Can you be a little more precise on what events you need? The codes 4099 and 4098 could appear in multiple logs (System, Security, Application, etc) or from multiple applications and mean different things based on what is generating them and where they occur.
Assuming you mean these:
I'd suggest that you run a search like this for the 4099:
And like this for the 4098:
This is all predicated on your:
- Having the Agent running on machines where this event has occurred in the past
- Having the Connectors setup to capture those events (though these examples use Connectors the Windows Agent sets up by default)
- That you're searching a time-range where the event occurred
- That your connectors have their default Tool Aliases
Once you know what the events are normalized as, building a rule to look for those precise events and send an e-mail or other alert should be pretty simple.