Event trigger for Interactive Logons

Some of my customers want to know if there have been any logons outside normal hours. With my previous NinjaRMM I used to have all INTERACTIVE logon events emailed to me. I’m rethinking this a bit with Syncro. I wonder if there is a way to monitor the interactive logons and email them to the specific customer instead of me. That way I’m not inundated with logon events, nor do I need to spend mental bandwidth looking over them. Another thought is to monitor interactive logons outside normal 8am-6pm business hours and send those, instead. It might be nice to have it also log an entry into the Asset’s recent Activity log.

The Event ID is 4624 and the Logontype is 2 in the event. While I can see how to monitor a specific Event ID, Syncro would notify of all Logontypes, which would inundate with all logons. I want to filter it on Logontype 2 only. Thoughts? Ideas?

Thanks in advance.

The way it should work is set the ID to 4624 then in the message field do %Logon Type: 2%. One problem may be if the gap between : and 2 is counting spaces.

The XML view of the event log shows this following. I have to show it in a graphic, because the forum formatter removes most of the text and just shows a 2 if I actually paste the XML code.

So, does this mean there would be NO spaces and it would be “LogonType2” for the message field? Or does this somehow always automatically put a colon in and it would be “LogonType:2”?