KS-Soft. Network Management Solutions

Login Failures and Attempts

 
gerald



Joined: 19 Oct 2006
Posts: 4

Posted: Fri Oct 20, 2006 7:46 am    Post subject: Login Failures and Attempts

I have a "successful logins" alert set up correctly and it lets me know when people log in to a particular Windows server, but when I create one for "login attempts/failures" and I purposely put in a wrong password on a server, it doesn't show up in my log. Just for the record, I was using Remote Desktop. The failure didn't show up in the server's local event log either, although successful logins do show up. The local event viewer has failure audit checkmarked. Any ideas why this isn't working?
gerald



Joined: 19 Oct 2006
Posts: 4

Posted: Fri Oct 20, 2006 8:07 am

I figured out what was wrong. I had to go into the server's local policy and enable failures. Success was already enabled.

Now I just need to figure out how to see what IP or computer tried to log in. Currently, only the username that was used is logged...
KS-Soft Europe



Joined: 16 May 2006
Posts: 2832

Posted: Fri Oct 20, 2006 8:37 am

gerald wrote:
I figured out what was wrong. I had to go into the server's local policy and enable failures. Success was already enabled.
Correct.

gerald wrote:
Now I just need to figure out how to see what IP or computer tried to log in. Currently, only the username that was used is logged...
Where do you want to see the IP address or computer name? In the Reply field? In the Reply field you are able to see the full description of the event. For security events, the description contains the information you need:
Code:
....
Workstation Name:   Some_Server_name
Caller User Name:   Some_Server_name$
Caller Domain:   Some_Domain
.....

You may use the %Reply% macro variable in your action profiles, e.g. to send such information to your email using the Send Email action.

There are several macro variables that make sense for the "NT Event Log" test only; they represent parameters of the last "Bad" event detected:
Code:
%NTEventSource%    Event source. Identifies the software that logged the event
%NTEventComp%    Name of the computer where the event occurred
%NTEventTime%    Time of the event
%NTEventType%    Type of the event
%NTEventID%    Event identifier
%NTEventText%    Event description
%NTEventUser%    Represents the user name if an event is attributed to a specific user


http://www.ks-soft.net/hostmon.eng/mframe.htm#actions.htm#macro

Regards,
Max
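
An added example, not part of the original thread and not KS-Soft code: a Python parser for event descriptions of the kind shown in the reply above (for instance text delivered through %NTEventText% or %Reply% by a Send Email action), which extracts the origin fields and counts failed logins per workstation. The sample descriptions, their values, the `User Name` field and all function names are constructed for illustration.

```python
from collections import Counter

# Constructed sample descriptions. Field names follow the excerpt in the post;
# all values, and the "User Name" field, are made up for this example.
SAMPLE_DESCRIPTIONS = [
    "Logon Failure:\n\tUser Name:\tadministrator\n"
    "\tWorkstation Name:\tWS-ACCT-01\n\tCaller User Name:\tSRV-TS-01$\n"
    "\tCaller Domain:\tEXAMPLE\n",
    "Logon Failure:\n\tUser Name:\tbackup\n"
    "\tWorkstation Name:\tWS-ACCT-01\n\tCaller User Name:\tSRV-TS-01$\n"
    "\tCaller Domain:\tEXAMPLE\n",
    "Logon Failure:\n\tUser Name:\tguest\n"
    "\tWorkstation Name:\t-\n\tCaller User Name:\tjsmith\n"
    "\tCaller Domain:\tEXAMPLE\n",
]


def parse_description(text):
    """Turn 'Name:   value' lines of an event description into a dict."""
    fields = {}
    for line in text.splitlines():
        # Split on the first colon only, so values such as times keep theirs.
        name, sep, value = line.partition(":")
        if sep and name.strip():
            fields.setdefault(name.strip(), value.strip())
    return fields


def failure_origin(fields):
    """Pick out where the attempt came from; '-' or a missing field means unknown."""
    workstation = fields.get("Workstation Name", "")
    caller = fields.get("Caller User Name", "")
    return {
        "workstation": workstation if workstation not in ("", "-") else "(not recorded)",
        "caller": caller,
        # Windows computer accounts end in '$', as in the post's excerpt.
        "caller_is_machine_account": caller.endswith("$"),
        "domain": fields.get("Caller Domain", ""),
    }


def failures_by_workstation(descriptions):
    """Count failed-logon descriptions per originating workstation."""
    return Counter(
        failure_origin(parse_description(d))["workstation"] for d in descriptions
    )


if __name__ == "__main__":
    for workstation, count in failures_by_workstation(SAMPLE_DESCRIPTIONS).most_common():
        print(f"{count:3d}  {workstation}")
```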
All times are GMT - 6 Hours