Hi guys, I'm trying to get a Repeated WMI Event monitor working in SCOM 2012 SP1 CU5. Essentially I'm trawling the real-time ACS collector WMI instance for a specific event ID (4771), for any user account and a specific alert type stored in String04 as identified by querying the ACS.
WMI Repeated Event Rule specifics:
Repeated WmiEventProvider Tab
  Namespace: root\default
  Query: SELECT * FROM AdtsEvent WHERE EventID=4771

Repeated Event Expression Tab
  ( String04 Contains 0x18 ) - also tried ( String04 Contains '0x18' )

Repeated Event Detection Tab (alert only once for a single user account):
  Consolidation settings: $Data/EventData/DataItem/Property[@Name='TargetUser']$ $Data/EventData/DataItem/Property[@Name='TargetDomain']$
  Counting Mode: Trigger on Count, Sliding 30 second interval
  Compare Count: 3 (will increase once testing is completed).
Unfortunately nothing is displayed in the console (manual refresh, close/reopen, etc.), nor is anything alerted.
I've tested the WMI query in a single WMI Event rule and it is correct - I get console alerts for the Event ID, but this will alert on the first failure, not after a set number - I can't see a way to use a rule to count and alert on multiple events. In case you're wondering, I'm hoping to use this for real-time brute force alerting.
If you can see/advise on what I am doing wrong... !
Thanks, Chris
MCTS 70-640 | MCTS 70-642 | Prince2 Practitioner| ITIL Foundation v3 | http://www.cb-net.co.uk
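The counting the rule above is meant to do, written out as an added PowerShell example that is not part of the original post or of SCOM: a per-account sliding 30-second window over 4771 events whose String04 contains 0x18 (Kerberos KDC_ERR_PREAUTH_FAILED, i.e. a wrong password), firing once per TargetDomain\TargetUser when the count reaches 3. The event objects are constructed test data; the property names EventID, String04, TargetUser and TargetDomain follow the post's query and consolidation keys, while the Time property and the Find-BruteForce function name are assumptions made for the example.

```powershell
# Added example (not from the post or from SCOM): per-account sliding-window counter
# for event 4771 with Kerberos failure code 0x18 (KDC_ERR_PREAUTH_FAILED).
# Assumptions: String04 carries the failure code as text (as the post states) and
# each event carries a Time stamp; the objects below are constructed test data.

$base = Get-Date '2014-01-01 10:00:00'
$events = @(
    [pscustomobject]@{ EventID=4771; String04='0x18'; TargetUser='alice'; TargetDomain='CORP'; Time=$base.AddSeconds(0)  }
    [pscustomobject]@{ EventID=4771; String04='0x18'; TargetUser='alice'; TargetDomain='CORP'; Time=$base.AddSeconds(5)  }
    [pscustomobject]@{ EventID=4771; String04='0x17'; TargetUser='alice'; TargetDomain='CORP'; Time=$base.AddSeconds(6)  } # 0x17 = different failure code, must not count
    [pscustomobject]@{ EventID=4771; String04='0x18'; TargetUser='bob';   TargetDomain='CORP'; Time=$base.AddSeconds(8)  }
    [pscustomobject]@{ EventID=4771; String04='0x18'; TargetUser='alice'; TargetDomain='CORP'; Time=$base.AddSeconds(12) }
    [pscustomobject]@{ EventID=4771; String04='0x18'; TargetUser='alice'; TargetDomain='CORP'; Time=$base.AddSeconds(14) }
    [pscustomobject]@{ EventID=4771; String04='0x18'; TargetUser='bob';   TargetDomain='CORP'; Time=$base.AddSeconds(50) } # bob's 8 s failure is outside the window by now
    [pscustomobject]@{ EventID=4771; String04='0x18'; TargetUser='bob';   TargetDomain='CORP'; Time=$base.AddSeconds(55) }
    [pscustomobject]@{ EventID=4771; String04='0x18'; TargetUser='bob';   TargetDomain='CORP'; Time=$base.AddSeconds(58) }
)

function Find-BruteForce {
    param(
        [Parameter(Mandatory=$true)] [object[]] $Events,
        [int]    $WindowSeconds = 30,     # sliding interval from the post
        [int]    $TriggerCount  = 3,      # compare count from the post
        [string] $FailureCode   = '0x18'
    )
    $timestamps = @{}   # consolidation key -> times of matching events still inside the window
    $alerted    = @{}   # keys that already fired (alert only once per account)
    $alerts     = New-Object 'System.Collections.Generic.List[object]'

    foreach ($e in ($Events | Sort-Object Time)) {
        # Repeated event expression: EventID 4771 and String04 contains the failure code
        if ($e.EventID -ne 4771 -or $e.String04 -notlike "*$FailureCode*") { continue }

        # Consolidation: one counter per TargetDomain\TargetUser
        $key = '{0}\{1}' -f $e.TargetDomain, $e.TargetUser
        if (-not $timestamps.ContainsKey($key)) { $timestamps[$key] = @() }
        $timestamps[$key] += $e.Time

        # Sliding window: keep only occurrences newer than WindowSeconds before this event
        $cutoff = $e.Time.AddSeconds(-$WindowSeconds)
        $timestamps[$key] = @($timestamps[$key] | Where-Object { $_ -gt $cutoff })

        # Trigger on count, once per account
        if ($timestamps[$key].Count -ge $TriggerCount -and -not $alerted.ContainsKey($key)) {
            $alerted[$key] = $true
            $alerts.Add([pscustomobject]@{
                Account   = $key
                Count     = $timestamps[$key].Count
                FirstSeen = $timestamps[$key][0]
                LastSeen  = $e.Time
            })
        }
    }
    return $alerts
}

Find-BruteForce -Events $events | Format-Table -AutoSize
```

Run against the constructed data, the 0x17 event and the aged-out bob failure are ignored, and each account produces a single alert when its third 0x18 within 30 seconds arrives. To feed it live you would subscribe to the same AdtsEvent query the post uses (for example with Register-CimIndicationEvent against root\default, assuming AdtsEvent is delivered as an event class, which the working single-event rule suggests) and pass each delivered instance through the same filter and window. Keep in mind that 0x18 also fires for ordinary mistyped passwords, so a threshold of 3 in 30 seconds will page on users as well as on attackers; the post's plan to raise the count after testing is the right instinct.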