Why am I receiving account lockout alerts?

Last updated on 20 January, 2020

For WMI and Perfmon authentication, if the credentials you provide for logging in to a domain machine belong to a local user account (a computer account), you can receive account lockout alerts. The collector first tries to authenticate against the domain. When that authentication fails, it attempts to authenticate locally.

For example, if you provide Administrator as the account, you will receive domain alerts regarding Administrator failing to authenticate from the collector computer when attempting to log in to other computers via WMI.

To eliminate the initial domain authentication step, include the hostname in the wmi.user property by declaring it with the hostname token: ##HOSTNAME##\administrator. With this defined, when the collector attempts to connect to the iisserver1.corp server as a local administrator, the property resolves to iisserver1.corp\administrator.
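To find which devices still trigger the domain-first attempt, the check below audits wmi.user values and expands the ##HOSTNAME## token as described above. It is an added example, not LogicMonitor code: the device inventory is constructed, the function names are hypothetical, and only iisserver1.corp comes from this page.

```python
from collections import Counter

HOSTNAME_TOKEN = "##HOSTNAME##"  # token named on this page

def resolve_wmi_user(wmi_user: str, hostname: str) -> str:
    """Expand ##HOSTNAME## to the device's hostname, as the page describes."""
    return wmi_user.replace(HOSTNAME_TOKEN, hostname)

def classify(wmi_user: str, hostname: str) -> str:
    """Return 'local', 'other-prefix', 'unknown' or 'unqualified'."""
    resolved = resolve_wmi_user(wmi_user, hostname).strip()
    if "\\" in resolved:
        prefix = resolved.split("\\", 1)[0]
        # Prefix equal to the device's own hostname: local account,
        # so the initial domain authentication step is skipped.
        return "local" if prefix.lower() == hostname.lower() else "other-prefix"
    if "@" in resolved:
        return "unknown"  # form not covered by the page; left for manual review
    # Bare account name: the collector tries the domain first, then the
    # local machine, which is what produces the lockout alerts.
    return "unqualified"

def audit(devices):
    """Return (findings, per_account) for devices whose wmi.user is a bare name."""
    findings = [(d["hostname"], d["wmi.user"]) for d in devices
                if classify(d["wmi.user"], d["hostname"]) == "unqualified"]
    # Count how many devices send each bare account name to the domain first.
    per_account = Counter(user.lower() for _, user in findings)
    return findings, per_account

# Constructed sample inventory (all hostnames except iisserver1.corp are made up).
DEVICES = [
    {"hostname": "iisserver1.corp", "wmi.user": "##HOSTNAME##\\administrator"},
    {"hostname": "sql01.corp", "wmi.user": "Administrator"},
    {"hostname": "file02.corp", "wmi.user": "administrator"},
    {"hostname": "app03.corp", "wmi.user": "CORP\\svc-monitor"},
]

if __name__ == "__main__":
    findings, per_account = audit(DEVICES)
    for host, user in findings:
        print(f"{host}: wmi.user={user!r} is unqualified; "
              f"consider {HOSTNAME_TOKEN}\\{user}")
    for account, n in per_account.items():
        print(f"{account}: domain attempt precedes local logon on {n} device(s)")
```

The per-account count shows how many devices contribute failed domain logons for the same account name, which is what drives the lockout threshold.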