In our environment we have an old application that writes every event to the Application log with the same Event ID: 0.
I have tried to get the developers to change it but no go there.
Additionally, they dump everything into the description. So, I need to write a real-time monitor that looks for a string in insertion string 1 that contains
"Access Denied. This user is inactive."
or
"Access Denied. This user account does not exist."
and then alert when 3 events containing those strings occur within a 10-minute time frame.
Is this something you could teach me how to do or point me at the technical documentation that covers it?
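One way to build the monitor described above, as an added example and not code from the poster or the application in question: it subscribes to the Application log with an EventLogWatcher filtered to Event ID 0, checks insertion string 1 for the two strings, and keeps a sliding 10-minute window of matching timestamps so it can alert on the third hit. Assumptions not in the question: the event source/provider name is unknown, so the XPath filters on the Event ID alone; "alert" is implemented as Write-Warning; the hashtable named `$state` and the variable names are mine.

```powershell
# Added example (not from the original post): real-time watcher for Application
# log events with Event ID 0 whose insertion string 1 contains either
# "Access Denied" message, alerting when 3 such events land within 10 minutes.
# Assumptions: the provider/source name is unknown, so the XPath filters on the
# Event ID only; "alert" is Write-Warning (swap in Send-MailMessage, a SIEM
# forwarder, etc. as needed).

$state = @{
    Patterns  = @(
        'Access Denied. This user is inactive.',
        'Access Denied. This user account does not exist.'
    )
    Threshold = 3
    Window    = [TimeSpan]::FromMinutes(10)
    Hits      = @()    # timestamps of matching events inside the sliding window
}

# Structured XPath query: Application log, Event ID 0 only. The string match
# happens in the handler because the text lives in the insertion data.
$query   = New-Object System.Diagnostics.Eventing.Reader.EventLogQuery(
               'Application',
               [System.Diagnostics.Eventing.Reader.PathType]::LogName,
               '*[System[EventID=0]]')
$watcher = New-Object System.Diagnostics.Eventing.Reader.EventLogWatcher($query)

# -MessageData hands the shared state to the action block, which runs in its
# own scope and would not otherwise see script-scope variables.
$sub = Register-ObjectEvent -InputObject $watcher -EventName EventRecordWritten `
    -MessageData $state -Action {
    $st  = $Event.MessageData
    $rec = $EventArgs.EventRecord
    if ($null -eq $rec) { return }   # delivery failure: EventArgs.EventException is set instead

    # Properties[0] is insertion string 1 (%1 in the message template).
    $s1 = if ($rec.Properties.Count -gt 0) { [string]$rec.Properties[0].Value } else { '' }
    $matched = $false
    foreach ($p in $st.Patterns) { if ($s1 -like "*$p*") { $matched = $true; break } }
    if (-not $matched) { return }

    # Slide the window: keep only hits from the last 10 minutes, then add this one.
    $now    = if ($rec.TimeCreated) { $rec.TimeCreated } else { Get-Date }
    $cutoff = $now - $st.Window
    $st.Hits = @($st.Hits | Where-Object { $_ -ge $cutoff }) + $now

    if ($st.Hits.Count -ge $st.Threshold) {
        Write-Warning ('{0} access-denied events since {1:HH:mm:ss}; latest text: {2}' -f
                       $st.Hits.Count, $st.Hits[0], $s1)
        $st.Hits = @()   # design choice: require 3 fresh events before alerting again
    }
}
$watcher.Enabled = $true

Write-Host 'Watching Application log for Event ID 0 (Ctrl+C to stop)...'
try   { while ($true) { Start-Sleep -Seconds 1 } }   # idle loop lets the -Action block run
finally {
    $watcher.Enabled = $false
    Unregister-Event -SourceIdentifier $sub.Name
    $watcher.Dispose()
}
```

Before relying on it, confirm the text really lands in insertion string 1 rather than only in the rendered message: `Get-WinEvent -FilterHashtable @{LogName='Application'; Id=0} -MaxEvents 5 | ForEach-Object { $_.Properties[0].Value }` should print the description text; if it comes back empty, match on `$rec.FormatDescription()` instead. Also note that a source with no registered message file still carries its insertion strings, so this approach works even when Event Viewer shows the "description for Event ID 0 cannot be found" boilerplate. Clearing the window after each alert is a deliberate choice to avoid firing on every subsequent event; drop that line if you want an alert for each event past the threshold.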