Using Solarwinds to send email alert when Event ID 4740 is detected?

Hi All,

We have multiple AD domain controllers spread across the globe (20+), so looking for Windows Security Event ID 4740 (locked-out account) on each one is cumbersome and time-consuming.

How can I get an email alert from SolarWinds with a meaningful body containing the fields below?

'User' = Jo
'DomainController' = PRDDC18-VM
'EventId' = 4740
'LockedOutTimeStamp' = 03/07/2020 1:15PM
'Message' = Account Locked Out.
'LockedOutLocation' = Jo-SurfacePro

Thank you in advance.

  • I don't know if you can easily modify the event log structure without a lot of custom SWQL/SQL queries but you can embed the event log message itself into your email.

    There are a few steps:

    1. Set up a Windows Event Log component monitor to look for that specific event. The out-of-the-box Windows Domain Controller Security template has this already so you can duplicate that template and remove/disable everything else.

    2. Once you have that assigned to your DCs, you will need to set up an alert. Create an alert for a "Component" and change the scope so it matches the component name (User Account: Account was locked out) or the name of the application monitor.

    The trigger condition will be Component Status = Down (unless you change the monitor to go into Critical instead of Down).

    3. In your trigger actions, you can use the variable: ${N=SwisEntity;M=ComponentAlert.WindowsEventMessages}

    This will include the detected event log message in the email.

    It's been a while since I did something like the above so I can't remember the results of every scenario (e.g. users getting locked out while the alert is active, etc).

    They will all show up on the Component Details view in SolarWinds in the Event Log Message Details resource.
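The SolarWinds variable above drops the raw event text into the email; the fields the original question asks for (user, caller computer, timestamp) live in the 4740 EventData and have to be pulled out by name. Added example, not from the thread or from SolarWinds: a PowerShell script that reads 4740 from one DC, parses the event XML, and builds the email body in exactly the requested layout. It assumes the RSAT ActiveDirectory module is installed (only for the PDC emulator lookup), rights to read the Security log remotely, and an SMTP relay; the SMTP server and addresses are placeholders. Because lockouts are replicated to the PDC emulator, querying that single DC covers the whole domain, which avoids polling all 20+ DCs.

```powershell
# Added example (not from the thread). Assumptions: RSAT ActiveDirectory module for
# (Get-ADDomain).PDCEmulator, remote read access to the Security log, and an SMTP relay.
# 4740 EventData layout (per Microsoft's event documentation): TargetUserName is the
# locked-out account and TargetDomainName holds the "Caller Computer Name".

param(
    [string]$DomainController = (Get-ADDomain).PDCEmulator,   # PDC emulator sees every lockout
    [int]$Hours = 1,
    [string]$SmtpServer = 'smtp.example.internal',            # placeholder, replace
    [string]$To         = 'soc@example.internal',             # placeholder, replace
    [string]$From       = 'lockout-alert@example.internal'    # placeholder, replace
)

function Get-LockoutEvent {
    param([string]$Computer, [datetime]$Since)

    $filter = @{ LogName = 'Security'; Id = 4740; StartTime = $Since }
    # Get-WinEvent raises a non-terminating error when nothing matches; treat that as "no lockouts".
    $events = Get-WinEvent -ComputerName $Computer -FilterHashtable $filter -ErrorAction SilentlyContinue

    foreach ($e in $events) {
        # Parse by field name rather than positional Properties[] indexes, which differ between OS builds.
        $xml  = [xml]$e.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        [pscustomobject]@{
            User               = $data['TargetUserName']
            DomainController   = $e.MachineName
            EventId            = $e.Id
            LockedOutTimeStamp = $e.TimeCreated
            Message            = 'Account Locked Out.'
            LockedOutLocation  = $data['TargetDomainName']   # caller computer name in 4740
        }
    }
}

function Format-LockoutBody {
    param([object[]]$Lockouts)

    # One block per lockout, in the layout requested in the question.
    $blocks = foreach ($l in $Lockouts) {
        @(
            "'User' = $($l.User)"
            "'DomainController' = $($l.DomainController)"
            "'EventId' = $($l.EventId)"
            "'LockedOutTimeStamp' = $($l.LockedOutTimeStamp.ToString('MM/dd/yyyy h:mmtt'))"
            "'Message' = $($l.Message)"
            "'LockedOutLocation' = $($l.LockedOutLocation)"
        ) -join "`n"
    }
    $blocks -join "`n`n"
}

$lockouts = @(Get-LockoutEvent -Computer $DomainController -Since (Get-Date).AddHours(-$Hours))
if ($lockouts.Count -eq 0) {
    Write-Verbose "No 4740 events on $DomainController in the last $Hours hour(s)"
    return
}

$body = Format-LockoutBody -Lockouts $lockouts
Send-MailMessage -SmtpServer $SmtpServer -To $To -From $From `
    -Subject "Account lockout(s) reported by $DomainController" -Body $body
```

Run it from a scheduled task on an interval matching `-Hours`, or call `Get-LockoutEvent` against a specific DC when you want the lockout as seen by the DC that processed it rather than the PDC emulator copy. The caller computer name is only as trustworthy as the client that reported it; a lockout caused by a service account on a member server will show that server, not the user's workstation.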

  • Thank you for the response.

    So if I have about 20+ domain controllers, does this require an AppInsight license x 20+?

  • This doesn't use AppInsight.

    Licensing usage depends on whether you have the newer SAMxxx license or the older ALxxx license.

    If older license - it uses the single Event Log Monitor component monitor - 1 component * 20 servers = 20 components
    If newer license - it will draw down one SAM node license per server, so 20 servers.

  • I'm still using the older AL license.

    I wonder where I find the option to create the "Windows Event Log component monitor"?

    I'm using SAM v2020.2.

  • Create a new app monitor template, then click Add Component Monitor.

    Search for 'contains' 'event', specify the quantity of monitors you want (in this case only 1, but worth noting the multi-add for other templates), tick the box, apply, and then follow Shuth's instructions above.