|
View previous topic :: View next topic |
Author |
Message |
gerald
Joined: 19 Oct 2006 Posts: 4
|
Posted: Fri Oct 20, 2006 7:46 am Post subject: Login Failures and Attempts |
|
|
I have a "successful logins" alert set up correctly and it lets me know when people log in to a particular windows server, but when I create one for "login attempts/failures" and I purposely put in a wrong password on a server, it doesn't show up in my log. Just for the record, I was using remote desktop. The failure didn't show up in the server's local event log either, although successful logins do show up. The local event viewer has failure audit checkmarked. Any ideas why this isn't working? |
|
Back to top |
|
|
gerald
Joined: 19 Oct 2006 Posts: 4
|
Posted: Fri Oct 20, 2006 8:07 am Post subject: |
|
|
I figured out what was wrong. I had to go into the server's local policy and enable failures. Success was already enabled.
Now I just need to figure out how to see what IP or computer tried to log in. Currently, only the username that was used is logged... |
|
Back to top |
|
|
KS-Soft Europe
Joined: 16 May 2006 Posts: 2832
|
Posted: Fri Oct 20, 2006 8:37 am Post subject: |
|
|
gerald wrote: | I figured out what was wrong. I had to go into the server's local policy and enable failures. Success was already enabled. | Correct.
gerald wrote: | Now I just need to figure out how to see what IP or computer tried to log in. Currently, only the username that was used is logged... | Where do you want to see IP address or computer name? In Reply field? In Reply field you are able to see full description for the event. For the security Events description contains the information you need:
Code: | ....
Workstation Name: Some_Server_name
Caller User Name: Some_Server_name$
Caller Domain: Some_Domain
..... |
You may use %Reply% macro variable in your action profiles, e.g. to send such information to your email using Send Email action.
There are several macro variables, those have sense for "NT Event Log" test only, they represent parameters of the last "Bad" event detected:
%NTEventSource% Event source. Identifies the software that logged the event
Code: | %NTEventComp% Name of the computer where the event occurred
%NTEventTime% Time of the event
%NTEventType% Type of the event
%NTEventID% Event identifier
%NTEventText% Event description
%NTEventUser% Represents the user name if an event is attributed to a specific user |
http://www.ks-soft.net/hostmon.eng/mframe.htm#actions.htm#macro
Regards,
Max |
|
Back to top |
|
|
|
|
You cannot post new topics in this forum You cannot reply to topics in this forum You cannot edit your posts in this forum You cannot delete your posts in this forum You cannot vote in polls in this forum
|
Powered by phpBB © 2001, 2005 phpBB Group
|