Jump to content
[[Template core/front/profile/profileHeader is throwing an error. This theme may be out of date. Run the support tool in the AdminCP to restore the default theme.]]

Community Reputation

1 Neutral

My Information

  • Agent Count
    1000 - 1500 Agents

Recent Profile Visitors

The recent visitors block is disabled and is not being shown to other users.

  1. The idea is to get a ticket when someone is added to an administrators group so we can figure out if it's good/bad/infection etc... Right now I just have an event log monitor that right now just looks for security event 4728 or 4732, User added to a global/local group and that works fine, I'm just trying to narrow it down a little to administrators/domain admins groups. Any thoughts on how to extract that info from the message so it only shows the administrators group? That info is in there. I tried adding additional conditions like "and eventlogs.message like ' Name:AdministratorsGroup'" but that wasn't it. So, this monitor: Gets this result: And in the message comes back with all the data from the event entry: A member was added to a security-enabled local group.Subject:Security ID:S-1-5-21-1111111-1111111-1111111-500Account Name:AdministratorAccount Domain:XXXXXXXXXLogon ID:0x3335FMember:Security ID:S-1-5-21-111111111-111111111-1111111111-1007Account Name:-Group:Security ID:S-1-5-32-544Group Name:AdministratorsGroup Domain:BuiltinAdditional Information:Privileges:- I just don't know enough SQL to ask it "after you narrow it down to these event IDs look to see if it also contains "Group Name:AdministratorsGroup" then continue on to fire the alert template. It's not the end of the world if it can't be narrowed down further, there isn't that many group changes once users are added, I was just trying to just get the important groups. Thanks -Joel
  2. I've attached a PDF I created for my guys when they would say there was a "false positive" for a server offline. I always hated that phrase, O.K., the server is running, but obviously there is some sort of issue that they need to look into, so there's nothing false about it. FalsePositives.pdf
  3. Darren, Thanks, I finally got around to trying this out and so far it looks like it's working. Better than my option of exporting the snmptraps table, changing the probe ID and adding back in. If anyone runs across this post looking for the same thing, I opened a feature request at https://product.connectwise.com/communities/5/topics/11400-add-exportimport-for-snmp-trap-receivers -Joel
  4. Any tips on the syntax of GROUP BY or COUNT() in the additional conditions box is appreciated. I was hoping the "EV-recurring critical >75 occurrences" would help but it's set up completely different.
  5. It seems like every month after approving patches (we approve them for our selves first for a week and then clients) we have a few machines that hang during the shutdown process. Sometimes the servers are up far enough still that the LT service is still up and checking in (these suck the most because we don't know about them) and sometimes we get server down alerts. It happens to both VMs and physical servers but the majority of our clients run VMs. It's hard to troubleshoot 1) because we need to get the servers up and 2) they're usually not in a position where you can log in and troubleshoot like "please wait, shutting down" Uptime is generally a month, since the last updates. I've thought about issuing restart commands either the day before patches, but it's not very consistent with who hangs or who doesn't. Does anyone else have these issues? Thanks, -Joel
  6. We are seeing the same thing and haven't been able to track down. It seems like if it's a physical server sometimes you can log on directly at the console. I'm also interested in what Joe.McCall uses for backups, we use Datto
  7. Yes, please re-share the script again please. Thanks!
  8. I used the "Maintenance Mode Start" script function. What is the directly inserting method, a SQL execute command?
  9. Perfect. Thanks guys. I didn't even think about my onsite techs using it. They'd probably be worse about it than the one admin I want to have use it. :-) -Joel
  10. What firewall is at the client's location? Could it be throwing your server's IP into a block list for 5 minutes because it thinks it's unusual traffic? Try adding an exception for your LT server.
  11. Does anyone know of a way I can allow a client to put their own server in maintenance mode? They send out email blasts several times a week and usually send in the ticket to "not reboot or do anything to our server tonight" at about 5:15 when the office is clearing out. Is there a way to allow them to put their own server in maintenance mode? I'm thinking an entry on the system tray icon or batch file/script and not providing them with a login to the control center. There used to be a way to disable some functions by adding a blank file to the LTSVC folder (ie:NOPERF), and there's a KB article about how that's now done with templates and files, but I don't see something to emulate maintenance mode. https://docs.labtechsoftware.com/LabTech2013/Default.htm#UsingLabTech/AgentFeatures/ChangingAgentDefaultBehavior.htm TIA, -Joel
  12. Hmm, I see what you mean. The "as admin" must just mean use the %computerusername% setting which is the admin account set on the location. Interesting. Thanks.
  13. I don't mean to argue, since I had to ask the question in the first place, but that is the account used when a script step is "shell a admin". I have that set but if a user is not logged in the script checks if %globalpassword% is set. I'm thinking it is looing for a global variable from the script, but who has the same user account and password across all clients? We have a recovery admin user but it's typically different passwords for each client.
  14. I'm looking over a script that checks to see if a user is logged in, if so jump, if not check if variable %ComputerPassword% is set. If not, exit, if it is then jump again to a line that runs "shell as %ComputerUserName%", and I don't know where that's set either. The script I'm looking at is the Crypto Locker Prevention Test. It looks like if a user is not logged in it will use a computer account but without knowing, I can't set it. Thanks. -Joel
×
×
  • Create New...