• State Suggested Answer
  • Replies 15 replies
  • Answers 1 answer
  • Subscribers 36 subscribers
  • Views 2172 views
  • Users 0 members are here
Options
Related

AD user locked out alert using SAM

KOHLIfied

Hi Folks,

I am using SAM module and I wanted to get notified whenever a user account is locked out, with username and workstation info.

I have tried to achieve this by active directory templates, but is is giving loads of event message in single email. I want a one email with per user.

Can someone please help me with this requirement

Regards,

Akash

Parents
  • 0

    I can think of a lot of ways to do this, however if you want to use SAM try this. 

    Here is an example. This SAM Template is going to look for an event in the event log on our SQL servers for when it loses connection of it's twin replication server - event ID 1676.

    You can use any event you wish, this is the closest I have as an example.

    You will see at the bottom of the template I set it to go back 1.5 intervals and look for event ID 1676.

    Once you have your SAM template created. Make an alert to trigger for this. If the event ID 1676 is present in the last 1 1/2 polls then the SAM template wil go into a critical state. 

  • 0 in reply to bobmarley

    Hi    , 

    I tried the same method before posting to Thwack, but I received numerous events in a single alert email. My requirement is to receive an email with a single AD lockout event.

  • 0 in reply to KOHLIfied

    Ok, I'm kind of rusty on this method as I use another tool for this  could you please chime in as well? If you were to use SolarWinds Event Log Forwarder for Windows and forwarded that specific event to Log Analyzer and then set up a rule in Log Analyzer to great a ticket, email or whatever it should do one for each time the event triggers.  

  • 0 in reply to bobmarley

    The SolarWinds Platform Agent (same one used to monitor performance metrics) would be the preferred method instead of the SolarWinds Event Log Forwarder for Windows. The latter doesn't normalize the events and collapses everything into a single message, which makes creating rules challenging. The former should retain key aspects of the Windows Events as unique, filterable values, which is easier to work with inside the tool.

  • 0 in reply to chad.every

       On point. SolarWinds should consider this as a feature request. Since it is possible to monitor Windows Events using a SAM template, they should incorporate a feature to filter out unique keywords. This can then be integrated into alerts to send a single message per event, rather than sending a bunch of the same events occurring at the same time.

Reply Children
No Data

SolarWinds solutions are rooted in our deep connection to our user base in the THWACK® online community. More than 200,000 members are here to solve problems, share technology and best practices, and directly contribute to our product development process.

SolarWinds Customer Success Center Certification SolarWinds Lab Link Customer Portal
About THWACK Blogs Federal & Government Edit Settings Free Tools & Trials
Legal Documents Terms of Use Privacy California Privacy Rights Security Information
©2021 SolarWinds Worldwide, LLC. All Rights Reserved.