OmahaMCSE

Members
  • Content Count: 21
  • Community Reputation: 1 Neutral
  • Agent Count: 1000 - 1500 Agents

  1. Thanks Joe, that's what I needed.
  2. The idea is to get a ticket when someone is added to an administrators group so we can figure out if it's good/bad/infection etc... Right now I just have an event log monitor that looks for security event 4728 or 4732, User added to a global/local group, and that works fine; I'm just trying to narrow it down a little to the administrators/domain admins groups. Any thoughts on how to extract that info from the message so it only shows the administrators group? That info is in there. I tried adding additional conditions like "and eventlogs.message like ' Name:AdministratorsGroup'" but that wasn't it.

     So, this monitor: Gets this result: And in the message comes back with all the data from the event entry:

     A member was added to a security-enabled local group.
     Subject:
       Security ID: S-1-5-21-1111111-1111111-1111111-500
       Account Name: Administrator
       Account Domain: XXXXXXXXX
       Logon ID: 0x3335F
     Member:
       Security ID: S-1-5-21-111111111-111111111-1111111111-1007
       Account Name: -
     Group:
       Security ID: S-1-5-32-544
       Group Name: Administrators
       Group Domain: Builtin
     Additional Information:
       Privileges: -

     I just don't know enough SQL to ask it "after you narrow it down to these event IDs, look to see if it also contains 'Group Name: Administrators', then continue on to fire the alert template." It's not the end of the world if it can't be narrowed down further; there aren't that many group changes once users are added, I was just trying to get the important groups. Thanks -Joel
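The narrowing asked for above, written out as detection logic. This is an added example, not code from the post or from ConnectWise/LabTech: it assumes the 4728/4732 message has the standard multi-line Windows layout (the post's copy only lost its line breaks), the sample message is constructed with the same placeholder SIDs, and the function names are mine. It matches on the group SID rather than the group name, so a renamed Administrators group still triggers.

```python
import re

# Event IDs from the post: 4728 = member added to a global group,
# 4732 = member added to a local group.
GROUP_MEMBER_ADDED_EVENTS = {4728, 4732}

# SIDs worth a ticket. S-1-5-32-544 (BUILTIN\Administrators) is the one in the
# post; 512/518/519 are the standard RIDs of Domain/Schema/Enterprise Admins.
PRIVILEGED_BUILTIN_SIDS = {"S-1-5-32-544"}
PRIVILEGED_DOMAIN_RIDS = {"512", "518", "519"}

# Section headers sit alone on a line in the normal Windows message layout
# (assumption: the post's copy only lost its line breaks).
SECTION_RE = re.compile(r"^(Subject|Member|Group|Additional Information):[ \t]*$", re.M)


def parse_group_event(message):
    """Return {section: {field: value}} for each section of a 4728/4732 message."""
    parts = SECTION_RE.split(message)  # [preamble, name, body, name, body, ...]
    sections = {}
    for name, body in zip(parts[1::2], parts[2::2]):
        fields = {}
        for line in body.splitlines():
            if ":" in line:
                key, _, value = line.partition(":")
                fields[key.strip()] = value.strip()
        sections[name] = fields
    return sections


def is_privileged_group_change(event_id, message):
    """True when a 4728/4732 event adds a member to a privileged group (by SID)."""
    if event_id not in GROUP_MEMBER_ADDED_EVENTS:
        return False
    sid = parse_group_event(message).get("Group", {}).get("Security ID", "")
    if sid in PRIVILEGED_BUILTIN_SIDS:
        return True
    # Domain groups look like S-1-5-21-<domain>-<RID>; only the trailing RID matters.
    return sid.startswith("S-1-5-21-") and sid.rsplit("-", 1)[-1] in PRIVILEGED_DOMAIN_RIDS


# Constructed sample in the post's layout (placeholder SIDs, as in the post).
SAMPLE_4732 = (
    "A member was added to a security-enabled local group.\n\n"
    "Subject:\n\tSecurity ID:\t\tS-1-5-21-1111111-1111111-1111111-500\n"
    "\tAccount Name:\t\tAdministrator\n\tAccount Domain:\t\tXXXXXXXXX\n\tLogon ID:\t\t0x3335F\n\n"
    "Member:\n\tSecurity ID:\t\tS-1-5-21-111111111-111111111-1111111111-1007\n\tAccount Name:\t\t-\n\n"
    "Group:\n\tSecurity ID:\t\tS-1-5-32-544\n\tGroup Name:\t\tAdministrators\n\tGroup Domain:\t\tBuiltin\n\n"
    "Additional Information:\n\tPrivileges:\t\t-\n"
)
```

Inside the monitor's additional-conditions box the same SID test is a plain substring match, e.g. `and eventlogs.message like '%S-1-5-32-544%'` (assuming `eventlogs.message` is the column named in the post).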
  3. I've attached a PDF I created for my guys when they would say there was a "false positive" for a server offline. I always hated that phrase, O.K., the server is running, but obviously there is some sort of issue that they need to look into, so there's nothing false about it. FalsePositives.pdf
  4. OmahaMCSE

    Clone Syslog and SNMP Trap Filters from another Probe

    Darren, Thanks, I finally got around to trying this out and so far it looks like it's working. Better than my option of exporting the snmptraps table, changing the probe ID and adding back in. If anyone runs across this post looking for the same thing, I opened a feature request at https://product.connectwise.com/communities/5/topics/11400-add-exportimport-for-snmp-trap-receivers -Joel
  5. OmahaMCSE

    EV - Failed Logins* - making it usable?

    Any tips on the syntax of GROUP BY or COUNT() in the additional conditions box are appreciated. I was hoping the "EV-recurring critical >75 occurrences" would help, but it's set up completely differently.
  6. It seems like every month after approving patches (we approve them for ourselves first for a week and then for clients) we have a few machines that hang during the shutdown process. Sometimes the servers are up far enough still that the LT service is still up and checking in (these suck the most because we don't know about them), and sometimes we get server down alerts. It happens to both VMs and physical servers, but the majority of our clients run VMs. It's hard to troubleshoot 1) because we need to get the servers up and 2) they're usually not in a position where you can log in and troubleshoot, like "please wait, shutting down". Uptime is generally a month, since the last updates. I've thought about issuing restart commands the day before patches, but it's not very consistent with who hangs or who doesn't. Does anyone else have these issues? Thanks, -Joel
  7. OmahaMCSE

    Servers going unresponsive

    We are seeing the same thing and haven't been able to track it down. It seems like if it's a physical server, sometimes you can log on directly at the console. I'm also interested in what Joe.McCall uses for backups; we use Datto.
  8. OmahaMCSE

    HIPAA & PCI auditing

    Yes, please re-share the script again please. Thanks!
  9. I used the "Maintenance Mode Start" script function. What is the directly inserting method, a SQL execute command?
  10. Perfect. Thanks guys. I didn't even think about my onsite techs using it. They'd probably be worse about it than the one admin I want to have use it. :-) -Joel
  11. OmahaMCSE

    Agent going offline/online

    What firewall is at the client's location? Could it be throwing your server's IP into a block list for 5 minutes because it thinks it's unusual traffic? Try adding an exception for your LT server.
  12. Does anyone know of a way I can allow a client to put their own server in maintenance mode? They send out email blasts several times a week and usually send in the ticket to "not reboot or do anything to our server tonight" at about 5:15 when the office is clearing out. Is there a way to allow them to put their own server in maintenance mode? I'm thinking an entry on the system tray icon or a batch file/script, and not providing them with a login to the control center. There used to be a way to disable some functions by adding a blank file to the LTSVC folder (i.e. NOPERF), and there's a KB article about how that's now done with templates and files, but I don't see something to emulate maintenance mode. https://docs.labtechsoftware.com/LabTech2013/Default.htm#UsingLabTech/AgentFeatures/ChangingAgentDefaultBehavior.htm TIA, -Joel
  13. OmahaMCSE

    Where is %computerpassword% set?

    Hmm, I see what you mean. The "as admin" must just mean use the %computerusername% setting which is the admin account set on the location. Interesting. Thanks.
  14. OmahaMCSE

    Where is %computerpassword% set?

    I don't mean to argue, since I had to ask the question in the first place, but that is the account used when a script step is "shell as admin". I have that set, but if a user is not logged in the script checks if %globalpassword% is set. I'm thinking it is looking for a global variable from the script, but who has the same user account and password across all clients? We have a recovery admin user, but it's typically a different password for each client.
  15. I'm looking over a script that checks to see if a user is logged in, if so jump, if not check if variable %ComputerPassword% is set. If not, exit, if it is then jump again to a line that runs "shell as %ComputerUserName%", and I don't know where that's set either. The script I'm looking at is the Crypto Locker Prevention Test. It looks like if a user is not logged in it will use a computer account but without knowing, I can't set it. Thanks. -Joel