This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(32, 61%, 13%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESS%3C/text%3E%3C/svg%3E)
Hello all,
We are trying to implement a rule based alerting system that notifies user logon's for "Local-Admin" users , targeting all the monitored servers.
To test the same , we have created a rule as follows with personal credentials ( server login credentials).
we are able to generate alerts upon user log on , but we are unable to see logged on user details in the alert as well as event viewer security logs for event ID 4624.
after logging into the server, several (50) new entries are being generated in the event log and the same is being reflected in SCOM console.
Please assist us to proceed further.
Sushanth S K
Hi all,
the event is the right one. The only thing that needs to be done is the paramter mapping. There are two links that can help you do that. Link Nr.1 is from Kevin Holman:
Authoring rules for Windows 2008 events, and how to cheat
https://kevinholman.com/2009/02/24/authoring-rules-for-windows-2008-events-and-how-to-cheat/
and link Nr.2 is from the Q&A forums here (in particular the answer of Crystal):
Server Logon Monitor in SCOM 2016
https://learn.microsoft.com/en-us/answers/questions/389856/server-logon-monitor-in-scom-2016.html
This one will surely help also:
SCOM monitoring for event ID 4624
https://social.technet.microsoft.com/Forums/en-US/8ade29fd-08df-4d92-8b9b-c02eec2902d9/scom-monitoring-for-event-id-4624?forum=operationsmanagerauthoring
I hope I was able to help.
----------
(If the reply was helpful please don't forget to upvote or accept as answer, thank you)
Regards,
Stoyan
Hi @SChalakov ,
Thanks for your input. We have been able to sucessfully generate alerts for this event ID upon specific user logon.
That particular user field you're pointing at is the user account generating the event. If you look in event viewer, a lot of events have N/A for the User value. If you want the user id that's logging on, it's probably event parameter 2 that you can get by using $Data/Context/Params/Param[2]$ (in the body of the alert)
if you want to filter for specific user IDs when they logon you can try the event parameter or EventDescription in the filter/criteria for the rule.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(300.8, 39%, 39%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ES%3C/text%3E%3C/svg%3E)
Hi Andrew ,
Is it possible to provide the screen shot with with an example.
Thanks
Ravi