We have a NATO5 rule called "User Account Lockout (Updated)" that you can configure to send you an email anytime a user locks himself out. You can also use the same logic to create a filter or nDepth search:
UserDisable.EventInfo = *Account Lock*
If you're not too familiar with LEM, here are some additional details:
- To enable a NATO5 rule, go to Build > Rules, click the NATO5 Rules folder, and then search for the rule using the search box. Clone is a gear-menu option, and it automatically opens the rule editor so you can select the recipients for the email.
- In the logic noted above, "UserDisable" is the alert, "EventInfo" is the field, and "Account Lock" is the search value with asterisks as wildcard characters.
- If you build a filter using that logic, you can send it to nDepth at any time to search for historical instances of that alert-value pair.
For additional information about these steps, see:
- SolarWinds Knowledge Base :: Cloning, Enabling, and Activating NATO5 Rules
- SolarWinds Knowledge Base :: Creating Filters for Real-time Monitoring in Your LEM Console
- SolarWinds Knowledge Base :: Sending Filters to nDepth for Historical Search
I hope this helps.
Thanks for the reply. I enabled the rule but I am not receiving email alerts. My user account is set to receive alerts... but I'm not receiving them.
There are a few possibilities for this one - the rule might not be firing at all, or if the rule IS firing, you might be missing the email active response tool.
Check out this KB: SolarWinds Knowledge Base :: Troubleshooting LEM Rules and Email Responses for all the details on troubleshooting this problem. The bottom of that KB has additional references, including: SolarWinds Knowledge Base :: How to Configure the Email Active Response Connector, which is the most commonly overlooked step in the process.