
LEM to monitor for Network Policy Server errors?

Currently, we use LEM heavily for identifying account lockouts/bad password attempts. I currently use this search in nDepth to find them: ( "Event Name" = UserLogonFailure ) AND ( DestinationAccount = <username> )

However, I'd ideally like to add the ability to show bad password attempts against our Network Policy Server. The above search finds the 4625 error on the Net. Policy server but I need the 6273 error to retrieve the MAC Address of the device locking the user's account out. Is this even possible to do with LEM? I have been going through both the rules and filters, and have not found a way to do this.

  • Figures, after I submitted this question I figured out the answer myself.

    In nDepth I created this search:

    ( "Event Name" = UserAuthAudit ) AND ( ( "Event Name" = UserAuthAudit ) AND ( EventInfo = "*Network Policy Server*" ) )

    Bam, done.
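
Added example, not part of the original thread: once the Network Policy Server events matched by that search are available as raw text, the account and device MAC can be pulled out of each event 6273 message, where the MAC normally appears as the Calling Station Identifier. The sample messages are constructed and abbreviated, and the function names are hypothetical.

```python
import re
from collections import Counter

def _sample(user, mac):
    # Constructed, abbreviated event 6273 body; not a real log entry.
    return ("Network Policy Server denied access to a user.\n"
            "User:\n"
            f"\tAccount Name:\t\t\t{user}\n"
            "Client Machine:\n"
            "\tAccount Name:\t\t\t-\n"
            "\tCalled Station Identifier:\t\t02-00-00-00-00-FF:CorpWiFi\n"
            f"\tCalling Station Identifier:\t\t{mac}\n"
            "Authentication Details:\n"
            "\tReason Code:\t\t\t16\n")

SAMPLE_EVENTS = [_sample("jdoe", "02-00-00-00-00-1A"),
                 _sample("JDOE", "02:00:00:00:00:1a"),
                 _sample("asmith", "02-00-00-00-00-2B")]

def parse_6273(message):
    """Return {section: {field: value}}. Sections matter because
    'Account Name' appears under both User and Client Machine."""
    sections, current = {}, None
    for line in message.splitlines():
        key, sep, value = line.strip().partition(":")
        if not sep:
            continue  # free-text line such as the opening sentence
        if not line[0].isspace() and not value.strip():
            current = sections.setdefault(key, {})  # header, e.g. "User:"
        elif current is not None and line[0].isspace():
            current[key.strip()] = value.strip()
    return sections

def normalize_mac(raw):
    """Canonicalise dash- or colon-separated MACs; leave anything else as-is."""
    if not re.fullmatch(r"(?:[0-9A-Fa-f]{2}[-:]?){5}[0-9A-Fa-f]{2}", raw):
        return raw
    digits = re.sub(r"[-:]", "", raw).upper()
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def lockout_sources(messages):
    """Count denied attempts per (account, client MAC)."""
    counts = Counter()
    for msg in messages:
        s = parse_6273(msg)
        user = s.get("User", {}).get("Account Name", "?").lower()
        mac = s.get("Client Machine", {}).get("Calling Station Identifier", "?")
        counts[(user, normalize_mac(mac))] += 1
    return counts

if __name__ == "__main__":
    for (user, mac), n in lockout_sources(SAMPLE_EVENTS).most_common():
        print(f"{user}\t{mac}\t{n} denied attempt(s)")
```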