We purchased v1.78 of Host Monitor some time ago and have been very pleased with it. I have however recently run into an odd occurrence while monitoring the event logs of our PDC and BDCs. We have been logging against several specific failed login events on all of our Domain Controllers (Account Locked Out, Logging into an account that has been disabled, etc). Seems to work well when the event actually does happen, however we appear to be getting a lot of false alerts. We are monitoring solely against the Event IDs associated with these events. Any thoughts?
Thanks in advance for any light you can shed on this problem,
Do false alerts appear after a real one? Probably system time is not synchronized (different time on HostMonitor's system and on the system that you are monitoring). If it's possible, set the same time on both systems.
Actually No. We get a series of 5 or 6 Host Monitor Alerts and when we go to that server and search through the Event Logs we can't find even a single occurrence of the Event ID.
Yes all of our DCs have the Time Service from the Resource Kit installed and synch to a single Time Server in our Main Data Center. Some of the DCs we monitor are in different Time Zones but we have received false alerts across the board (our Time Zone as well as others).
I have checked the code and have one idea. Windows uses 32 bits for the EventID identifier, but 16 bits are reserved for different flags, and 16 bits the system uses for the real ID. HostMonitor performs the check using the 16 lower bits but allows you to specify an ID greater than 16 bits. Probably you and HostMonitor try to find different IDs?
What EventID do you monitor? Is it greater than 65535 or not?
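
Added example, not part of the thread and not HostMonitor's code: a sketch of the mismatch the last reply hypothesizes, where a filter value above 65535 is compared on its lower 16 bits only, so alerts fire on records that an exact search for the configured number never finds. The function names and sample identifiers are constructed; the split of the upper 16 bits into severity, customer and facility follows the Windows message-identifier layout and is an assumption not stated in the thread.

```python
from typing import NamedTuple

CODE_MASK = 0xFFFF  # lower 16 bits: the "real ID" the reply refers to

class EventId(NamedTuple):
    severity: int  # bits 31-30
    customer: int  # bit 29
    facility: int  # bits 27-16
    code: int      # bits 15-0

def split_event_id(raw: int) -> EventId:
    """Split a 32-bit event identifier into its flag fields and 16-bit code."""
    raw &= 0xFFFFFFFF
    return EventId(raw >> 30, (raw >> 29) & 1, (raw >> 16) & 0xFFF, raw & CODE_MASK)

def explain_filter(configured: int, raw_ids: list[int]) -> dict:
    """Compare low-16-bit matching with exact matching for one configured ID."""
    low16 = [i for i, raw in enumerate(raw_ids)
             if (raw & CODE_MASK) == (configured & CODE_MASK)]
    exact = [i for i, raw in enumerate(raw_ids) if raw == configured]
    return {
        "effective_code": configured & CODE_MASK,  # what to search for in the log
        "exceeds_16_bits": configured > CODE_MASK,
        "low16_matches": low16,
        "exact_matches": exact,
    }

# Constructed sample identifiers (not taken from any real log).
SAMPLE_IDS = [0x0000021B, 0xC000021B, 0x4001021B, 0x00000284]
# Constructed filter value above 65535, the case the reply asks about.
CONFIGURED = 0x0001021B  # 66075 decimal

if __name__ == "__main__":
    result = explain_filter(CONFIGURED, SAMPLE_IDS)
    print(f"configured {CONFIGURED} is matched as code {result['effective_code']}")
    for i in result["low16_matches"]:
        print(f"  alert on 0x{SAMPLE_IDS[i]:08X} -> {split_event_id(SAMPLE_IDS[i])}")
    print(f"exact 32-bit matches: {result['exact_matches']}")
```

When `exceeds_16_bits` is true, `effective_code` is the number to search for on the monitored server rather than the value typed into the filter.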