I feel like this should be easier, but all I'm trying to do is create an alert on Event ID 502 from the Application log.
I've added Application Logs as a Data Source on this collection of workstations, and even confirmed by manually browsing Repository Viewer that the 502 event ID has been logged and ingested by InTrust; however, my alert fails to alert on it.
I made a copy of the Unexpected reboot alert, changed the data source to Windows Application Log and modified the XML as follows. Is there a reason this isn't working? Do I need to specify the Application log somewhere in the XML code?
Thanks for any help.
<?xml version="1.0"?>
<rule type="REL" version="1.0">
  <arguments>
  </arguments>
  <prefilter>
    EventID = 502 and striequ(Source, "eventlog");
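The prefilter quoted above keeps the copied rule's test that Source equals "eventlog", so before touching the XML it is worth confirming which provider actually writes Event ID 502 to the Application log on one of these workstations. The following PowerShell check is an added example, not code from the original post or from Quest InTrust; it assumes it is run locally on a workstation that still holds the event, and the $computer variable is a placeholder for the target host.

```powershell
# Added example (not from the original post or InTrust): list the provider
# (event source) names that write Event ID 502 to the Application log, so the
# rule's striequ(Source, "...") test can be compared against the real name.
# Assumption: run on the workstation itself; change $computer for a remote host.
$computer = $env:COMPUTERNAME

# Read up to 50 instances of ID 502 from the Application log. Get-WinEvent
# raises an error when nothing matches, so that case is handled below.
$events = Get-WinEvent -ComputerName $computer -FilterHashtable @{
    LogName = 'Application'
    Id      = 502
} -MaxEvents 50 -ErrorAction SilentlyContinue

if (-not $events) {
    Write-Host "No Event ID 502 found in the Application log on $computer"
    return
}

# ProviderName is the event source; group by it to see every source that
# emits ID 502 and how often, which is what a Source comparison must match.
$events |
    Group-Object ProviderName |
    Select-Object Name, Count |
    Format-Table -AutoSize

# Show the newest matches with the fields a rule would evaluate.
$events |
    Select-Object TimeCreated, Id, ProviderName, LogName, Message -First 5 |
    Format-List
```

If the provider names printed here differ from the string tested in the prefilter, the Source comparison, not the data source selection, is the first thing to revisit in the rule.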