How to configure real-time alert for specific events?
||Please perform the following steps to configure the real-time alert:
- Start NetWrix Management Console and navigate to the following node: Managed Objects / <Managed Object Name> / Event Log Manager / Real-time Alerts
- To start the New Alert wizard, right-click the Real-time Alerts node and select the New Real-time Alert option from the pop-up menu.
- On the first step of the wizard, specify the alert’s Name and Description and set the number of Alerts per one email. Grouped alerts for different computers will be delivered in separate email messages. This value is set to 1 by default, which means that each alert will be delivered as a separate email message. Click Next.
- On the Configure Real-time Alert Filters and Notifications window, create at least one event filter. Click the Add button to do that.
- In the Event tab, specify the filter’s Name and Description. Choose the appropriate event log in the Event Log dropdown list.
NOTE: Also you can type the specific log name the same way as it is specified in Event Viewer, for example: Microsoft-Windows-GroupPolicy/Operational
- For the next steps, you need the example of the event that you want to generate alert for. Navigate to the Event Fields tab and configure the filters of the event fields as you require. The mapping of event fields and event filters is shown at the screenshot below.
- The User field often does not contain the correct user name; for some events it can be found in the insertion strings also known as Event Data (see next step).
- In most cases, there is no need to specify all event fields in the Event Fields tab.
- You can use asterisk symbol to specify wildcards in the event fields (except Event ID and Event Level).
- In the Event ID field, you can specify event numbers separated via comma.
- The Insertion Strings tab allows you to filter the events by the additional strings of data also known as Event Data. To figure out the set of insertion strings and the values for a specific event, navigate to the Details tab of the event and expand the EventData node. Each string has Index and Value. The order is ascending and begins with index 1.
- The set of insertions strings is not constant and depends on the event type.
- In this particular example, the insertion strings are configured to filter only Interactive (Logon Type: 2) logons of the VD\Administrator account.
- Click OK to finish the Event Filter configuration. You can add the additional event filters in the filter list if needed.
- On the Configure Real-time Alert Filters and Notifications window, select Specify recipients and define the alert’s recipients email addresses or leave the Events Summary recipients option, the alert will be sending to Summary recipients list. Also you can click the Edit button and change the alert e-mail template if needed.
- Click Next, review the details and click Finish.