Hi
I have been trying, with partial success, to generate an email alert when somebody adds a member to the local administrators groups on servers within our estate.
I have set up the Component Monitor to look for event ID 4732 in the Security logs and an alert to generate an email when that Monitor is in a Down state and it all works OK in terms of generating the alerts I want to see.
However, we also get alerts when servers go offline. I tried adding a third condition to the alert trigger:
Component - Component Name (Component Alerting Properties) - is equal to - Microsoft-Windows-Security-auditing-4732
And
Component - Status - is equal to - Down
And
Node - Status - is equal to - Up
But I still got an alert when a server was powered down this morning.
I'm struggling to see what else I can do. Any suggestions?
Thanks