Community
- Command Central
- MVP Program
- Monthly Mission
- Blogs
- Groups
- Events
- Media Vault
Products
- Observability
- Network Management
- Application Management
- IT Security
- IT Service Management
- System Management
- Database Management
Content Exchange
- SolarWinds Platform
- Server & Application Monitor
- Database Performance Analyzer
- Server Configuration Monitor
- Network Performance Monitor
- Network Configuration Manager
- SQL Sentry
- Web Help Desk
Free Tools & Trials

AppInsight for Active Directory Alert is not really helpful ?

People,

I have enabled the AppInsight for Active Directory to monitor my AD domain controllers health & its metrics.

However, it keeps on sending me thousands of alert that is not really helpful in the email body, these are all the example:

Component Logon: Attempted logon using explicit credentials of Application "Active Directory 2016 Domain Controller Security" on PRODDC01-VM is currently in a state of "Down".

Component Logon: Account failed to log on of Application "Active Directory 2016 Domain Controller Security" on PRODDC04-VM is currently in a state of "Down".

Component User Account: Account was locked out of Application "Active Directory 2016 Domain Controller Security" on PRODDC01-VM is currently in a state of "Down".

How can I get more useful and descriptive alert that is a minimum containing information like:

AD User account, Time it was detected, AD computer source / location, etc...

Thank you in advance.

Find more posts tagged with

Accepted answers

All comments

jm_sysadmin

@itengineerI know what you mean. When I looked I needed to deal with this setting as well today on one of my domains.

Its important that you tailor the out of box set up to meet your needs. AppInsight is a fast easy way to get a lot of data on the thing, in the case Active Directory monitored quickly. Some of it may not apply to you. Some of it might be set up for enviroments with different workloads (typically smaller environments).

1.) Disable the default alerts

2.) Decide what down means for you.
2A.) Maybe this means setting the thresholds using the use baseline, maybe you want to look at the graph and take the top value for the past week set that to critical.

2B.) I recommend starting with not alerting on critical or warning items until you know you need them. "Down" means not functional.

3.) Build the alert - Again you are likely alerting on the critical or warning, but then you think you want to see the details of the thousands of events. I suggest not emailing about that.

If you do want that detail, its in the details. You can script gathering the info, maybe put it in to an alert custom property, and include that int he email similar to how the top 10 process on CPU example alert works.

I think it might be better to write a report and email that out to a person who will look at it if you are concerned about these events. In my world, this event is not broken or critical. I want to see it, and history is important, but it doesn't require my to immediately stop what I am doing.

Hopefully that helps, and if you need help building a report or making an app alert that makes sense let me know.

itengineer

Hi, @jm_sysadmin thanks for the reply and the explanation on this thread.

Yes please, would you be able to share some example or tips on the Active Directory app alert that makes sense?