I was going to key on Event ID 540, the username, and configure the alert to hit if the authentication came from any IP other than the server hosting the log collection tool.
I have found that there are many log events (540) that have the Source Network Address blank. Can someone explain why this is?
Thanks!
ROB
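
The alert rule described in the post, sketched as an added example that is not part of the original post. It assumes events are already parsed into dictionaries; the field names, account name, IP addresses and the two renderings of a blank address are constructed for illustration. Events with a blank Source Network Address go to a separate review bucket, so they neither fire the alert nor pass as expected.

```python
# Added example: field names, account name and addresses are constructed.
COLLECTOR_IP = "10.0.0.5"        # assumed address of the log collection server
WATCHED_USER = "svc_logcollect"  # assumed account used by the collection tool
BLANK = {"", "-"}                # assumed renderings of an empty address field


def classify(event):
    """Return 'ignore', 'expected', 'review' or 'alert' for one parsed event."""
    if event.get("event_id") != 540:
        return "ignore"
    if (event.get("user") or "").lower() != WATCHED_USER:
        return "ignore"
    src = (event.get("source_address") or "").strip()
    if src in BLANK:
        return "review"      # no address to compare: cannot confirm or alert
    if src == COLLECTOR_IP:
        return "expected"
    return "alert"           # watched account used from another address


def triage(events):
    """Group events by verdict, dropping the ones the rule ignores."""
    buckets = {"expected": [], "review": [], "alert": []}
    for ev in events:
        verdict = classify(ev)
        if verdict in buckets:
            buckets[verdict].append(ev)
    return buckets


# Constructed sample events, not taken from a real log.
SAMPLE_EVENTS = [
    {"event_id": 540, "user": "svc_logcollect", "source_address": "10.0.0.5"},
    {"event_id": 540, "user": "SVC_LOGCOLLECT", "source_address": "10.0.0.77"},
    {"event_id": 540, "user": "svc_logcollect", "source_address": "-"},
    {"event_id": 540, "user": "svc_logcollect", "source_address": ""},
    {"event_id": 540, "user": "jsmith", "source_address": "10.0.0.77"},
    {"event_id": 538, "user": "svc_logcollect", "source_address": "10.0.0.99"},
]

if __name__ == "__main__":
    for verdict, items in triage(SAMPLE_EVENTS).items():
        print(verdict, len(items))
```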