Can anyone, particularly from the SAM product team, help me understand a few questions about the AppInsight for Active Directory template?
- Why is the default configuration of this application template to monitor port 389 with no encryption? This should default to 636 or 3269 using SSL (TLS).
- Why is this polling domain controller event logs for event ID 4648 (a logon was attempted using explicit credentials), and why does the component have a critical threshold of 5?
Speaking for my environment at least, it is expected to see many of these logged, which means that Active Directory is always marked as critical in SAM. (My current metric on one domain controller alone is 700!) Microsoft has a great KB article that describes this event ID (4648(S): A logon was attempted using explicit credentials). In short, it doesn't seem like a useful metric unless it targets specific recommendations that the KB article describes.
- Again, can we please have the option to selectively disable components in AppInsight templates, or the option to duplicate and edit the dupe? (I do understand that for these AppInsights, allowing customers to edit them does probably make SolarWinds feel exposed to the "hey, why didn't this monitor what you told me it would monitor" line of questioning from deviant ops, but perhaps that could be somewhat mitigated with a disclaimer in conjunction with the dupe/edit option.)
Thoughts? Thanks!
Sam