I have an Event Log test looking for the following properties:
"BAD" event can be from : Any computer
Event type : Any
Event ID : 539
Description contains : All strings from list "Logon Failure" and "locked out".
The notification settings include sending the following variables : %datetime%, %testname%, %NTEventID%, %NTEventSource%, %NTEventUser% and %reply%.
I will get some notices that do not have "Logon failure" and "locked out" in the reply - it just has "reply: 0ms".
Also when this happens the status of this test shows "Unknown" even though I have "treat Unknown status as Bad" selected.
I am using HM version 3.69 on a Win2KSP3 machine.
Event log test properties - not all conditions followed?
>I will get some notices that do not have "Logon failure" and "locked out" in the reply - it just has "reply: 0ms".
The %Reply% macro variable represents the value of the "Reply" field. If you want to see the event description, use the %NTEventText% macro instead.
Of course you can use the "Show event description in Reply field" option (located on the Miscellaneous page in the Options dialog), and probably you are using this option. But in action profiles it is better to use the %NTEventText% macro anyway.
>Also when this happens the status of this test shows "Unknown" even though I have "treat Unknown status as Bad" selected.
This option does not change "Unknown" status to "Bad". Here is a quote from the manual:
---------------------
Treat Unknown status as Bad
With this option enabled, if test results cannot be obtained, actions are triggered by HostMonitor the same way as if the test returned a "Bad" status.
---------------------
So, nothing wrong with this.
But another thing looks strange to me: as I understand sometimes test has "Unknown" status and non-empty Reply field? It's possible only in case HostMonitor successfully opened Event Log but for some reason cannot read record(s).
Do you check local or remote system? If you check remote system, is it located in the same domain? Do you use dial-up connection? Does this happen often? Probably we can create some testing program to see what's happening.
Regards
Alex
But another thing looks strange to me: as I understand sometimes test has "Unknown" status and non-empty Reply field?
-- Yes the reply field will show a time ("5ms" for example).
-- It looks like substituting %NTEventText% for %Reply% (yes I was using show description in reply) took care of the problem! I'll know for sure tomorrow and will post the result here either way.
Do you check local or remote system? If you check remote system, is it located in the same domain? Do you use dial-up connection?
-- this system is local, same domain, LAN.
Does this happen often?
-- It would happen probably 90% (heck maybe 100%, I didn't look that close) of the time a "proper" account lockout notice would come out.
As always, thanks Alex!