I was creating a new rule for Windows 2008 and needed to find the parameters for the event so that I could filter the rule.

I would normally use Log Parser to find the parameters that I need to filter on, but an even quicker way with Windows 2008 is to look at the Details tab and then at the details under the EventData section; these will be the parameters that you can configure for the alert.


Also, one thing to check under the System section is the value that you should set as the source when creating the rule.


As you can see in this example, it is Microsoft-Windows-Security-Auditing, but if you look at the General view the source is Microsoft Windows security, so if you filter on Microsoft Windows security the rule will not work correctly.
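The same lookup can be scripted. The PowerShell below is an added example, not part of the original post: it reads the provider name from the System section and lists each EventData field in order. The event XML is a constructed sample (event ID, computer name and field values are made up for illustration), and numbering the parameters from 1 in document order is an assumption about how the rule maps them.

```powershell
# Constructed sample in the shape shown by the Details tab (XML View).
# On a live system the XML can come from a real event instead, e.g.:
#   $raw = (Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4624} -MaxEvents 1).ToXml()
$raw = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" />
    <EventID>4624</EventID>
    <Channel>Security</Channel>
    <Computer>server01.example.local</Computer>
  </System>
  <EventData>
    <Data Name="SubjectUserSid">S-1-5-18</Data>
    <Data Name="SubjectUserName">SERVER01$</Data>
    <Data Name="SubjectDomainName">EXAMPLE</Data>
    <Data Name="SubjectLogonId">0x3e7</Data>
    <Data Name="TargetUserSid">S-1-5-21-0-0-0-1104</Data>
    <Data Name="TargetUserName">jsmith</Data>
    <Data Name="TargetDomainName">EXAMPLE</Data>
    <Data Name="TargetLogonId">0x1a2b3c</Data>
    <Data Name="LogonType">10</Data>
  </EventData>
</Event>
'@

[xml]$evt = $raw

# Source to enter in the rule: the Provider Name under System,
# not the friendly name shown on the General tab.
$source = $evt.Event.System.Provider.GetAttribute('Name')

# Each Data element under EventData is one parameter.
# Assumption: parameters are numbered from 1 in document order.
$i = 0
$params = foreach ($d in $evt.Event.EventData.Data) {
    $i++
    New-Object PSObject -Property @{
        Parameter = "Parameter $i"
        Name      = $d.GetAttribute('Name')
        Value     = $d.InnerText
    }
}

"Source  : $source"
"EventID : $($evt.Event.System.EventID)"
$params | Select-Object Parameter, Name, Value | Format-Table -AutoSize
```

Comparing the printed source with the name on the General tab before saving the rule catches the mismatch described above.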



Also have a read of http://blogs.technet.com/momteam/archive/2008/02/01/authoring-event-rules-in-opsmgr.aspx for more information on this.