I made a monitor that sends an email to me if someone other than me logs into a server.
Security logs
Event ID 4624
parameter 9 equals 10
parameter 6 not equal "my username"
For the alerting I used
$Data/Context/Params/Param[6]$ logged into
$Data/Context/Params/Param[12]$ from
$Data/Context/Params/Param[19]$
So it'll tell me who and when they logged into the server.
I can even kill term services by running a cmd line: net stop termservice /y
What I would like is one that shows when someone logs into SQL with a service account.
Any suggestions?
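
The monitor criteria described in the post, as an added PowerShell example that is not part of the original post: it runs the same filter directly against the Security log and shows which 4624 field each SCOM Param index refers to. The `$AllowedUser` value and the 200-event limit are placeholders, and the session is assumed to be elevated so it can read the Security log.

```powershell
# Added example, not from the original post.
# Placeholder: the one account that should NOT raise an alert.
$AllowedUser = 'my username'

# Let the event log service do the cheap filtering:
# Event ID 4624 where LogonType is 10 (RemoteInteractive, i.e. RDP / Terminal Services).
$xpath = "*[System[(EventID=4624)] and EventData[Data[@Name='LogonType']='10']]"

# SCOM's Param[N] is 1-based over the event's <Data> elements.
# Get-WinEvent exposes the same values as the 0-based .Properties array,
# so Param[6] is Properties[5], Param[9] is Properties[8], and so on.
Get-WinEvent -LogName Security -FilterXPath $xpath -MaxEvents 200 -ErrorAction SilentlyContinue |
    Where-Object { $_.Properties[5].Value -ne $AllowedUser } |   # -ne is case-insensitive
    ForEach-Object {
        [pscustomobject]@{
            TimeCreated = $_.TimeCreated
            User        = $_.Properties[5].Value     # Param[6]  TargetUserName
            Domain      = $_.Properties[6].Value     # Param[7]  TargetDomainName
            LogonType   = $_.Properties[8].Value     # Param[9]  LogonType
            Workstation = $_.Properties[11].Value    # Param[12] WorkstationName
            SourceIp    = $_.Properties[18].Value    # Param[19] IpAddress
        }
    } |
    Sort-Object TimeCreated -Descending |
    Format-Table -AutoSize
```

Running this before deploying the monitor shows how many alerts the criteria would have raised on recent events and confirms that each Param index resolves to the expected field.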