Hello

I am trying to put together a rule that will look for event id equals 666 Parameter 6 contains joeuser. The rule is looking at the security log on the Domain Controller. When the target agent gets the rule and the rule is triggered, I get an event id 11904

“The Microsoft Operations manager expression filter module failed to query the deliverable item, item was dropped expression: property 6.

I used log parser to find the correct parameter number and according to the output it looks to me like it should be parameter 6. Below is the output from logparser, and from what I can tell parameter 6 should be shofmann

CN=joeuser,OU=Enterprise Infrastructure,DC=corp,DC=kbb,DC=com|%{S-1-5-21-16

09914624-233329157-1947940980-4986}|.Enterprise Infrastructure DBA|KBB|%{S-1-5-2

1-1609914624-233329157-1947940980-5683}|shofmann|KBB|(0x1,0x7A1A069F)|-

==============
Missed an email? Check out the list archive:
http://myitforum.com/cs2/blogs/momlist/