Problem with "NT Event Log" test
Hi,
I'm trying to do a test that checks when a specific user has logged in and, if so, sets the status to "Bad".
My problem is that it's always "Ok".
I have checked the DC's security log manually and when that user logs in I get a log entry correctly with the username somewhere in the description text. I just need the test to detect that correctly.
The settings are as follows:
The test uses Active RMA located on a DC (2012 R2).
Log Source:
Compatibility: Vista Mode
Computer: \\127.0.0.1 (same as the RMA is located on)
Log/Channel: Security
Event Source: Microsoft-Windows-Security-Auditing
Alert Condition:
Computer: <fqdn of the dc>
Event Type: Info
Event ID: 4642, 4672, 4648
Description: "Administrator" (this specific account is just for me while I'm testing)
//Andreas..
What other settings have you set for the test?
NT Event log test detects only new events (between two performed tests).
Have you refreshed the test after a new entry has been added to the event log?
Or maybe the Alert condition is incorrect. Try to make it less strict. E.g. check only event IDs, while other options are set to "Any".
Thanks for your reply!
I changed to this:
Alert Condition:
Computer: Any
Event Type: Any
Event ID: 4642, 4672, 4648
Description: Any
And did a few logins and then ran the test. It still says "Ok".
If I'm thinking correctly this test should now trigger "Bad" if anyone has logged in after the last test? The Event IDs show up in the Security log every time a user logs in, so it should work.
But it doesn't.
I have tried everything I can think of now, but I still don't get an error when someone logs in.
I have checked and verified that I use the correct RMA. That RMA tests lots of other stuff on several servers including itself and they all work.
Event Source is also empty now as you suggested.
The settings now are:
Log Source:
Compatibility: Vista Mode
Computer: \\127.0.0.1 (same as the RMA is located on)
Log/Channel: Security
Event Source: <blank>
Alert Condition:
Computer: any
Event Type: any
Event ID: 4642, 4672, 4648
Description: any
I assume this should trigger the alarm if any of those Event IDs have appeared in the security log between RMA checks?
Is there any way to check what the RMA actually does and receives?
Something has to be wrong..
> I assume this should trigger the alarm if any of those Event IDs have appeared in the security log between RMA checks?
Correct.
> Is there any way to check what the RMA actually does and receives?
> Something has to be wrong..
You may use Shell Script test method, performed by RMA with the following settings:
Start CMD: cmd /c %Script% %Params%
Script code:
@ECHO OFF
REM Pull the "OS Name" and "Host Name" fields out of systeminfo output; the
REM second colon-delimited token is the value (it keeps a leading space).
for /f "tokens=2 delims=:" %%a in ('systeminfo ^| find "OS Name"') do set OS_Name=%%a
for /f "tokens=2 delims=:" %%a in ('systeminfo ^| find "Host Name"') do set Host_Name=%%a
REM HostMonitor reads the status and reply text from this ScriptRes line.
ECHO ScriptRes:Ok:%Host_Name%%OS_Name%
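As an added example (not from this thread and not HostMonitor's own code), here is a PowerShell script that does the logon check Andreas wants through the Shell Script test method Alex describes: it reports Security-log events with the standard Windows logon IDs 4624, 4672 and 4648 that appeared since the previous run, optionally only those mentioning a given account, and emits a ScriptRes line. It assumes HostMonitor hands the script to PowerShell as a .ps1 file (e.g. Start CMD set to `powershell -NoProfile -ExecutionPolicy Bypass -File %Script% %Params%`), that the RMA service account can read the Security log, that "Bad" and "Unknown" are accepted in the status position of ScriptRes, and that the state-file path is a placeholder.

```powershell
# Added example: report new logon-related Security events since the last run,
# in the ScriptRes format HostMonitor's Shell Script test reads. Assumptions:
# the script runs with rights to read the Security log, "Bad"/"Unknown" are valid
# ScriptRes statuses, and $StateFile is a placeholder path you choose.
param(
    [int[]]$EventIds   = @(4624, 4672, 4648),   # successful logon, special privileges, explicit credentials
    [string]$UserFilter = 'Administrator',      # substring required in the event message; '' = any account
    [string]$StateFile  = "$env:ProgramData\hm_logon_check_state.txt"  # placeholder path
)

$ErrorActionPreference = 'Stop'
try {
    $now = Get-Date
    # Time of the previous run; on the first run look back only 5 minutes so
    # old history is not replayed as a fresh alert.
    if (Test-Path -LiteralPath $StateFile) {
        $raw   = (Get-Content -LiteralPath $StateFile -Raw).Trim()
        $since = [datetime]::Parse($raw, [cultureinfo]::InvariantCulture)
    } else {
        $since = $now.AddMinutes(-5)
    }

    # Only events in the (since, now] window; this is the "new events between
    # two performed tests" behaviour of the NT Event Log test, made explicit.
    $filter = @{ LogName = 'Security'; Id = $EventIds; StartTime = $since; EndTime = $now }
    # Get-WinEvent raises a non-terminating error when nothing matches; silence it.
    $events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)

    if ($UserFilter -ne '') {
        # Same idea as the test's "Description" condition: match the rendered message text.
        $events = @($events | Where-Object { $_.Message -like "*$UserFilter*" })
    }

    # Persist the checkpoint before reporting so the next run starts here.
    Set-Content -LiteralPath $StateFile -Value $now.ToString('o')

    if ($events.Count -gt 0) {
        $summary = ($events | Group-Object -Property Id |
                    ForEach-Object { "$($_.Name)x$($_.Count)" }) -join ' '
        Write-Output "ScriptRes:Bad:$($events.Count) new logon event(s) since $($since.ToString('o')) [$summary]"
    } else {
        Write-Output "ScriptRes:Ok:no new logon events since $($since.ToString('o'))"
    }
} catch {
    # e.g. "Access is denied" when the service account cannot open the Security log
    Write-Output "ScriptRes:Unknown:$($_.Exception.Message)"
}
```

If the script itself returns "Unknown" with an access error, that points at the service account rather than at the alert condition, which is the distinction the thread is trying to make.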
I tried to do the same test from the same RMA but on a different DC in the same domain. That DC is a SBS 2008 (OS is 2008).
With the exact same test settings I get the error: "RMA: 301 - Cannot open event log. Access is denied., Unknown"
When I change the Compatibility mode to "Windows NT mode" I get the error: "Not enough insertion data for the message (adtschema.dll). Msg template 'An account was successfully logged on.'" This message seems to come when a valid log entry on that server has been created, which would mean that login works.
The account the RMA uses is a member of Domain Admins so that shouldn't be a problem. Or are there some other requirements for the Event log?
The RMA does other tests on that other DC such as SNMP and WMI tests and they all work.
RMA started on DC and checks event log on the same DC?
> I tried to do the same test from the same RMA but on a different DC in the same domain. That DC is a SBS 2008 (OS is 2008).
> With the exact same test settings I get the error: "RMA: 301 - Cannot open event log. Access is denied., Unknown"
You are using 127.0.0.1 or localhost as target hostname?
RMA started as service or application?
UAC enabled?
Regards
Alex
For this other test I used the same RMA as my first test.
But it now tests the event log on another DC in the same domain. So I changed the test setting "Computer (UNC)" from \\127.0.0.1 to \\<other DC's ip>.
The RMA is a service.
And yes, on the new target DC UAC was enabled! I have turned it off but it needs to restart and I can't do that now. I'll let you know when I can, and if that helped. I have a feeling it will.
Thanks for all your help so far!
//Andreas..
When UAC is enabled and HostMonitor (or RMA) is running in service mode, you should use the BUILT-IN administrator account to run the service. Otherwise the software does not get admin rights (even if you are using an admin account).
Also, when you are checking a remote system, you should provide an account for the network connection using Connection Manager (menu View) or the "Connect as" test property.
Regards
Alex