Add Event ID and Text Filter to Event Log Monitor

Add Event ID and Text Filter to Event Log Monitor

How to Audit Windows Logons and Logon Failures

When a user logs into a Windows computer, or fails to logon, an event can be written to the Windows Event Log. This feature is built in to Windows.

The Event Log monitor in PA Server Monitor can tell you when one of these events occurs, thus alerting you to a server logon, or a failed server logon. And because the Event Log monitor has a configurable monitoring cycle (the Schedule button in the lower right corner), you can find out about the logon in nearly real time.

Create the Event Log monitor

Create an Event Log monitor on the server that you want to check. It's OK if there is already an existing Event Log monitor on the server -- you can have multiple monitors of any type on a server, or you can combine the steps below into your existing Event Log monitor.

Ensure the "Security" Event Log in the lower left corner is checked

In the large grid, go to the "Security" source (for Windows 2003 servers) or the "Microsoft Windows security auditing" source (for Windows 2008 or newer) and check the Audit Success and Audit Failure boxes. If both sources are available, check both (that way you'll be able to copy this monitor to other computers and it will work for both 2003 and 2008 servers).

In the source line(s) above, click the box in the first column labeled Filters. We're going to set a filter for the following Event IDs: