I have a rule in SCOM which generates alerts for account lockouts in our AD domain. I would like to include additional information when there is a lockout generated from an IIS server.
By default the rule will report the "caller machine" as the IIS server name. I would like SCOM to also include data for the event from the IIS logs. Namely, the client's IP address and client OS. I figure I can match the lockout event data and IIS log data by event time and username.
Can give me suggestions on how I might go about this?