When trying to setup the ntevl probe to check for event id's on server, the information provided in the UIM alert is different than the event ID on the system.

The system shows the event ID, while the alarm is sent to UIM with a different code.

This information is generally applicable to all versions of UIM and Windows.

Event ID's, particularly the security-related ones, are specific to the local PC.

This is stored as a code and that is what is sent to UIM.

This is expected behavior based on normal UIM / DX Infrastructure Management and Windows operation.

Here are some details as to how Event Viewer works:

In Event Viewer if you look at the XML of the event view you won't see the Domain\User.
It should show as the same SID we see in our application.
This is because Event Viewer resolves the SID itself to show the account name.
If the SID cannot be resolved, you will see the source data in the outcome.

Note a security identifier (SID) is a unique value of variable length used to identify a trustee (security principal).
Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database.

Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user.
The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security.
When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group.
The probe does not correlate with AD to get the user.