Login Failures and Attempts

gerald
Posts: 4
Joined: Thu Oct 19, 2006 2:39 pm

Post by gerald »

I have a "successful logins" alert set up correctly and it lets me know when people log in to a particular Windows server, but when I create one for "login attempts/failures" and I purposely put in a wrong password on a server, it doesn't show up in my log. Just for the record, I was using Remote Desktop. The failure didn't show up in the server's local event log either, although successful logins do show up. The local event viewer has failure audit checkmarked. Any ideas why this isn't working?
gerald
Posts: 4
Joined: Thu Oct 19, 2006 2:39 pm

Post by gerald »

I figured out what was wrong. I had to go into the server's local policy and enable failures. Success was already enabled.

Now I just need to figure out how to see what IP or computer tried to log in. Currently, only the username that was used is logged...
KS-Soft Europe
Posts: 2832
Joined: Tue May 16, 2006 4:41 am

Post by KS-Soft Europe »

gerald wrote: I figured out what was wrong. I had to go into the server's local policy and enable failures. Success was already enabled.
Correct.
gerald wrote: Now I just need to figure out how to see what IP or computer tried to log in. Currently, only the username that was used is logged...
Where do you want to see the IP address or computer name? In the Reply field? In the Reply field you are able to see the full description of the event. For security events, the description contains the information you need:

....
Workstation Name:	Some_Server_name
Caller User Name:	Some_Server_name$
Caller Domain:	Some_Domain
.....
You may use the %Reply% macro variable in your action profiles, e.g. to send such information to your email using the Send Email action.

There are several macro variables that make sense for the "NT Event Log" test only; they represent parameters of the last "Bad" event detected:

%NTEventSource% 	Event source. Identifies the software that logged the event
%NTEventComp% 	Name of the computer where the event occurred
%NTEventTime% 	Time of the event
%NTEventType% 	Type of the event
%NTEventID% 	Event identifier
%NTEventText% 	Event description
%NTEventUser% 	Represents the user name if an event is attributed to a specific user
http://www.ks-soft.net/hostmon.eng/mfra ... .htm#macro

Regards,
Max
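
One way to pull the origin of a failed logon out of the event description text quoted in the reply above, and to tally failures per source. This is an added example, not code from KS-Soft or HostMonitor. The sample descriptions are constructed, and the "User Name" and "Source Network Address" labels are assumptions; only "Workstation Name", "Caller User Name" and "Caller Domain" appear in the excerpt.

```python
from collections import Counter

# Constructed descriptions in the "Label:<tab>value" layout shown in the thread.
# Assumed labels (not in the excerpt): "User Name", "Source Network Address".
SAMPLE_EVENTS = [
    "Logon Failure:\n\tReason:\tUnknown user name or bad password\n"
    "\tUser Name:\tadministrator\n\tWorkstation Name:\tWKS-07\n"
    "\tCaller User Name:\tSRV01$\n\tCaller Domain:\tEXAMPLE\n"
    "\tSource Network Address:\t192.0.2.15\n",
    "Logon Failure:\r\n\tUser Name:\tadministrator\r\n"
    "\tWorkstation Name:\tWKS-07\r\n\tSource Network Address:\t192.0.2.15\r\n",
    # No usable address recorded: fall back to the workstation name.
    "Logon Failure:\n\tUser Name:\tbackup\n\tWorkstation Name:\tWKS-09\n"
    "\tSource Network Address:\t-\n",
]

def parse_description(text):
    """Return {label: value} for each 'Label: value' line of a description."""
    fields = {}
    for line in text.splitlines():
        label, sep, value = line.partition(":")  # split on the first colon only
        if sep and label.strip():
            fields.setdefault(label.strip(), value.strip())  # keep first occurrence
    return fields

def logon_source(fields):
    """Prefer the network address, then the workstation name."""
    for key in ("Source Network Address", "Workstation Name"):
        value = fields.get(key, "")
        if value and value != "-":
            return value
    return "unknown"

def failures_by_source(descriptions):
    """Count failed-logon descriptions per (source, attempted user name)."""
    counts = Counter()
    for text in descriptions:
        fields = parse_description(text)
        counts[(logon_source(fields), fields.get("User Name", "unknown"))] += 1
    return counts

if __name__ == "__main__":
    for (source, user), n in failures_by_source(SAMPLE_EVENTS).most_common():
        print(f"{n} failed logon(s) for '{user}' from {source}")
```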