LEM: Create notification of AD account lockout

aca5tle

How can I setup a notification alert when a user is locked out of Active Directory?

I am using SolarWinds Log & Event Manager 5.4

Thanks

Find more posts tagged with

5.4

lem

Accepted answers

phil3

Hi, aca5tle.

We have a NATO5 rule called "User Account Lockout (Updated)" that you can configure to send you an email anytime a user locks himself out. You can also use the same logic to create a filter or nDepth search:

UserDisable.EventInfo = *Account Lock*

If you're not too familiar with LEM, here are some additional details:

To enable a NATO5 rule, go to Build > Rules, click the NATO5 Rules folder, and then search for the rule using the search box. Clone is a gear-menu option, and it automatically opens the rule editor so you can select the recipients for the email.
In the logic noted above, "UserDisable" is the alert, "EventInfo" is the field, and "Account Lock" is the search value with asterisks as wildcard characters.
If you build a filter using that logic, you can send it to nDepth at any time to search for historical instances of that alert-value pair.

For additional information about these steps, see:

I hope this helps.

Phil

All comments

phil3

Hi, aca5tle.

UserDisable.EventInfo = *Account Lock*

If you're not too familiar with LEM, here are some additional details:

To enable a NATO5 rule, go to Build > Rules, click the NATO5 Rules folder, and then search for the rule using the search box. Clone is a gear-menu option, and it automatically opens the rule editor so you can select the recipients for the email.
In the logic noted above, "UserDisable" is the alert, "EventInfo" is the field, and "Account Lock" is the search value with asterisks as wildcard characters.
If you build a filter using that logic, you can send it to nDepth at any time to search for historical instances of that alert-value pair.

For additional information about these steps, see:

I hope this helps.

Phil

aca5tle

Thanks for the reply. I enabled the rule but I am not receiving email alerts. My user account is set to receive alerts... but I'm not receiving them.

Thanks

FormerMember

There's a few possibilities for this one - the rule might not be firing at all, or if the rule IS firing, you might be missing the email active response tool.

Check out this KB: SolarWinds Knowledge Base :: Troubleshooting LEM Rules and Email Responses for all the details on troubleshooting this problem. The bottom of that KB has additional references, including: SolarWinds Knowledge Base :: How to Configure the Email Active Response Connector which is the most commonly overlooked step in the process.

HTH!

aca5tle

It worked!

SolarWinds Knowledge Base :: How to Configure the Email Active Response Connector