Gino Castoldi_2

NT System Event Log question.

Hi,

Mgmt Server: ITO 5.39

We are running the Citrix Metaframe templates to monitor
NT System event logfiles.

We are monitoring for Login failures on each machine.
It works fine. However, we now need to define it so it only alarms when certain user accounts have login failures
(Administrator and other privileged accounts only).
They don't want to see when a non-priv user account has a login failure.

(System Event ID: 529)

Can this be done?

10 points to any answer.
Thank you Gino.

Accepted Solutions
Alan Deger

Re: NT System Event Log question.

I think it's possible but it would be a project. My best guess would be something like:

Catch the account that's failing the login in an ITO variable. Feed this as a positional parameter to an automatic action (which would have to be something powerful like Perl, which I know a snidge about). Using something like Perl (running on a Win32 machine), query whether the account is in a list of groups that have admin privileges (this might take some maintenance of at least a lookup or ini file). I know that this can be done with the "GroupIsMember" function of the Win32::NetAdmin module, but you could probably also do it with ADSI calls. Finally, send an opcmsg that is set up for notification if the account is a member of any of the admin groups.

Hope this helps,
ard
Gino Castoldi_2

Re: NT System Event Log question.

Hi Alan,

Thank you for the reply.

We do know what privileged user accounts we need to look for (2 exactly); the other user accounts' login failures would be suppressed.

How would we catch the two user accounts that have login failures?

10 points to any answer.
Thank you Gino.
Pioro Luc

Re: NT System Event Log question.

Hello,

Perhaps I am wrong but I think it is very easy to implement.

- The login message is intercepted by a condition from a template

- In the "pattern matching" area of the condition, you can do something like:

Imagine the login name is captured by

<*><*.login><*>

and let's say that you want message for user1 and user2.

Then, you can try

<*><[user1|user2].login>

You can get more information about sub-patterns in the ITO/VPO/OVO Concepts guide.


Luc.
Jesse Gardner

Re: NT System Event Log question.

The problem is that the user name is not stored anywhere in the event log message. (I'm monitoring the same things).

Gino, I don't have a solution for you. It's a tough request that will probably have a complex solution.

Jesse
Drew Dimmick

Re: NT System Event Log question.

Gino,

Absolutely this can be done.

The username is in the event; it's tricky to get it because of newlines and vertical tabs in the event text.

Here's the pattern match for the event, which takes the username and assigns it to a variable.

"User Name:\t<*.user><3*.junk>\t"


You can easily change this to simply match the username in two conditions. Others will be suppressed.

Drew

I do "Windows"
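The same filtering logic Drew and Luc describe, written out as an added Python example (not code from the thread or from ITO/OVO): the "User Name:" field is pulled out of the event description regardless of whether the field separators arrive as CR/LF or as vertical tabs, and an alarm is raised only when the account is on a privileged-account list. The event descriptions and the account names are constructed for illustration in the shape of an NT 4.0 Security event 529 and are not taken from any real system; the `PRIVILEGED_ACCOUNTS` list stands in for the two accounts Gino mentions.

```python
import re
from typing import Optional, Iterable, List, Tuple

# Constructed sample descriptions (not real logs) in the shape of an NT 4.0
# Security event 529 "Logon Failure". The first uses CR/LF + tab separators as
# the raw event does; the others use the vertical tabs Drew mentions seeing in
# the text the agent matches against.
SAMPLE_EVENTS = [
    ("Logon Failure:\r\n\tReason:\t\tUnknown user name or bad password\r\n"
     "\tUser Name:\tAdministrator\r\n\tDomain:\t\tCORP\r\n\tLogon Type:\t3\r\n"
     "\tLogon Process:\tKSecDD\r\n\tWorkstation Name:\tWS01"),
    ("Logon Failure:\v\tReason:\t\tUnknown user name or bad password\v"
     "\tUser Name:\tjsmith\v\tDomain:\t\tCORP\v\tLogon Type:\t2\v"
     "\tLogon Process:\tUser32\v\tWorkstation Name:\tWS02"),
    ("Logon Failure:\v\tReason:\t\tAccount currently disabled\v"
     "\tUser Name:\tBACKUP_SVC\v\tDomain:\t\tCORP\v\tLogon Type:\t3\v"
     "\tLogon Process:\tKSecDD\v\tWorkstation Name:\tSRV07"),
]

# Hypothetical privileged accounts whose failed logons must alarm. Stored in
# casefolded form because NT account names are not case sensitive, so
# "ADMINISTRATOR" and "Administrator" must be treated as the same account.
PRIVILEGED_ACCOUNTS = frozenset({"administrator", "backup_svc"})

# "User Name:" then one tab, then the account, terminated by the next tab,
# CR, LF or vertical tab. Same idea as the ITO pattern
# "User Name:\t<*.user><3*.junk>\t", but tolerant of either separator style.
USER_NAME_RE = re.compile(r"User Name:\t([^\t\r\n\v]+)")


def extract_user_name(description: str) -> Optional[str]:
    """Return the account named in the event, or None if the field is absent."""
    m = USER_NAME_RE.search(description)
    return m.group(1) if m else None


def should_alert(description: str, privileged=PRIVILEGED_ACCOUNTS) -> bool:
    """True when the failing account is privileged or cannot be determined."""
    user = extract_user_name(description)
    # Fail closed: an event whose account cannot be parsed is surfaced rather
    # than silently suppressed, so a format change does not hide privileged
    # account failures.
    if user is None:
        return True
    return user.casefold() in privileged


def triage(events: Iterable[str], privileged=PRIVILEGED_ACCOUNTS) -> List[Tuple[Optional[str], bool]]:
    """Return (account, alerted) for each event, in input order."""
    return [(extract_user_name(e), should_alert(e, privileged)) for e in events]


if __name__ == "__main__":
    for user, alerted in triage(SAMPLE_EVENTS):
        print(f"{str(user):16} -> {'ALERT' if alerted else 'suppress'}")
```

The two-condition approach Drew suggests (one matching condition per privileged account, everything else suppressed) corresponds to the `should_alert` check; the fail-closed branch is the one thing a plain pattern match does not give you, since an event whose text no longer matches the pattern is simply not caught.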