I am trying to include in the EC domain account lockouts in 2.3.0p29-cre.
The event console is working and things appear to be set up correctly for Event 4740; however, when I trigger an account lockout, it isn’t shown in the EC. I believe the event isn’t forwarded to the event console because in the log the keywords are “Audit Success”, not “Audit Failure”. It seems that only the “Audit Failures” appear in the EC. How can I include this one particular Audit Success?
OK, I figured it out. In check_mk.user.yml I added:
```yaml
logwatch:
  enabled: yes
  # sendall: no # this is MANDATORY, yes is useful only for debugging
  # vista_api: no # this is RECOMMENDED
  # skip_duplicated: no # if yes the same messages will be replaced with text [the above messages repeated <n> times]
  # max_size: 500000 # default value
  # max_line_length: -1 # -1 to ignore, or any positive, max length of the line
  # max_entries: -1 # -1 to ignore, or any positive, max count of lines to receive
  # timeout: -1 # -1 to ignore, or any positive, in seconds
  # entries in the windows eventlog
  logfile:
    # - 'EventLogName': <crit|warn|all|off> + [context|nocontext]
    # - 'Application': crit context # example
    # - 'System': warn nocontext # another example
    # - 'YourOwn': all nocontext # yet another example
    # - '*': warn nocontext # This is default params for not missing entries
    - 'Security': all
```
Then I was able to filter out what I didn’t want, and now I see the lockout in the EC.