LVasquez

Remote monitor of event logs.


We are migrating from Kaseya to CWA. I need help creating a remote monitor to check for logon failures. Currently we have a monitor in Kaseya that will fire an alert if there are >=300 logon failures an hour. Can anyone help create this in CWA?

I've currently created a remote monitor with the following. Would this accomplish what I am looking for? Thanks.

Check Action: System
Server Address: 127.0.0.1
Check Type: Event Check
Event Info: Security!!!4!!!*!!!4625!!!*
Condition: Greater Than/Equal
Interval: 3600
Result: 300


Did you ever get this figured out? Disclaimer: No Automate guru here. But I've recently been trying to do some custom monitoring of event logs, and I think to accomplish what you're looking for you'll need to somehow get it to give you a count of the number of instances of event 4625. I reserve the right to be wrong though, and I'll blame it on my ignorance.


@Brant @LVasquez

SELECT COUNT(*)      AS TestValue,       -- failed logons per computer in the window
       c.name        AS IDentityField,
       c.ComputerID  AS ComputerID,
       acd.NoAlerts,
       acd.UpTimeStart,
       acd.UpTimeEnd
FROM computers c
JOIN eventlogs e
  ON (e.computerid = c.ComputerID)
LEFT JOIN AgentComputerData acd
  ON (c.computerid = acd.computerid)
WHERE e.EventID IN (529, 644, 681, 4625)            -- legacy (pre-Vista) and current failed-logon event IDs
  AND (e.Message LIKE '%Logon Type:2%'              -- Interactive (console)
    OR e.Message LIKE '%Logon Type:7%'              -- Unlock
    OR e.Message LIKE '%Logon Type:10%')            -- RemoteInteractive (RDP)
  AND e.TimeGen > (NOW() - INTERVAL 1 HOUR)         -- only the last hour
GROUP BY c.ComputerID
HAVING TestValue > 8                                -- alert threshold

This is a RAWSQL Internal Monitor. I have extensive documentation on how to set them up: https://gavsto.com/rawsql-help-and-tutorial-a-how-to-plus-an-internal-monitor-example-to-detect-hung-servers-and-run-custom-sql-in-labtech/

This focuses on just the logon types people give a shit about, remote, remoteinteractive, unlock and console.

The TestValue on the bottom line indicates the number to trigger it. 8 seems perfect in my testing. I run this hourly.

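Added example, not code from the thread: the same per-computer count-and-threshold logic as the RAWSQL monitor above, run in Python over constructed rows that mirror the eventlogs columns the query uses (ComputerID, EventID, TimeGen, Message). It generalizes the LIKE patterns with a regex that tolerates the tab run Windows puts between "Logon Type:" and the number; all names and sample data are invented.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

FAILED_LOGON_IDS = {529, 644, 681, 4625}     # legacy and current failed-logon event IDs
INTERESTING_LOGON_TYPES = {"2", "7", "10"}    # console, unlock, RemoteInteractive (RDP)

# Real 4625 messages read "Logon Type:\t\t\t10"; \s* absorbs that whitespace.
LOGON_TYPE_RE = re.compile(r"Logon Type:\s*(\d+)")

def failed_logons_per_computer(rows, now, window=timedelta(hours=1)):
    """Count qualifying failed logons per ComputerID within `window` before `now`."""
    since = now - window
    counts = defaultdict(int)
    for row in rows:
        if row["EventID"] not in FAILED_LOGON_IDS or row["TimeGen"] <= since:
            continue
        m = LOGON_TYPE_RE.search(row["Message"])
        if m and m.group(1) in INTERESTING_LOGON_TYPES:
            counts[row["ComputerID"]] += 1
    return dict(counts)

def computers_over_threshold(rows, now, threshold=8):
    """Mirror of the HAVING TestValue > threshold clause: computers that should alert."""
    return {cid: n for cid, n in failed_logons_per_computer(rows, now).items() if n > threshold}

def make_row(cid, eid, minutes_ago, logon_type, now):
    """Build one constructed eventlogs-style row (hypothetical data)."""
    return {"ComputerID": cid, "EventID": eid,
            "TimeGen": now - timedelta(minutes=minutes_ago),
            "Message": f"An account failed to log on.\r\n\r\n\tLogon Type:\t\t\t{logon_type}\r\n"}

NOW = datetime(2024, 1, 1, 12, 0, 0)
SAMPLE_ROWS = (
    [make_row(101, 4625, m, 10, NOW) for m in range(2, 22, 2)]   # 10 RDP failures in the last hour
    + [make_row(102, 4625, m, 3, NOW) for m in range(1, 41, 2)]  # 20 network (type 3) failures: ignored
    + [make_row(103, 4625, 90, 2, NOW) for _ in range(30)]       # 30 console failures, but 90 minutes old
    + [make_row(104, 4625, 5, 7, NOW) for _ in range(8)]         # exactly 8 unlock failures: not > 8
)

if __name__ == "__main__":
    print(computers_over_threshold(SAMPLE_ROWS, NOW))  # {101: 10}
```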
