Davelum
Joined: 13 Feb 2003 Posts: 11 Location: Oregon, USA
Posted: Wed Apr 09, 2003 8:04 am Post subject: |
I have an Event Log test looking for the following properties:
"BAD" event can be from : Any computer
Event type : Any
Event ID : 539
Description contains : All strings from list "Logon Failure" and "locked out".
The notification settings include sending the following variables: %datetime%, %testname%, %NTEventID%, %NTEventSource%, %NTEventUser% and %reply%.
I will get some notices that do not have "Logon failure" and "locked out" in the reply - it just has "reply: 0ms".
Also when this happens the status of this test shows "Unknown" even though I have "treat Unknown status as Bad" selected.
I am using HM version 3.69 on a Win2KSP3 machine.
KS-Soft
Joined: 03 Apr 2002 Posts: 12806 Location: USA
Posted: Wed Apr 09, 2003 12:17 pm Post subject: |
>I will get some notices that do not have "Logon failure" and "locked out" in the reply - it just has "reply: 0ms".
The %Reply% macro variable represents the value of the "Reply" field. If you want to see the event description, use the %NTEventText% macro instead.
Of course you can use the "Show event description in Reply field" option (located on the Miscellaneous page in the Options dialog), and probably you are using this option. But in action profiles it is better to use the %NTEventText% macro anyway.
>Also when this happens the status of this test shows "Unknown" even though I have "treat Unknown status as Bad" selected.
This option does not replace "Unknown" status with "Bad". Here is a quote from the manual:
---------------------
Treat Unknown status as Bad
With this option enabled, if test results cannot be obtained, actions are triggered by HostMonitor the same way as if the test returned a "Bad" status.
---------------------
So, there is nothing wrong with this.
But another thing looks strange to me: as I understand it, sometimes the test has "Unknown" status and a non-empty Reply field? It's possible only if HostMonitor successfully opened the Event Log but for some reason cannot read the record(s).
Do you check a local or remote system? If you check a remote system, is it located in the same domain? Do you use a dial-up connection? Does this happen often? Probably we can create some testing program to see what's happening.
Regards
Alex
Davelum
Joined: 13 Feb 2003 Posts: 11 Location: Oregon, USA
Posted: Wed Apr 09, 2003 12:49 pm Post subject: |
But another thing looks strange to me: as I understand sometimes test has "Unknown" status and non-empty Reply field?
-- Yes, the reply field will show a time ("5ms" for example).
-- It looks like substituting %NTEventText% for %Reply% (yes, I was using show description in reply) took care of the problem! I'll know for sure tomorrow and will post the result here either way.
Do you check local or remote system? If you check remote system, is it located in the same domain? Do you use dial-up connection?
-- this system is local, same domain, LAN.
Does this happen often?
-- It would happen probably 90% (heck maybe 100%, I didn't look that close) of the time a "proper" account lockout notice would come out.
As always, thanks Alex!
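
A small model of the behaviour discussed in this thread, added here as an example; it is not HostMonitor code and was not posted by either participant. It filters constructed event records the way the test is configured (Event ID 539, description containing all listed strings) and expands two notification templates, one using %reply% and one using %NTEventText%. The record fields, sample events, timestamp, case-insensitive matching and template layout are assumptions.

```python
import re

# Constructed sample records; field names are hypothetical, not HostMonitor's.
EVENTS = [
    {"id": 539, "source": "Security", "user": "NT AUTHORITY\\SYSTEM",
     "text": "Logon Failure: Reason: Account locked out. User Name: jdoe"},
    {"id": 529, "source": "Security", "user": "NT AUTHORITY\\SYSTEM",
     "text": "Logon Failure: Reason: Unknown user name or bad password"},
    {"id": 539, "source": "Security", "user": "NT AUTHORITY\\SYSTEM",
     "text": "Logon Failure: Reason: Account locked out. User Name: asmith"},
]

def is_bad(event, event_id=539, required=("Logon Failure", "locked out")):
    """'Bad' when the ID matches and the description contains ALL strings.
    Case-insensitive matching is an assumption of this sketch."""
    text = event["text"].lower()
    return event["id"] == event_id and all(s.lower() in text for s in required)

def expand(template, event, testname, reply, when):
    """Replace %name% macros; unknown macros are left untouched."""
    values = {
        "datetime": when, "testname": testname, "reply": reply,
        "nteventid": str(event["id"]), "nteventsource": event["source"],
        "nteventuser": event["user"], "nteventtext": event["text"],
    }
    return re.sub(r"%(\w+)%",
                  lambda m: values.get(m.group(1).lower(), m.group(0)),
                  template)

def alerts(template, reply="0ms", when="2003-04-09 08:04:00"):
    """One notification body per matching event (constructed timestamp)."""
    return [expand(template, e, "Account lockout", reply, when)
            for e in EVENTS if is_bad(e)]

# Template as first configured in the thread, then with the suggested macro.
OLD = ("%datetime% %testname% %NTEventID% %NTEventSource% "
       "%NTEventUser% reply: %reply%")
NEW = OLD.replace("reply: %reply%", "%NTEventText%")

if __name__ == "__main__":
    for body in alerts(OLD) + alerts(NEW):
        print(body)
```

With the first template every alert ends in "reply: 0ms" and carries no lockout text, so anything downstream that keys on the description has nothing to match; the second template carries the full event description.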