This discussion has been locked. The information referenced herein may be inaccurate due to age, software updates, or external references.

You can no longer post new replies to this discussion. If you have a similar question you can start a new discussion in this forum.

Alerting on 4740 Event IDs (lockouts) for subset of users

FormerMember over 10 years ago

Hi, I am trying to use the event monitor to alert us when a service account gets locked out of AD. All our service accounts start with 'sv', but I don't seem to be able to filter the alert criteria to match this. I am using the 'User Account: Account was locked out' component from the Domain Controller Security application. It works as advertised and I get alerts whenever someone gets locked out, but I only want to know about the 'svXXXXXXX' accounts.

The username can be found in the alert (using the ${WindowsEventMessages} variable) but I don't know how to use that same variable in my trigger condition. Is anyone doing something like this, and if so, how are you doing it?

Any other options would be welcome, as long as we stop getting blamed when a developer incorrectly enters a pw into a webapp I will be happy

Top Replies

0 aLTeReGo over 10 years ago

The Windows Event Log Monitor "Keywords" should allow for partial matching. Have you tried using just "sv" in that field and seeing if that limits the results to only the service accounts you're looking for? Another option would be to customize the "Locked out users" script to look for only service accounts that are locked out. I'm sure someone in the Script Lab would be able to assist you with that if you need assistance.

Another option depending how many service accounts you have would be to duplicate this component monitor for each service account, placing the full service account name within the keywords field.
Cancel
Vote Up +2 Vote Down

Cancel
0 FormerMember over 10 years ago in reply to aLTeReGo

aLTeReGo, thanks for the advice, I will try that. I have tried different combinations in the keywords/regular expression options and have been using quotes around strings, so I will give that one a shot. Eventually the right combination should work. I do have a powershell script that works (when run directly against a DC) but have not been able to make it work within SAM.
Cancel
Vote Up 0 Vote Down

Cancel

0 aLTeReGo over 10 years ago in reply to FormerMember

It's likely that the PowerShell script output is not formatted correctly for SAM. You may want to ask for assistance modifying your scripts output in the Script Lab

Scripts Must Report Status Through Exit Codes

Scripts must report their status by exiting with the appropriate exit code:

Exit Code	Meaning
0	Up
1	Down
2	Warning
3	Critical
Any other value	Unknown

For example, if you want to inform SolarWinds SAM that a VBScript reports Up status, you would exit the script using code similar to the following, where 0 reports Up:

Wscript.quit(0)

Scripts with Text Output

Scripts report additional details by sending text to the script’s standard output.

In APM 4.0.2 and earlier, each line of output contained a single detail in the following format:

DetailType:Value

# Script output comment

Message: The directory contains too many files.

Statistic: 5

While this is still true, SAM now supports multiple values returned by a script using the following format.

Statistic.Name1: x
Message.Name1: abc

Statistic.Name2: y
Message.Name2: abc

A numeric value used to determine how the monitor compares to its set thresholds. This must be an integer value, (negative numbers are supported).

Statistic.Name1: 123

Statistic.Name2: 456

Message

An error or information message to be displayed in the monitor status details. Note: Multi-line messages are supported. To use this functionality print each line using a separate command. For example:
Message.Name1: abc

Message.Name2: def

There is a limit of ten Statistic and Message pairs for the script. These can be placed anywhere in the script output. The Statistic and Message names you give must contain valid letters and/or numbers.

Sample output:

# Script comment: This shows two pairs. Ten pairs are possible.

Statistic.CPU: 31.08

Message.CPU: svchost.exe cpu usage

Statistic.RAM: 1234.56

Message.RAM: svchost.exe ram usage

0 FormerMember over 10 years ago in reply to aLTeReGo

Thanks, once we get caught up on other issues we will modify the script and give it a shot. Thanks again for all your help!
Cancel
Vote Up 0 Vote Down

Cancel
0 chack10 over 7 years ago in reply to aLTeReGo

Hey, I know this is an old post but i hope somebody can help me, I was wondering if there is a way to include the name of the Service account that gets locked into the alert that we create monitoring event 4740? Thanks!
Cancel
Vote Up 0 Vote Down

Cancel
0 FormerMember over 7 years ago in reply to chack10

cmarroquin. This is a pretty old post, yes!
Right now we are using the Windows Server Active Directory Security application and have the 4740 event ID as one of the params for the "User account: Account was locked out" component. In that component you can specify a keyword or regular expression to include, so maybe that will help. In our case it's a little easier as all of our service accts have a similar prefix.
Cancel
Vote Up +2 Vote Down

Cancel