What I have tried with my SCOM Rule is
"Use parameter name not specified above" since Event Description is not a
default option. The custom parameter I use is $Data/EventDescription$ with
operator of "matches wildcard" and the value "*Domain Admins*".
Any help is appreciated... TIA
KThomas
Try $Data/Context/Context/DataItem/EventDescription$ or $Data/Context/EventDescription$
instead.
Also, in Ops Mgr 2007, you have the ACS feature that can help you monitor
security within your organization.
-----
Regards
Anders Bengtsson
Microsoft MVP - MOM
http://www.contoso.se
K> The rule does work and alert if I just look for the Event IDs of 632
K> and 633
K>
K> "KThomas" wrote:
K>
I am aware of ACS and currently looking at what it takes to deploy it and in
our environment it could require a lot of resources from the data storage
(database) side, but I am not 100% sure on everything that it takes at this point.
Thanks Again,
KThomas
Here is a step-by-step guide for you: http://contoso.se/blog/?p=250
-----
Regards
Anders Bengtsson
Microsoft MVP - MOM
http://www.contoso.se
K> Thanks for the response... I will try them on Monday. One thing that
K> is interesting is when I use $Data/EventDescription$ for the Alert
K> Description it works fine. I will let you know if the other two
K> options you suggested work.
K>
K> I am aware of ACS and currently looking at what it takes to deploy it
K> and in our environment it could require a lot of resources from the
K> data storage (database) side, but I am not 100% sure on everything that it
K> takes at this point.
K>
K> Thanks Again,
K> KThomas
K> "Anders Bengtsson" wrote:
K>
I have been trying to find a list of values that could be used in the custom
parameters field but I never found one and assumed that I needed to use some
type of variable.
Thanks Again,
KThomas