Authoring rules for Windows 2008 events, and how to cheat

Comments (7)

  1. Raphael Burri says:

    Hi Kevin

    Great post! But instead of counting the parameters, you could display the ‘XML View’ of a Windows 2008 event and then use the XPATH statements directly.

    So the TargetUserName would work out as (one line)

    EventData/DataItem/EventData/Data[@Name='TargetUserName']

    respectively

    $Data/EventData/DataItem/EventData/Data[@Name='TargetUserName']$

    Longer statements, but I love that my rules are much more readable like that if I ever have to come back and change them.

    Raphael

  2. Gavin says:

    Kevin

    What are you using to pull the logs together? I am trying to pull the log files from about 40 servers on a frequent basis to a centralised server. I have heard that logparser cannot access Windows 2008 64-bit servers.

    Any help is appreciated. This needs to be an automated background-type process.

  3. Ervin says:

    Hi Gavin,

    I do this kind of stuff with logparser. I use a scheduled script that exports the event data to a file (.evt) and then I use logparser to upload the content of the exported file to a database directly.

    This works fine, even for Windows 2008 64-bit server.

    I now have issues with the operation of Task Scheduler (Windows 2008 64-bit server) itself. If I run the task, either manually or scheduled, my script is not launched at all (although the history log states that it is). When I run the script manually, everything is just fine.

    Very annoying…

  4. vSphereKiwi says:

    @Ervin. Have you fixed the issue with Task Scheduler not running on Windows 2008 64-bit? I think it's not working because the "Start in (optional)" info within "Edit Actions" is missing. I know it says it is optional, but it should say mandatory instead. If you provide the folder name where you are running the script from, without the quotes, it will work.

    I hope this info helps.

  5. Aniruddha Kaslikar says:

    Hello Kevin,

    I am trying to set the Event Source as "Microsoft-Windows-Security-Auditing" along with the event ID and event level; however, something is wrong with it, as the server for which I set up the Audit Logon Failure rule is not alerting on the SCOM server. FYI, I cannot bypass the Event Source for the Windows 2008 server, as it is a mandatory field I need to include in the expression.

    Just wanted to know the exact event source for the Audit Logon Failure event ID 4625. Your help would be highly appreciated.

  6. Follow up question says:

    Hello Kevin,

    I am asking a simple question, I know, but please humor me. When I am configuring the rule (search for rule -> open properties -> Configuration tab -> edit the data source), on the "Expression" tab I am able to insert the Parameter Name, Operator, and Value. I would like to know what Parameter Name and Operator to tie the "$Data/EventData/DataItem/EventData/Data[@Name='TargetUserName']$" value to. I am looking for changes to the "Domain Admins, Enterprise Admins, and Schema Admins" groups and want to see what I can tie event IDs 4728 and 4729 to.

    I am seeing alerts in the console for all security groups and want to narrow it down to just the specific Admin groups, and am currently unsuccessful.
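The filtering asked about in comment 6, and the named-field XPath approach Raphael describes in comment 1, can be tried outside SCOM before touching a rule. The following is an added example, not code from the original post or its commenters: it queries the local Security log with the same XPath predicate (`Data[@Name='TargetUserName']` restricted to the privileged groups) and reads the event fields by name rather than by parameter position. It assumes the default English group names and an elevated PowerShell session on a domain controller.

```powershell
# Added example (not from the original post): list 4728 (member added to a
# security-enabled global group) and 4729 (member removed) for a fixed set of
# privileged groups, matching on the named EventData field TargetUserName.
# Assumption: default English group names; run elevated on a domain controller.
$groups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins')

# One alternative per group, joined with 'or'. This is the same XPath predicate
# form a SCOM event rule can use, so a hit here means the expression is right.
$groupClause = ($groups | ForEach-Object { "Data[@Name='TargetUserName']='$_'" }) -join ' or '
$xpath = "*[System[(EventID=4728 or EventID=4729)] and EventData[$groupClause]]"

Get-WinEvent -LogName Security -FilterXPath $xpath -MaxEvents 50 -ErrorAction SilentlyContinue |
    ForEach-Object {
        # Read fields from the event XML by @Name instead of counting parameters.
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        [pscustomobject]@{
            Time   = $_.TimeCreated
            Id     = $_.Id
            Action = if ($_.Id -eq 4728) { 'added' } else { 'removed' }
            Group  = $data['TargetUserName']
            Member = $data['MemberName']
            By     = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
        }
    } | Format-Table -AutoSize
```

Two caveats when carrying this over to a rule: 4728/4729 only cover security-enabled global groups, and in a native-mode domain Enterprise Admins and Schema Admins are universal groups, whose membership changes are logged as 4756/4757 instead, so a rule keyed on 4728/4729 alone will miss them; and the XPath string comparison is exact and case-sensitive, so the group name must match the log's spelling precisely.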

  7. Satyajit321 says:

    TYPO: 528 instead of 529 (FAILURE event)

    The event in question – has changed from EventID 528 on Server 2000/2003 – to EventID 4625 on Server 2008:

    528->4624
    529->4625
