We have configured ntevl probe in our environment for capturing the event ID (Example) 4732 and 4733 which gets generated when one or more user being added\deleted into\from the Admin group.
What is happening here is if Windows team is adding or deleting more than one user on the same time stamp, we are only recieving single alert however when i checked the status bar of the ntevl configuration pop up window, i can see the three logs. I have worked on SCOM also but never face such issue. Now we have migrated from SCOM to CA Tool but i don't know if there is any workaround except removing the suppression. Practically we can't remove the suppression from NAS just for capturing few event id's related alerts because this will flood our console and multiple tickets for single issue. So this is not possible.
Second, Ntevl probe is capturing the information from the details tab and not from the general tab. This is also causing problem because in details tab we don't see required information. We need three entries in the message description:
1) Who is adding\deleting user
2) User ID which has been added\deleted
3) Group name in which the ID has been added\deleted
Now, in details tab we don't have number 2 information in readable format and we don't know which user id has been added or deleted. This information is also important to capture otherwise not use to enable this kind of monitoring.
I don't know if someone has ever noticed or face this problem or not but I need some workaround in this as quick as possible and will appreciate if someone can help me in fixing this issue.
Thanks & Regards,