I have enabled monitoring for successfuly logons on thye server. All is well except I need to be alerted only for 3 types of Logons 2,7 and 10. WHich is for Consol, RDP and Unlock screen. I dont need to know for other types of logons such as service restart.
Event log displays several spaces after Logon Type "Logon Type: 7" I created amonitor set and tried carios combinations for spaces but nothing seems to work. As soon as I remove Description filter and simply monitor for Event ID 528 it works but I get too many alerts that are not important.
Does anyone have any ideas on how I can moniotr only specific Logon Types?