14 Replies Latest reply: Mar 21, 2012 8:20 AM by smargh

How to configure alerts for account lockouts

krfitzgerald

is there a way to configure an alert in NPM to email me when someone locks out their AD account?

  • Re: How to configure alerts for account lockouts
    bobross

    I think you'll have to use APM/SAM to do this.  There is an account lockout template available that should get you started.


    This thread has some information and links to the templates:

    How to Create a Monitor to Alert on a Locked AD Account (Windows Server 2008 R2)

  • Re: How to configure alerts for account lockouts
    DanielleH

    krfitzgerald--

    I think this is something that could be solved with SAM.  Please see How to Create a Monitor to Alert on a Locked AD Account (Windows Server 2008 R2).

    Hope this helps,
    DH

  • Re: How to configure alerts for account lockouts
    smargh

    You can do this with NPM and SNMP traps.

    Configure all domain controllers - which is where the lockout event is logged - with evntwin.exe to send Security event ID 644 as a trap. NOTE: Server 2008+ domain controllers may log a different event ID than Server 2003 - I haven't checked. You will also need to configure the SNMP service itself with the trap destination(s) and community name - it's a tab in the properties of the SNMP service.

    You can do remote updates in bulk to all DCs with the evntcmd.exe tool & .cnf files. The .cnf files are created with the evntwin.exe tool, and you can edit the .cnf file manually to add comments etc.

    Next, you need to create a new trap rule in Orion. See the attached image for how my rule is set up - note that I have Site_Name as a node custom property, and I exclude "administrator" from the criteria because it very often unavoidably locks in our particular environment.

    I don't know why more people don't use Windows' built-in trap sending ability rather than using the frequently-advertised awkward (to me, anyway) SolarWinds Event Log Forwarder method of sending via syslog. Trap email alerts are more configurable.
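An added PowerShell example (not smargh's or SolarWinds' code) of the bulk evntcmd step described above: it writes a .cnf with the trap destination and the lockout event, then pushes it to every domain controller. It assumes the ActiveDirectory module is available where it runs, that the trap receiver address and community below are placeholders, and that Server 2008+ DCs log the lockout as event 4740 from source Microsoft-Windows-Security-Auditing (the 2008+ equivalent of 644, which the thread leaves unchecked).

```powershell
# Added example, not from the original thread.
# Assumptions: SNMP feature (evntwin/evntcmd) installed on each DC, the account
# running this can reach the DCs' remote registry/SNMP service, and the two
# values below are placeholders for the Orion trap receiver and its community.
$TrapDest  = '192.0.2.10'     # placeholder: Orion poller / trap receiver
$Community = 'public'         # placeholder: community string the receiver accepts
$CnfPath   = Join-Path $env:TEMP 'lockout-trap.cnf'

# #pragma ADD <EventLogFile> <EventSource> <EventID> [<Count> <Period>]
# Count 1 / Period 0 = send a trap for every single occurrence.
# 2003 DCs: event 644 from source "Security".
# 2008+ DCs (assumed, see lead-in): event 4740 from "Microsoft-Windows-Security-Auditing".
$cnf = @"
#pragma ADD_TRAP_DEST $Community $TrapDest
#pragma ADD Security Security 644 1 0
#pragma ADD Security Microsoft-Windows-Security-Auditing 4740 1 0
"@
Set-Content -Path $CnfPath -Value $cnf -Encoding ASCII

# Every DC must be configured: the lockout is logged only on the DC that saw
# the bad authentication attempts, not replicated to the others' event logs.
$dcs = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName

foreach ($dc in $dcs) {
    Write-Host "Applying trap configuration to $dc"
    # -s targets a remote computer, -v 10 is maximum status output;
    # evntcmd restarts the SNMP service on the target after applying the file.
    & evntcmd.exe -s $dc -v 10 $CnfPath
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "evntcmd failed on $dc (exit code $LASTEXITCODE)"
        continue
    }
    # Verify the trap destination landed: the SNMP service stores it under
    # TrapConfiguration\<community> as numbered REG_SZ values.
    $dest = Invoke-Command -ComputerName $dc -ArgumentList $Community -ScriptBlock {
        param($c)
        Get-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Services\SNMP\Parameters\TrapConfiguration\$c" -ErrorAction SilentlyContinue
    }
    if (-not $dest) { Write-Warning "No trap destinations found for community '$Community' on $dc" }
}
```

Run this again with the same .cnf when a DC is added; evntcmd treats an existing entry as already configured rather than duplicating it.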

    • Re: How to configure alerts for account lockouts
      krfitzgerald

      Where do I find evntwin.exe? I've never heard of it.

      • Re: How to configure alerts for account lockouts
        smargh

        It's installed when the SNMP feature is added to Windows. So, it's located at start->Run.

        • Re: How to configure alerts for account lockouts
          krfitzgerald

          OK, I have it open. How do I add events to the evntwin.exe console?

          • Re: How to configure alerts for account lockouts
            krfitzgerald

            OK, I found it. Do I need to configure this on all my domain controllers? Doesn't Active Directory log this in all the DCs' log files?

            • Re: How to configure alerts for account lockouts
              krfitzgerald

              Where do I create a trap rule? Your screens look a little different from mine. I'm in the Advanced Alert Manager.

              • Re: How to configure alerts for account lockouts
                smargh

                Trap Viewer -> View -> Alerts/Filter Rules

                Yes, domain controllers do AD replication, but they don't all log every single AD event to every Windows event log. An account lockout event is only logged on the DC which is receiving the bad authentication requests.

                • Re: How to configure alerts for account lockouts
                  krfitzgerald

                  OK, I'm really liking this solution. I still don't see how to create a trap rule. Is that in the Advanced Alert Manager? When I click New in the custom Advanced Alert Manager I don't see the options for a trap rule in the Trigger Condition tab. Where is that? Thanks so much for this post. This is awesome.

                  • Re: How to configure alerts for account lockouts
                    smargh

                    No - Open up the "Trap Viewer" application, then View -> Alerts/Filter Rules.

                    • Re: How to configure alerts for account lockouts
                      krfitzgerald

                      Where are the event log selections in the MIB tree?

                      • Re: How to configure alerts for account lockouts
                        smargh

                        There isn't one - SolarWinds doesn't handle Windows traps as easily/efficiently as it could.

                        You can use things like eventVar1, eventVar2, etc. in the Conditions tab, but in the Alert Actions section you can only refer to them as ${vbData1}, etc. SolarWinds desperately needs to improve the ability to configure trap events from built-in Windows events.

                        It's not unreasonable to think that the SolarWinds developers may not have been aware that the often-forgotten evntwin.exe and evntcmd.exe have existed for a long time, so that's why they wrote their Event Log Forwarder :)

                        As for figuring out which ${vbData[number]} variable to use, here's a handy template to help figure it out when testing. It would help *SIGNIFICANTLY* if the SolarWinds developers could simplify this by using the name "eventVar1" etc. rather than relying on vbDataN :(

                        vb1: ${vbName1} ${vbData1}
                        vb2: ${vbName2} ${vbData2}
                        vb3: ${vbName3} ${vbData3}
                        vb4: ${vbName4} ${vbData4}
                        vb5: ${vbName5} ${vbData5}
                        vb6: ${vbName6} ${vbData6}
                        vb7: ${vbName7} ${vbData7}
                        vb8: ${vbName8} ${vbData8}
                        vb9: ${vbName9} ${vbData9}
                        vb10: ${vbName10} ${vbData10}
                        vb11: ${vbName11} ${vbData11}
                        vb12: ${vbName12} ${vbData12}
                        vb13: ${vbName13} ${vbData13}
                        vb14: ${vbName14} ${vbData14}
                        vb15: ${vbName15} ${vbData15}
                        vb16: ${vbName16} ${vbData16}
                        vb17: ${vbName17} ${vbData17}
                        vb18: ${vbName18} ${vbData18}
                        vb19: ${vbName19} ${vbData19}
                        vb20: ${vbName20} ${vbData20}
                        vb21: ${vbName21} ${vbData21}
                        vb22: ${vbName22} ${vbData22}
                        vb23: ${vbName23} ${vbData23}
                        vb24: ${vbName24} ${vbData24}
                        vb25: ${vbName25} ${vbData25}
                        vb26: ${vbName26} ${vbData26}
                        vb27: ${vbName27} ${vbData27}
                        vb28: ${vbName28} ${vbData28}
                        vb29: ${vbName29} ${vbData29}
                        vb30: ${vbName30} ${vbData30}
                        vb31: ${vbName31} ${vbData31}
                        vb32: ${vbName32} ${vbData32}
                        vb33: ${vbName33} ${vbData33}
                        vb34: ${vbName34} ${vbData34}
                        vb35: ${vbName35} ${vbData35}
                        vb36: ${vbName36} ${vbData36}
                        vb37: ${vbName37} ${vbData37}
                        vb38: ${vbName38} ${vbData38}
                        vb39: ${vbName39} ${vbData39}
                        vb40: ${vbName40} ${vbData40}