Reporting a single user account lockout

Ipswitch Forums

Home

Members

Calendar

Who's On

Welcome Guest ( Login | Register )

Reporting a single user account lockout

Rate Topic

Display Mode

Topic Options

Author

Message

windows admin

Posted 12/22/2008 4:39:44 PM

Junior Member

Group: Forum Members
Last Login: 4/14/2009 9:53:31 AM
Posts: 15, Visits: 40

I am trying to figure out how to send a alert to group A when one account locked out and to group B when a different account locks out. I do have wug to send out alerts when any account locked out I just can't figure out how to do it for serten accounts. For example:

When the user account "john" gets locked out send a alert to help desk A and When user account "Jane" gets locked out send a alert to help deck B.

Thanks.

Jonathan

Sys Admin

Post #49734

Will Sansbury

Posted 12/22/2008 5:01:41 PM

Member of the WhatsUp Gold team

Group: Administrators
Last Login: 8/3/2009 11:21:39 AM
Posts: 519, Visits: 1,116

Hey Jonathan. Can you post what you've got already?

__________________________________________________
Will Sansbury
Member of the WhatsUp Gold team
Twitter: @willsansbury

If you need help with anything, let me know!

NOTE: These WhatsUp Gold forums are closing! We've launched a new and improved user community that includes forums, a place to share and vote on feature requests, and a place to share and download custom scripts. Check it out at http://community.whatsupgold.com!

Post #49737

windows admin

Posted 12/22/2008 5:42:53 PM

Junior Member

Group: Forum Members
Last Login: 4/14/2009 9:53:31 AM
Posts: 15, Visits: 40

This is the e-mail I have setup. But it is for all users and not for a certen account:

%Device.Address=192.168.1.1

%PassiveMonitor.DisplayName=Account Locked Out

%PassiveMonitor.Payload.ComputerName=DC01

%PassiveMonitor.Payload.User=NT AUTHORITY\SYSTEM

%PassiveMonitor.Payload.Logfile=Security

%PassiveMonitor.Payload.Type=Audit Success

%PassiveMonitor.Payload.EventType=4

%PassiveMonitor.Payload.SourceName=Security

%PassiveMonitor.Payload.Category=7

%PassiveMonitor.Payload.CategoryString=Account Management

%PassiveMonitor.Payload.EventCode=644

%PassiveMonitor.Payload.EventID=644

%PassiveMonitor.Payload.TimeGenerated=20081222134622.000000-360

%PassiveMonitor.Payload.TimeWritten=20081222134622.000000-360

%PassiveMonitor.Payload.Message=User Account Locked Out:

Target Account Name: john

Target Account ID: domain/john

Caller Machine Name:

Caller User Name: DC01$

Caller Domain: domain

Caller Logon ID: (0x0,0x3E7)

%PassiveMonitor.Payload.LogicalSource=192.168.1.1

%PassiveMonitor.Payload.PhysicalSource= 192.16.1.1

%PassiveMonitor.Payload.EventType=Windows Event Log

Post #49741

curtishinson

Posted 6/12/2009 12:16:20 PM

Junior Member

Group: Forum Members
Last Login: 8/12/2009 3:48:02 PM
Posts: 18, Visits: 64

I'm doing this simply by having a Passive Monitor for all Windows Event Log traffic on the server, with a regex that filters for the Account Lockout event. It would be quite trivial to modify the regex to only match on certain users. I have the monitor action email out to my Helpdesk, so our techs automatically get a ticket whenever somebody gets locked out.

Post #53966

« Prev Topic | Next Topic »

Reading This Topic

Active Users: 0 (0 guests, 0 members, 0 anonymous members)

No members currently viewing this topic.

Forum Moderators: Dave, Mark Singh, kevin r gillis, Jason Benton, Christian Lawson, Brandon Felger, Tripp Allen, Will Sansbury, Jason Williams, Hush, FTPplanet.com, Hugh Garber, WUP-PM, mmulryan@ipswitch.com, mswimm

Permissions

All times are GMT -5:00, Time now is 6:34am