We have to monitor the logon timestamp or the user details of whoever logs into the server, and have an alert triggered from SCOM: when someone logs into the server, we need the alert to be triggered.
Please help us here...
@ShivaRavichandran-6199, hope everything is going well. I am writing to see if there's anything unclear with the information we provided. If yes, feel free to let us know.
Thanks and have a nice day!
If the response is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
@ShivaRavichandran-6199, agree with Roger. For our request, the main steps are as below:
1. Use GPO to open Auditing.
2. Create a monitor or rule to monitor the Windows event ID. For a successful logon, event ID 4624 is generated in the Security log. For a failed logon, event ID 4625 is generated.
For the parameters in the two events, here are the links for the reference:
https://www.windows-security.org/windows-event-id/4624-an-account-was-successfully-logged-on
https://www.windows-security.org/windows-event-id/4625-an-account-failed-to-log-on
Note: Non-Microsoft link, just for the reference.
Hope it can help.
I think you can try enabling auditing on the user account and creating a monitor or rule based on the related events. For details, please refer to:
Enable auditing:
Account Management
https://www.lepide.com/blog/audit-successful-logon-logoff-and-failed-logons-in-activedirectory/
Create an event monitor or rule:
How to Create a Simple Windows Event Unit Monitor
https://social.technet.microsoft.com/wiki/contents/articles/51547.scom-monitor-a-specific-windows-event.aspx
Windows Event ID 4624 – Successful logon
https://www.manageengine.com/products/active-directory-audit/kb/windows-security-log-event-id-4624.html#:~:text=Event%20ID%204624%20(viewed%20in,4625%20documents%20failed%20logon%20attempts.
Roger
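Before building the SCOM rule, it helps to confirm on the server that auditing is producing events 4624 and 4625 and to see which fields hold the timestamp and user details. The script below is an added example, not part of either answer in this thread; the function name `ConvertTo-LogonRecord`, the one-hour window and the choice of logon types to keep are assumptions, and it must run in an elevated PowerShell session to read the Security log.

```powershell
# Added example (not from the thread): list recent logon events with the
# fields an alert would report. Run elevated on the monitored server.

function ConvertTo-LogonRecord {
    param([Parameter(Mandatory, ValueFromPipeline)] $Record)
    process {
        # EventData values are named in the event XML; index them by name.
        $xml  = [xml]$Record.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        [pscustomobject]@{
            TimeCreated = $Record.TimeCreated
            Result      = if ($Record.Id -eq 4624) { 'Success' } else { 'Failure' }
            User        = '{0}\{1}' -f $data['TargetDomainName'], $data['TargetUserName']
            LogonType   = [int]$data['LogonType']
            SourceIp    = $data['IpAddress']
        }
    }
}

# 4624 is also logged for services, scheduled tasks and network sessions, so an
# alert on the event ID alone is noisy. Assumption: only logons made by a person
# are of interest.
#   2 = Interactive (console)   7 = Unlock
#  10 = RemoteInteractive (RDP) 11 = CachedInteractive
$humanLogonTypes = 2, 7, 10, 11

Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4624, 4625
    StartTime = (Get-Date).AddHours(-1)   # assumed look-back window
} -ErrorAction SilentlyContinue |
    ConvertTo-LogonRecord |
    Where-Object { $_.LogonType -in $humanLogonTypes } |
    Sort-Object TimeCreated |
    Format-Table -AutoSize
```

If the script returns nothing after a test logon, the audit policy from step 1 is not yet applied to the server; if it returns far more rows than expected without the logon-type filter, the same filter belongs in the SCOM rule's event expression.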