2 Replies Latest reply on May 9, 2011 12:57 PM by dross333

    Help with monitoring an account being locked out.



      I have one service account that keeps getting locked out.  We do not believe this to be an attack, but more of some incorrect internal settings.  I want to monitor  for an account lockout on one service account only.  How can this be done?  I am in the area of IPMonitor where I can add event log monitor, but now sure of the exact settings to get this to correctly work.




        • Re: Help with monitoring an account being locked out.

          Hello David,

          A user lockout event log entry typically looks like this:

          Event ID: 539
          Type: Failure Audit
          Description: Logon Failure:
                       Reason: Account locked out
                       User Name: %1              Domain: %2
                       Logon Type: %3             Logon Process: %4
                       Authentication Package: %5 Workstation Name: %6

          Having that said, you would likely use someting like the following values within Event Log Monitor:

          • Event Area: Security
          • Event Type: Security Audit Failure
          • Event ID: 539
          • Scenario #1: Regex Pattern \i(.*account locked out.*bob.*)

          ***Assuming 'bob' is the account you wish to watch.

          That should be all.

          Chris Foley | Support Specialist
          SolarWinds | IT Management, Inspired By You
          Support:866.530.8040 || Fax:512.857.0125