Creating an Event Expression for too many failed logins

  • Question

  • Hello,

    I would like to have SCE 2007 generate an alert when a machine receives 10 failed logins within a certain period of time. I've been trying to figure out how to do it with an Event Expression but haven't found any resources to help me reference the time aspect of it. I know that a failed login is event ID 529. How do I get the rest into the expression?

    Thank you.
    Wednesday, July 15, 2009 12:46 AM


  • Hi, if you look at the different types of monitors, there are monitors to monitor repeated events. They will check, for example, a number of event ID 529 events within X minutes. You don't need to build it with expressions in a rule or a simple event monitor.
    Anders Bengtsson | Microsoft MVP - Operations Manager | http://www.contoso.se
    • Marked as answer by stuperman4 Wednesday, July 15, 2009 10:01 PM
    Wednesday, July 15, 2009 1:16 PM
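
The counting that a repeated-event check performs (N occurrences of event ID 529 per machine within X minutes) can be sketched as a sliding window. This is an added example, not part of the thread and not SCE's own implementation; the 5-minute window, the function names and the sample events are assumptions constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAILED_LOGON_ID = 529          # event ID named in the question
THRESHOLD = 10                 # count named in the question
WINDOW = timedelta(minutes=5)  # assumed value; the thread leaves "X minutes" open


def repeated_event_alerts(events, event_id=FAILED_LOGON_ID,
                          threshold=THRESHOLD, window=WINDOW):
    """Return (computer, first_seen, last_seen) for each threshold breach.

    events: iterable of (timestamp, computer, event_id), in any order.
    """
    recent = defaultdict(deque)   # computer -> timestamps inside the window
    alerts = []
    for ts, computer, eid in sorted(events):
        if eid != event_id:
            continue
        q = recent[computer]
        q.append(ts)
        # Drop events that have aged out of the window ending at ts.
        while ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            alerts.append((computer, q[0], ts))
            q.clear()             # re-arm so one burst raises one alert
    return alerts


def constructed_sample():
    """Constructed sample events, not real log data."""
    t0 = datetime(2009, 7, 15, 9, 0, 0)
    events = []
    # SRV01: 10 failures 20 s apart (all inside 5 min) -> one alert
    events += [(t0 + timedelta(seconds=20 * i), "SRV01", 529) for i in range(10)]
    # SRV02: 10 failures 1 min apart (span 9 min) -> never 10 in one window
    events += [(t0 + timedelta(minutes=i), "SRV02", 529) for i in range(10)]
    # SRV03: 9 failures plus events with a different ID -> no alert
    events += [(t0 + timedelta(seconds=5 * i), "SRV03", 529) for i in range(9)]
    events += [(t0 + timedelta(seconds=5 * i), "SRV03", 528) for i in range(5)]
    return events


if __name__ == "__main__":
    for computer, start, end in repeated_event_alerts(constructed_sample()):
        print(f"ALERT {computer}: {THRESHOLD}+ failed logons {start} .. {end}")
```

Counting per machine keeps failures spread across many hosts from adding up to one alert, and the window length decides whether a slow series such as the SRV02 sample is caught.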