4 Replies Latest reply on Aug 17, 2018 9:49 AM by kreases

Event Log Monitoring - Windows 2008

kreases Aug 16, 2018 3:07 AM

Our service desk get calls for locked out accounts, when they do they look at the SAM monitor that is set up to show the event id 644 in Windows 2003, this works great, they do a search on the list for the account number being effected and the message shows the account number and Server in question, they don't have to do anything else.

They used to have to check four Windows 2003 domain Servers for the lock outs however we have added a further four domain controllers which are running Windows 2008, in this case we check for event id 4740, this works fine but when the service desk come to look at the list and filter it down by the users account the message no long shows the account and server in the list they have to click on each of the event entries to see this which as you can imagine having to do that on multiple messages adds work/time to an already busy desk.

Now I realize this is down to the different format of the event log in Windows 2008 compared to Windows 2003 but in an effort to try and help the service desk I wondered if anyone had come across this before and had found a way to show the account and server name on the message list, thanks in advance.

Re: Event Log Monitoring - Windows 2008

neomatrix1217 Aug 16, 2018 10:44 PM (in response to kreases)

Have you thought about trying Orion Log Manager?

Log Manager for Orion - Manage Centralized Event Logs | SolarWinds
Like (0)

Actions
- Re: Event Log Monitoring - Windows 2008
  
  kreases Aug 17, 2018 6:12 AM (in response to neomatrix1217)
  
  Unfortunately this tool doesn't do what we require, I just want to see a list of all the EventID - 4740 but clearly showing the account that was locked out and the caller computer name without the need to click on each event log entry that appears in the 4740 filter
  
  Like (0)
  
  Actions
  - Re: Event Log Monitoring - Windows 2008
    
    neomatrix1217 Aug 17, 2018 8:32 AM (in response to kreases)
    
    Actually, you could tag it in Orion log manager as I am doing below using a message contains 4648 statement. In the filter, I can tag this or send me an email alert as you can use any of the Orion alert functions.
    
    Like (0)
    
    Actions
    - Re: Event Log Monitoring - Windows 2008
      
      kreases Aug 17, 2018 9:49 AM (in response to neomatrix1217)
      
      It is easy to view a list of filtered eventids, that isn't the issue, in Windows 2003 the list of filtered events showed the account number and the caller computer name however the filtered list in the Windows 2008 event log doesn't show them until you click on each individual filtered event and there in is the problem which our Service Desk is trying to avoid.
      
      Like (0)
      
      Actions

Go to original post