Attempting to create a simple alert for specific Application Event Log ID

I feel like this should be easier, but all I'm trying to do is create an alert on Event ID 502 from the Application log. 

I've added Application Logs as a Data Source on this collection of workstations, even confirmed by manually browsing Repository Viewer that the 502 event ID has been logged and ingested by Intrust, however my alert fails to alert on it. 


I made a copy of the Unexpected reboot alert, changed the data source to Windows Application Log and modified the XML as follows; Is there a reason this isn't working? Do I need to specify the application log somewhere in the XML code?

Thanks for any help. 


<?xml version="1.0"?>
<rule type="REL" version="1.0">

in_range(EventID, "502");


EventID = 502
and striequ(Source, "eventlog");


  • Ok I figured it out, I needed to update (Source, "eventlog"); with the source of that particular Event ID which was (Source, "Microsoft-Windows-Folder Redirection");

    Now trying to figure how to have the User Account also added to the alert
  • Hi duran,

    Copying from another rule is worthy in case the rule is complex, and vice versa. So, in your case I recommend to create the rule from scratch, in some rule group click "New Rule", choose "Single event" -> "Windows Application Log" -> "Custom Filter for Application Log" -> "Event ID" -> "Edit", set "From 502 to 502" and give the name to this rule, that's it.