
Lua: How to split alarm message and send the email 5 mins when there is same alert

Question asked by Jeth_OCBCWH on Mar 20, 2017
Latest reply on Mar 20, 2017 by KathyMaguire

Attached the snapshot FYI

Microsoft-Windows-Security-Auditing (4625 - Account Lockout): An account failed to log on.Subject:Security ID:S-1-5-18Account Name:UAT1Test$Account Domain:DomainLogon ID:0x3E7Logon Type:3Account For Which Logon Failed:Security ID:S-1-0-0Account Name:Account Domain:Development:Failure Reason:Account locked out.Status:0xC0000234Sub Status:0x0Process Information:Caller Process ID:0x1814Caller Process Name:\Device\HarddiskVolume6\SSH Tectia\SSH Tectia AUX\Support binaries\ssh-servant-g3.exeNetwork Information:Workstation Name:UAT1Test


I want to split the message above and set the

EventID 4625 = Var1; Account Name: UAT1Test = Var2; Account Domain:Development = Var3 and Workstation Name:UAT1Test = Var4


If the alarm message meets the requirement "Var1&Var2&Var3&Var4", just send the email once. If the alarm still exists after 5 mins, send the email again.


Any idea? Thanks for your help!
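
One way to do what the question asks, as an added example in plain Lua that is not from the thread and uses no monitoring product's API. It generalizes slightly: every distinct Var1..Var4 combination gets its own 5-minute window. The names `between`, `parse` and `should_send`, the `Source Network Address:` stop label, and the shortened sample message are assumptions made for this sketch.

```lua
-- Added example in plain Lua; it calls no monitoring-product API.
local WINDOW = 5 * 60   -- seconds between repeat e-mails for the same key
local last_sent = {}    -- key -> time of the last e-mail for that key

-- Text between `label` and `stop` (plain search), starting at `from`.
-- If `stop` is absent the value runs to the end of the message.
local function between(msg, label, stop, from)
  local _, e = msg:find(label, from or 1, true)
  if not e then return nil end
  local s = msg:find(stop, e + 1, true)
  local value = msg:sub(e + 1, s and s - 1 or -1)
  return (value:gsub("^%s+", ""):gsub("[%s:]+$", ""))  -- trim blanks and stray ':'
end

local function parse(msg)
  -- The target account block starts here; the Subject block comes before it.
  local target = msg:find("Account For Which Logon Failed:", 1, true)
  return {
    event_id    = msg:match("%((%d+)%s*%-"),                            -- Var1
    account     = between(msg, "Account Name:", "Account Domain:"),     -- Var2
    domain      = target and between(msg, "Account Domain:", "Failure Reason:", target), -- Var3
    workstation = between(msg, "Workstation Name:", "Source Network Address:"),          -- Var4
  }
end

-- Returns true (plus the key) when an e-mail should go out for this alarm.
local function should_send(msg, now)
  local f = parse(msg)
  if not (f.event_id and f.account and f.domain and f.workstation) then
    return false          -- message does not have the expected fields
  end
  local key = table.concat({ f.event_id, f.account, f.domain, f.workstation }, "|")
  now = now or os.time()
  if last_sent[key] and now - last_sent[key] < WINDOW then
    return false, key     -- same alert, e-mailed less than 5 minutes ago
  end
  last_sent[key] = now
  return true, key
end

-- Constructed sample: the message from the post, shortened.
local sample = [[Microsoft-Windows-Security-Auditing (4625 - Account Lockout): An account failed to log on.Subject:Security ID:S-1-5-18Account Name:UAT1Test$Account Domain:DomainLogon ID:0x3E7Logon Type:3Account For Which Logon Failed:Security ID:S-1-0-0Account Name:Account Domain:Development:Failure Reason:Account locked out.Status:0xC0000234Network Information:Workstation Name:UAT1Test]]

-- The same alarm seen at 0 s, 120 s and 300 s.
for _, t in ipairs({ 0, 120, 300 }) do
  print(t, should_send(sample, t))
end
```

`last_sent` lives only as long as the Lua state does, so if the host runs the script afresh for every alarm the timestamps have to be kept somewhere persistent. The actual e-mail call is host-specific and belongs in the caller, wherever `should_send` returns true.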