LVasquez

Remote monitor of event logs.


We are migrating from Kaseya to CWA. I need help creating a remote monitor to check for logon failures. Currently we have a monitor in Kaseya that will fire an alert if there are >=300 logon failures an hour. Can anyone help create this in CWA?

I've currently created a remote monitor with the following. Would this accomplish what I am looking for? Thanks.

Check Action: System
Server Address: 127.0.0.1
Check Type: Event Check
Event Info: Security!!!4!!!*!!!4625!!!*
Condition: Greater Than/Equal
Interval: 3600
Result: 300


Did you ever get this figured out? Disclaimer: No Automate guru here. But I've recently been trying to do some custom monitoring of event logs and I think to accomplish what you're looking for you'll need to somehow get it to give you a count of the number of instances of event 4625. I reserve the right to be wrong though and I'll blame it on my ignorance.


I have not. Nor can I find good documentation on this. I have a ticket open with support.


@Brant @LVasquez

SELECT COUNT(*)        AS TestValue,      -- matching events per computer in the window
       c.name          AS IDentityField,
       c.Computerid    AS ComputerID,
       acd.NoAlerts,
       acd.UpTimeStart,
       acd.UpTimeEnd
FROM computers c
JOIN eventlogs e
  ON (e.computerid = c.`ComputerID`)
LEFT JOIN AgentComputerData acd
  ON (c.computerid = acd.computerid)
WHERE e.EventID IN (529, 644, 681, 4625)           -- pre-Vista failure/lockout IDs plus 4625
  AND (e.Message LIKE '%Logon Type:2%'             -- interactive (console)
    OR e.Message LIKE '%Logon Type:7%'             -- unlock
    OR e.Message LIKE '%Logon Type:10%')           -- RemoteInteractive (remote)
  AND TimeGen > (NOW() - INTERVAL 1 HOUR)          -- only events from the last hour
GROUP BY c.`ComputerID`
HAVING TestValue > 8                               -- alert threshold

This is a RAWSQL Internal Monitor. I have extensive documentation on how to set them up: https://gavsto.com/rawsql-help-and-tutorial-a-how-to-plus-an-internal-monitor-example-to-detect-hung-servers-and-run-custom-sql-in-labtech/

This focuses on just the logon types people give a shit about, remote, remoteinteractive, unlock and console.

The TestValue on the bottom line indicates the number to trigger it. 8 seems perfect in my testing. I run this hourly.

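The same counting logic as an added Python example (not code from this thread or from Automate): it applies the query's event ID, logon type and one-hour filters to a handful of constructed event rows and flags computers over the threshold. The messages are constructed to mimic the tab-separated "Logon Type:" line of a Windows 4625 event; how Automate stores Message in eventlogs is an assumption here, not something this example checks.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample rows with the fields the forum query reads from
# computers / eventlogs: (computerid, name, EventID, TimeGen, Message).
# Messages mimic the tab-separated "Logon Type:" line of a Windows 4625 event.
NOW = datetime(2019, 1, 1, 12, 0, 0)
FAIL = "An account failed to log on.\r\n\tLogon Type:\t\t\t{}\r\n"
SAMPLE_EVENTS = (
    [(1, "SRV01", 4625, NOW - timedelta(minutes=5 * i), FAIL.format(10))
     for i in range(9)]                                      # 9 RDP failures
    + [(1, "SRV01", 4625, NOW - timedelta(minutes=3), FAIL.format(3))]   # network logon: ignored
    + [(1, "SRV01", 4625, NOW - timedelta(hours=2), FAIL.format(10))]    # older than 1 hour: ignored
    + [(2, "WS07", 4625, NOW - timedelta(minutes=10 * i), FAIL.format(2))
       for i in range(3)]                                    # 3 console failures
    + [(2, "WS07", 4624, NOW - timedelta(minutes=1),
       "An account was successfully logged on.\r\n\tLogon Type:\t\t\t2\r\n")]  # success: ignored
)

FAILURE_EVENT_IDS = {529, 644, 681, 4625}   # the query's IN (...) list
INTERESTING_LOGON_TYPES = {2, 7, 10}        # console, unlock, RemoteInteractive
LOGON_TYPE_RE = re.compile(r"Logon Type:\s*(\d+)")


def logon_type(message):
    """Numeric Logon Type from the event text, or None if the field is absent."""
    m = LOGON_TYPE_RE.search(message)
    return int(m.group(1)) if m else None


def count_failures(events, now, window=timedelta(hours=1)):
    """Per-computer count of interesting failed logons with TimeGen > now - window,
    i.e. the query's WHERE clause and GROUP BY c.ComputerID."""
    counts, names = Counter(), {}
    for computerid, name, eventid, timegen, message in events:
        if eventid not in FAILURE_EVENT_IDS or timegen <= now - window:
            continue
        if logon_type(message) not in INTERESTING_LOGON_TYPES:
            continue
        counts[computerid] += 1
        names[computerid] = name
    return {cid: (names[cid], n) for cid, n in counts.items()}


def alerting_computers(events, now, threshold=8):
    """Computers whose count exceeds the threshold, the query's HAVING TestValue > 8."""
    return sorted((name, n) for name, n in count_failures(events, now).values()
                  if n > threshold)
```

Raising `threshold` to 299 gives the original poster's >=300-per-hour rule; the regex tolerates whatever whitespace sits between the label and the number.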
