VMware Cloud Community
HudsonInfoTech
Contributor

Why aren't Alerts recognizing a 'Last Hit'?

I have created an alert in Log Insight that is supposed to detect when a Windows Event ID 4740 (account lockout) is recorded. The query has a filter set to eventid=4740. The alert is set to notify 'On any match'. When an account lockout happens (Event 4740) I can edit the query and confirm it has a log detected within the last 5 minutes. Yet, the Alert never shows a 'Last Hit' and thus never generates a notification email. Any idea why?

For testing I have generated many account lockouts over a 5-10 minute period and yet Log Insight never detects a hit in the "Last Hit" column. Any help would be great.

I am using LI 4.5
