Hi - I am attempting to create a custom internal monitor that will alert us if the following Event ID does NOT occur within the past 24 hours:
Log Name: Microsoft-Windows-Backup
Date: 8/10/2018 12:19:19 AM
Event ID: 4
Task Category: None
The backup operation has finished successfully.
I have already configured Automate to pull in the crimson logs for Microsoft-Windows-Backup.
I have already configured Automate to blacklist the Event ID 4 listed above and verified that it is properly blacklisting (from viewing the database records), based off this post: https://www.labtechgeek.com/topic/3957-windows-server-backup-monitoring/?tab=comments#comment-23771
Here is my current internal monitor configuration:
Interval: Every 5 min
Monitor Mode and Duplicate Alert Frequency: Send Fail After Success
Table to Check: eventlogs
Field to Check: blacklistID
Check Condition: Equals
Result: 853 (this is the Database ID for the Event ID 4 blacklisted blacklistID)
Identity Field: Reverse.Query
Monitor Target: Service Plans.Windows Servers.Server Roles.Windows Servers Core Services.Domain Controllers (as I only want it running against my domain controllers)
NOTE: I have also manually excluded a handful of machines that are in the domain controllers group, but won't be running system state backups. These are excluded so they won't send false positive matches since they don't have system state backups.
I've set this up and it doesn't produce the results I was looking for - no matches currently, even though we had 2 servers with failed system state backups last night.
Is there a better way to accomplish this task?