3 Replies Latest reply on Mar 24, 2014 4:42 PM by curtisi

    Rule for failed logon


      I see a failed logon in LEM, but I can't get this Rule to work. I want it to send me an email when a logon fails. Do you see any problems with this rule:



        • Re: Rule for failed logon

          First, I notice the Activate Rules button is illuminated.  Have you saved the rule and clicked activate rules?


          Second, failed logins should always come in under the UserLogonFailure event.  Your "OR" statement is still fine (if maybe unnecessary) but I think it'll cause some issues with the e-mails you get.  The e-mail will be populated with fields from a UserLogon event, but if the triggering event is a UserLogonFailure, those fields go nowhere.


          [Screenshot: 2014-03-24 07_50_48-Clipboard.png]

          You probably only need to trigger off UserLogonFailures, and if you don't care which users, you don't even need the sub-field.


          You might try something like this:


          [Screenshot: 2014-03-24 08_02_03-SolarWinds Log and Event Manager Console.png]

          This would at least cut down on some e-mails when someone fat-fingers a password and then logs in successfully.  Or you might get really tricky and try this:

          [Screenshot: 2014-03-24 08_01_43-SolarWinds Log and Event Manager Console.png]

          Which would trigger every time an Admin account failed (assuming you keep the Admin Accounts User Defined Group up-to-date) even if they log in successfully afterwards.
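
The correlation logic this reply describes, as an added example that is not part of the original thread and is not SolarWinds LEM code: trigger only on UserLogonFailure events, alert on a per-user failure threshold, and alert at once for admin accounts. The threshold, window, account names and sample events are constructed assumptions, since the thread's screenshots are not reproduced here.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed values; the real settings were in screenshots that are not available.
THRESHOLD = 3                      # failures per user before an e-mail is sent
WINDOW = timedelta(minutes=5)      # time span the failures must fall within
ADMIN_ACCOUNTS = {"administrator", "svc-backup"}  # stand-in for the "Admin Accounts" group

def correlate(events):
    """Return (time, user, reason) alerts for a time-ordered event stream."""
    recent = defaultdict(deque)    # user -> failure timestamps still inside WINDOW
    alerts = []
    for ts, event_type, user in events:
        # Trigger on failures only, so every alert field comes from the
        # failure event itself and none is left empty in the e-mail.
        if event_type != "UserLogonFailure":
            continue
        key = user.lower()
        if key in ADMIN_ACCOUNTS:
            # Admin accounts alert on every failure, even if a logon follows.
            alerts.append((ts, user, "admin account failure"))
            continue
        failures = recent[key]
        failures.append(ts)
        while ts - failures[0] > WINDOW:   # drop failures that aged out
            failures.popleft()
        if len(failures) >= THRESHOLD:
            alerts.append((ts, user, "threshold reached"))
            failures.clear()               # one e-mail per burst
    return alerts

def at(clock):
    return datetime.strptime("2014-03-24 " + clock, "%Y-%m-%d %H:%M:%S")

# Constructed sample events: (timestamp, event type, user).
SAMPLE_EVENTS = [
    (at("08:00:00"), "UserLogonFailure", "jsmith"),         # single typo
    (at("08:00:10"), "UserLogon", "jsmith"),                # then success: no alert
    (at("08:10:00"), "UserLogonFailure", "Administrator"),  # admin: alert at once
    (at("08:10:05"), "UserLogon", "Administrator"),
    (at("09:00:00"), "UserLogonFailure", "bjones"),
    (at("09:00:20"), "UserLogonFailure", "bjones"),
    (at("09:00:40"), "UserLogonFailure", "bjones"),         # third in window: alert
    (at("09:30:00"), "UserLogonFailure", "jsmith"),         # earlier failure aged out
]

if __name__ == "__main__":
    for ts, user, reason in correlate(SAMPLE_EVENTS):
        print(ts, user, reason)
```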

            • Re: Rule for failed logon

              Hello, thank you for your replies. I've updated the Correlations to the screenshot below. However, I tested it and am still not getting emails. I went to our email settings and had SolarWinds send me a test email to make sure I typed my email address correctly; that worked. Any ideas why I don't get an email with this rule active and a failed login on the monitor?