- Event 1 of 1:

       

      Log Name: Security

      Source: Microsoft-Windows-Security-Auditing

      Logged: 03/13/2018 12:49:41

      Event ID: 4740

      Level: Audit Success

      User:

      Computer: "computername"

       

      A user account was locked out.

       

      Subject:

      Security ID: S-9-9-21

      Account Name: computername$

      Account Domain: domain

      Logon ID:

       

      Account That Was Locked Out:

      Security ID: S-1-5-21-2064318842-617679460-328166375-47728

      Account Name: username

       

      Additional Information:

      Caller Computer Name: pcname


I want to send only the event subject part as the email alert, as below:

       

      A user account was locked out.

       

      Subject:

      Security ID: S-9-9-21

      Account Name: computername$

      Account Domain: domain

      Logon ID:

       

      Account That Was Locked Out:

      Security ID: S-1-5-21-2064318842-617679460-328166375-47728

      Account Name: username

       

      Additional Information:

      Caller Computer Name: pcname

       

I have tried the SWQL query below to achieve this, and it works.

SELECT message
FROM Orion.APM.WindowsEvent
WHERE eventcode = 4740
ORDER BY timegeneratedutc DESC

       

But the problem is that if the event gets triggered on 2 different DCs (say DC1 and DC2) at the same time, then the query will pull only the last updated entry and display the message containing the same computer name and account for both DCs.

Example: DC1 triggered first and made an entry in the database, and a few seconds later DC2 triggered the event and made its entry in the database. So when the email is sent, it will send 2 alerts with the details of DC2 only, since DC2 updated its entry last.

       

      A user account was locked out.

       

      Subject:

      Security ID: S-9-9-21

      Account Name: DC2$

      Account Domain: domain

      Logon ID:

       

      Account That Was Locked Out:

      Security ID: S-1-5-21-2064318842-617679460-328166375-47728

      Account Name: XXXX

       

      Additional Information:

      Caller Computer Name: pcname

       

Can anyone help me make it send the message for the event from the DC where that event was generated? Is there any query or variable I can use to achieve this?
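As an added example (not code from the original post or from SolarWinds), the following Python parses the text that the ${N=SwisEntity;M=ComponentAlert.WindowsEventMessages} macro produces in the layout shown above, drops the "Log Name ... Computer" header so only the "A user account was locked out." part remains, and keeps each DC's message separately, keyed by the header's Computer field, so that DC1 and DC2 firing a few seconds apart do not collapse into one message. The two-event input is constructed for the example; the assumption is that the macro output always starts each event with a "--- Event N of M:" marker followed by the fixed header keys shown in the post, and that the script is run as a post-processing step (for example from an external-program alert action) rather than inside SWQL.

```python
import re

# Header keys that SolarWinds prepends to each event, as seen in the macro output above.
HEADER_KEYS = ("Log Name", "Source", "Logged", "Event ID", "Level", "User", "Computer")

# Constructed sample: the same user locked out, reported by two DCs three seconds apart.
SAMPLE_EVENTS = """--- Event 1 of 2:

Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Logged: 03/13/2018 12:49:41
Event ID: 4740
Level: Audit Success
User:
Computer: "DC1"

A user account was locked out.

Subject:
Security ID: S-1-5-18
Account Name: DC1$
Account Domain: CORP
Logon ID: 0x3E7

Account That Was Locked Out:
Security ID: S-1-5-21-1111111111-2222222222-3333333333-1105
Account Name: jdoe

Additional Information:
Caller Computer Name: WS-0417

--- Event 2 of 2:

Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Logged: 03/13/2018 12:49:44
Event ID: 4740
Level: Audit Success
User:
Computer: "DC2"

A user account was locked out.

Subject:
Security ID: S-1-5-18
Account Name: DC2$
Account Domain: CORP
Logon ID: 0x3E7

Account That Was Locked Out:
Security ID: S-1-5-21-1111111111-2222222222-3333333333-1105
Account Name: jdoe

Additional Information:
Caller Computer Name: WS-0422
"""


def split_events(text):
    """Split macro output into one chunk per '--- Event N of M:' marker."""
    parts = re.split(r"^--- Event \d+ of \d+:[ \t]*$", text, flags=re.MULTILINE)
    return [p.strip() for p in parts if p.strip()]


def parse_event(chunk):
    """Separate the SolarWinds header lines from the Windows event body.

    Non-breaking spaces (which the pasted output contains on 'blank' lines)
    are normalised so they do not leak into the body.
    """
    header, body_lines, in_body = {}, [], False
    for raw in chunk.splitlines():
        line = raw.replace("\xa0", " ").strip()
        if not in_body:
            m = re.match(r"^([A-Za-z ]+?):\s*(.*)$", line)
            if m and m.group(1) in HEADER_KEYS:
                header[m.group(1)] = m.group(2).strip('"')
                continue
            if not line:
                continue
            in_body = True  # first non-header line: 'A user account was locked out.'
        body_lines.append(line)
    return {"header": header, "body": "\n".join(body_lines).strip()}


def lockout_details(event):
    """Pull the fields an analyst wants from a 4740 body: victim account and caller."""
    body = event["body"]
    locked = re.search(r"Account That Was Locked Out:.*?Account Name:\s*(\S+)", body, re.S)
    caller = re.search(r"Caller Computer Name:\s*(\S+)", body)
    return {
        "dc": event["header"].get("Computer", ""),
        "logged": event["header"].get("Logged", ""),
        "account": locked.group(1) if locked else "",
        "caller": caller.group(1) if caller else "",
        "subject_text": body,  # the trimmed message to put in the email
    }


def summarize_by_dc(text, event_id="4740"):
    """Return {dc_name: [details, ...]} so each DC keeps its own message."""
    per_dc = {}
    for chunk in split_events(text):
        event = parse_event(chunk)
        if event["header"].get("Event ID") != event_id:
            continue  # ignore any other event IDs the template might pass through
        d = lockout_details(event)
        per_dc.setdefault(d["dc"], []).append(d)
    return per_dc


def format_alert(text):
    """One email body per DC: header stripped, DC named explicitly."""
    return {dc: "\n\n".join(f"Reported by {dc} at {d['logged']}:\n{d['subject_text']}"
                            for d in items)
            for dc, items in summarize_by_dc(text).items()}


if __name__ == "__main__":
    for dc, msg in format_alert(SAMPLE_EVENTS).items():
        print(f"=== {dc} ===\n{msg}\n")
```

Keying on the header's Computer field is what separates the two DCs; the Subject section's "Account Name: DC2$" carries the same information, which is why the post's DC2 example looks identical apart from that line.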