Windows Event Log Alerts With Same Event ID and Different Sources
When setting up an alert based on a Windows Event ID Code, is there a way to also specify the Event Source that the Windows Event ID must come from? For example, Windows Event ID 1126 can have two possible sources--Active Directory and MSExchangeSRS. If I only want an alert for 1126/Active Directory, is there a way to specify the Active Directory source in the Alert configuration?
However - we have submitted an enhancement request for this, and I'm working on a modification to make the source an available field for alerts. I'll post an update as soon as I either hear back from development, or I've got a modification.
It's been a while. Is this fixed in any recent version, or planned to be fixed?
Thanks
This hasn't made it into the product yet, but there is a workaround:
- Register a WindowsEventLog collection set up as follows:
  - Enter a unique name for the Instance (e.g. PriorityEvents)
  - Enter the Event ID you want, and select Allow
  - Enter the Source you want and select Allow
  - Select the applicable severities for the Events
- Make sure the appropriate severities are listed in the TypeList field for WindowsEventLog in Monitoring >> Manage Rules >> WindowsEventLog
- Create an Action rule or Correlated Event for the WindowsEventLog that only looks at the Instance name you set up for the Source/Event ID combination (PriorityEvents in the example)
If you run into any problems with this, or have any questions, please send an update.
Thanks,
Susan
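
Before entering the Event ID, Source and severities in the workaround above, it helps to confirm on the monitored host exactly which sources and severities log that Event ID. The following is an added example, not part of the original posts or of the monitoring product; the function name `Get-EventSourceBreakdown` is hypothetical, the log name is an assumption to adjust, and it assumes the product's Source field matches the provider name Windows records.

```powershell
# Added example: show which sources and severities emit a given Event ID,
# so the values entered in the collection match what the host really logs.
function Get-EventSourceBreakdown {
    param(
        [Parameter(Mandatory)] [int] $EventId,
        [string] $LogName   = 'Application',  # assumption: set to the log that holds the event
        [int]    $MaxEvents = 5000            # cap on how many recent events are examined
    )

    # Filter on log and Event ID only; the source is what we want to discover.
    $filter = @{ LogName = $LogName; Id = $EventId }
    $events = Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue

    if (-not $events) {
        Write-Warning "No events with ID $EventId found in log '$LogName'."
        return
    }

    # One row per source/severity pair, with a count and the newest timestamp.
    $events |
        Group-Object -Property ProviderName, LevelDisplayName |
        ForEach-Object {
            [pscustomobject]@{
                Source   = $_.Group[0].ProviderName
                Severity = $_.Group[0].LevelDisplayName
                Count    = $_.Count
                Latest   = ($_.Group | Measure-Object -Property TimeCreated -Maximum).Maximum
            }
        } |
        Sort-Object -Property Source, Severity
}

# Event ID 1126 is the one discussed in this thread.
Get-EventSourceBreakdown -EventId 1126 -LogName 'Application'
```

If more than one Source appears for the same Event ID, use the exact Source string and severities shown for the one that should alert.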
Hi,
we would very much appreciate this feature as well. Currently we are rewriting eventlog messages to give them a more unique event-ID based on the event source and severity.