I have been trying, with partial success, to generate an email alert when somebody adds a member to the local administrators group on servers within our estate.
I have set up the Component Monitor to look for event ID 4732 in the Security logs and an alert to generate an email when that Monitor is in a Down state and it all works OK in terms of generating the alerts I want to see.
However, we also get alerts when servers go offline. I tried adding a third condition to the alert trigger:
Component - Component Name (Component Alerting Properties) - is equal to - Microsoft-Windows-Security-auditing-4732
Component - Status - is equal to - Down
Node - Status - is equal to - Up
But I still got an alert when a server was powered down this morning.
I'm struggling to see what else I can do. Any suggestions?
I think you could get away with removing the "Component Status is equal to Down" condition. If not, you could try making the component monitor trigger condition's "must be true for" duration longer than that of the server down alert, so that hopefully it doesn't trigger at all because the server down alert will come in first. My guess is the trigger conditions are triggering as soon as they are true, so the component is going down and alerting right before the server is seen as down.
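To illustrate the ordering problem the question describes (component Down is seen a few seconds before the node is seen as Down) and the hold-time workaround in the answer, here is a small Python model of the trigger logic. It is an added example, not SolarWinds code or anything from the original thread; the `Evaluator` class, the `hold_seconds` setting (standing in for the alert's "must be true for" duration) and the two event sequences are all constructed for the example. The assumption that a node going Down discards any pending component-Down condition is also part of the model, not a statement about how SAM evaluates status internally.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Hypothetical model of the alert trigger discussed in the thread:
#   Component "Microsoft-Windows-Security-auditing-4732" is Down  (event 4732 was seen)
#   AND Node is Up
#   AND the condition has been continuously true for `hold_seconds`.
# This is constructed example code, not the SolarWinds evaluation engine.

Event = Tuple[float, str, str]  # (timestamp_seconds, "component" | "node", "Up" | "Down")


@dataclass
class Evaluator:
    hold_seconds: float                      # the "must be true for" duration
    component_down_since: Optional[float] = None  # None means the 4732 monitor is Up
    node_up: bool = True
    fired_at: Optional[float] = None         # suppress re-firing for one Down episode
    alerts: List[float] = field(default_factory=list)

    def observe(self, ts: float, source: str, status: str) -> bool:
        """Apply one status change, then re-evaluate the trigger at time ts."""
        if source == "component":
            if status == "Down":
                if self.component_down_since is None:
                    self.component_down_since = ts
            else:
                # Component back Up: clear the episode so a later 4732 can alert again.
                self.component_down_since = None
                self.fired_at = None
        elif source == "node":
            self.node_up = (status == "Up")
            if not self.node_up:
                # Assumption of this model: an unreachable node has no trustworthy
                # component status, so a pending component-Down is discarded.
                self.component_down_since = None
        return self.evaluate(ts)

    def evaluate(self, ts: float) -> bool:
        """Return True (and record an alert) if the trigger fires at time ts."""
        if self.component_down_since is None or not self.node_up or self.fired_at is not None:
            return False
        if ts - self.component_down_since >= self.hold_seconds:
            self.fired_at = ts
            self.alerts.append(ts)
            return True
        return False


def run(events: List[Event], hold_seconds: float, final_poll_ts: float) -> List[float]:
    """Replay a constructed event sequence and return the timestamps of alerts raised."""
    ev = Evaluator(hold_seconds)
    for ts, source, status in events:
        ev.observe(ts, source, status)
    ev.evaluate(final_poll_ts)  # a later polling cycle with no status change
    return ev.alerts


# Constructed scenario 1: a real 4732 on a server that stays Up.
GENUINE_4732: List[Event] = [(0, "component", "Down")]

# Constructed scenario 2: the server is powered off. The 4732 monitor is seen as
# Down 90 seconds before the node itself is seen as Down.
SERVER_POWERED_OFF: List[Event] = [(0, "component", "Down"), (90, "node", "Down")]

if __name__ == "__main__":
    for hold in (0, 300):
        print(f"hold={hold}s genuine 4732 ->", run(GENUINE_4732, hold, 600))
        print(f"hold={hold}s powered off  ->", run(SERVER_POWERED_OFF, hold, 600))
```

With no hold time the powered-off sequence fires at t=0, which is the spurious alert the question reports; with a 300-second hold the node-Down arrives first and the pending condition is discarded, while the genuine 4732 still fires at the next poll after the hold expires. The cost, visible in the output, is that a real administrator-group change is reported later by roughly the hold time, so the hold should be set only a little longer than the interval at which node-Down is detected.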