
Event Log Monitor Issues - User account locked out

I set up the User Account lockout template to monitor the event log and to send out an alert when an account gets locked out. Below is the component monitor setup. I am spinning my wheels here trying to figure out why it is not working.

  • I checked GPO and the policy is enabled to write this to the security log
  • The security logs flip every 30 mins or so
  • I have searched for 4740 and nothing comes up
  • We do have users that are currently locked out.

This should be easy but for some reason I can't get this. Maybe our logs are flipping too fast?  Thanks!

pastedImage_0.png


Re: Event Log Monitor Issues - User account locked out

What does it say when you test it?

Re: Event Log Monitor Issues - User account locked out

Hello.

I'd start by leaving the log source and event inclusion empty, as well as setting the event type to any. Then assign this app template to the server that is hosting Active Directory.

Best regards,

Steffen

Re: Event Log Monitor Issues - User account locked out

When I test it says up.  We have had account lockouts and they are not registering in AD so not sure what I am missing. 


Re: Event Log Monitor Issues - User account locked out

Thanks! I will give that a try.


Re: Event Log Monitor Issues - User account locked out

I did what you suggested and still a no go. We finally saw the event ID 4740 on a DC and it still did not pick it up in SolarWinds. I am thinking I may create this monitor from scratch and see if it works.


Re: Event Log Monitor Issues - User account locked out

Hmm, perhaps you can turn on debugging and then look at the log and see if that sheds any light on why it's not working as expected.


Re: Event Log Monitor Issues - User account locked out

A more lightweight solution would be the Log Analyzer module of Orion which can show you all of the Windows events: Windows System Event Log Monitoring Software and Log Collector | SolarWinds


Re: Event Log Monitor Issues - User account locked out

Of course it is just easier to purchase the log analyzer and have it work. If we were not running LogRhythm all over the place I could probably bring up log analyzer BUT...

jack.vaughan
Level 9

Re: Event Log Monitor Issues - User account locked out

Perhaps this is a better alternative? I use this in our environment currently. Doesn't depend on the logs being around long enough to react.

AD Locked Out Accounts
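
The approach in the last reply (read lockout state from the directory instead of waiting for event 4740 to survive in the Security log), as an added PowerShell example that is not from the thread or from SolarWinds. It assumes the ActiveDirectory RSAT module, read access to the Security log on the PDC emulator, and a 30-minute look-back chosen to match the log rollover mentioned in the first post.

```powershell
# Added example, not from the thread. Cross-checks directory lockout state
# against 4740 events so a missing event shows up as a gap instead of silence.
Import-Module ActiveDirectory

# 1) State-based: accounts locked out right now, read from AD itself.
#    Does not depend on the Security log still holding the event.
$locked = @(Search-ADAccount -LockedOut -UsersOnly |
    Get-ADUser -Properties AccountLockoutTime, BadLogonCount |
    Select-Object SamAccountName, AccountLockoutTime, BadLogonCount)

# 2) Event-based: lockouts are recorded as 4740 on the PDC emulator,
#    so query that DC rather than an arbitrary one.
$pdc   = (Get-ADDomain).PDCEmulator
$since = (Get-Date).AddMinutes(-30)   # assumption: ~30 min log rollover
$events = @()
try {
    $events = @(Get-WinEvent -ComputerName $pdc -ErrorAction Stop -FilterHashtable @{
        LogName = 'Security'; Id = 4740; StartTime = $since
    } | ForEach-Object {
        [pscustomobject]@{
            TimeCreated    = $_.TimeCreated
            SamAccountName = $_.Properties[0].Value   # TargetUserName
            CallerComputer = $_.Properties[1].Value   # TargetDomainName carries the caller
        }
    })
} catch {
    # "No events found" is a normal result; anything else (access denied,
    # RPC unavailable) means the event check itself is broken.
    if ($_.FullyQualifiedErrorId -notlike 'NoMatchingEventsFound*') { throw }
}

# 3) Compare: locked in AD within the window but no 4740 seen on the PDC
#    emulator means the event was not retained or not audited there.
$seen = $events.SamAccountName
$report = foreach ($u in $locked) {
    [pscustomobject]@{
        SamAccountName = $u.SamAccountName
        LockedAt       = $u.AccountLockoutTime
        BadLogonCount  = $u.BadLogonCount
        Has4740        = $u.SamAccountName -in $seen
        LogGap         = ($u.AccountLockoutTime -ge $since) -and
                         ($u.SamAccountName -notin $seen)
    }
}
$report | Sort-Object LockedAt -Descending | Format-Table -AutoSize
```

Rows with `LogGap` set to `True` are the cases the original post describes: a user is locked out, yet no 4740 is available for an event-log monitor to match.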