Using Windows Alerts

Windows events received by the WRM are converted to alert event reports and sent to the Operations Sentinel server. These event reports can trigger alert actions in the active alert policy. The ALERTID of each event report combines two components of the Windows event that originated it, separated by a colon (:). These components are:

If the ALERTID matches the name of an action list in the active Operations Sentinel alert policy, the raise actions in the action list are initiated. See the Operations Sentinel Console Help for the following information:

Example

The ALERTID value NETLOGON:3095 indicates that the NETLOGON service was started on a Windows system that is part of a workgroup rather than a domain. If the active alert policy contains an action list named NETLOGON:3095, then all raise actions in this list are executed when the WRM raises the alert.