OpsMgr 2007 SP1 – Creating a rule to monitor logon events
At times people use a service account to log on to machines. This can lock out the service account and bring down the service, which is not acceptable to the business, so we need a monitor or rule that watches for this behavior.
We can create either a monitor or a rule; the process is much the same, except that a monitor affects the availability state of the business application while a rule does not. Another thing to pay attention to is how the monitor gets reset once the state change has occurred. So I prefer to use a rule instead:
Go to the authoring console, expand Management Pack Objects, right-click Rules and select Create a new rule. In the next window, expand Alert Generating Rules, expand Event Based and select NT Event Log (Alert). Make sure you save it in a management pack other than the Default Management Pack, see below.
Type a name for your new rule, set the Rule Category to Alert, set the Rule target to Windows Computer and uncheck the Rule is enabled check box. We will do an override later to enable this rule for a targeted group. It is kind of counterintuitive, but that's how this works!
Set the Log name to "Security".
For the purpose of this blog I am targeting a Windows 2008 domain, where the event ID for a successful logon event is 4624. If you are targeting a Windows 2003 domain, the event ID is different!
Delete the Event Source row and click Insert, choose the third option, Use parameter name not specified above, type EventDescription in the box and click OK.
In the next window, set the Operator to "Contains" and type the target account in the Value column (xyz\yli here).
In the next screen, type $Data\EventDescription$ in the alert Description field.
Click on the Create button to create the rule.
Next, do an override to enable this rule for a pre-defined group that contains all the Windows 2008 domain controllers, since all the logon events are logged on the domain controllers.
That is all you need to create a monitor/rule for account logon events. There are other posts out there, but the procedure above worked for me!
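As an added example (not from the original post), here is the same account check done in PowerShell: first against a constructed 4624 event, then against the live Security log on a domain controller, which is a handy way to see what the rule will match before the override enables it. The account xyz\yli is the one from the post; the function and variable names are my own assumptions.

```powershell
# Added example, not from the original post. Checks 4624 events for a watched
# service account, the same test the OpsMgr rule performs with "Contains".
# Assumptions: account 'xyz\yli' from the post; the live query runs on a
# Windows 2008 domain controller with rights to read the Security log.

$WatchedAccount = 'xyz\yli'   # Domain\account from the post, adjust as needed

function Test-WatchedLogon {
    param(
        [Parameter(Mandatory)] [string]$EventXml,
        [Parameter(Mandatory)] [string]$Account
    )
    $x = [xml]$EventXml
    $data = @{}
    foreach ($d in $x.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    $domain, $user = $Account -split '\\', 2
    # Match the structured New Logon fields rather than a substring of the
    # rendered description: a 4624 description carries both a Subject and a
    # New Logon account, so "Contains xyz\yli" cannot tell which one matched.
    return ($data['TargetDomainName'] -ieq $domain -and $data['TargetUserName'] -ieq $user)
}

# Constructed sample 4624 body, trimmed to the fields used here
$sample = @"
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4624</EventID></System>
  <EventData>
    <Data Name="TargetUserName">yli</Data>
    <Data Name="TargetDomainName">XYZ</Data>
    <Data Name="LogonType">2</Data>
  </EventData>
</Event>
"@

if (Test-WatchedLogon -EventXml $sample -Account $WatchedAccount) {
    "Sample event: watched account logon detected (LogonType 2 = interactive)"
}

# Live check on a domain controller: pull recent 4624 events and keep only
# those for the watched account, to validate the rule before enabling it.
Get-WinEvent -LogName Security -FilterXPath "*[System[EventID=4624]]" -MaxEvents 500 -ErrorAction SilentlyContinue |
    Where-Object { Test-WatchedLogon -EventXml $_.ToXml() -Account $WatchedAccount } |
    Select-Object TimeCreated, Id, MachineName
```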