Hi, I am trying to use the event monitor to alert us when a service account gets locked out of AD. All our service accounts start with 'sv', but I don't seem to be able to filter the alert criteria to match this. I am using the 'User Account: Account was locked out' component from the Domain Controller Security application. It works as advertised and I get alerts whenever someone gets locked out, but I only want to know about the 'svXXXXXXX' accounts.
The username can be found in the alert (using the ${WindowsEventMessages} variable) but I don't know how to use that same variable in my trigger condition. Is anyone doing something like this, and if so, how are you doing it?
Any other options would be welcome, as long as we stop getting blamed when a developer incorrectly enters a pw into a webapp I will be happy