I have created an alert in Log Insight that is supposed to detect when a Windows Event ID 4740 (account lockout) is recorded. The query has a filter set to eventid=4740. The alert is set to notify 'On any match'. When an account lockout happens (Event 4740) I can edit the query and confirm it has a log detected within the last 5 minutes. Yet, the Alert never shows a "Last Hit" and thus never generates a notification email. Any idea why?
For testing I have generated many account lockouts over a 5-10 minute period and yet Log Insight never detects a hit in the "Last Hit" column. Any help would be great.
I am using LI 4.5