Hello,
we use the following check to monitor the failed logon attempts on our Windows servers:
check_nt -H <server> -v COUNTER -l "\\330\\348","Logon Errors since last reboot is %.f" -w 10000 -c 50000
Due to the poor documentation from Microsoft about the performance monitor and the lack of documentation on our side, we don't really know how these values "are generated" and how to interpret them.
It would also be nice to know if there are any alternatives to this check (for example PowerShell scripts?) or how to act correctly on high amounts of failed logon attempts.
Any information is much appreciated!
Correct use of "check_nt - failed logon attemps"
Re: Correct use of "check_nt - failed logon attemps"
I see this is your first post and I'd like to thank you for choosing Nagios! We're happy to have you in the community. Besides the support forum, please check out our knowledgebase for useful tech tips and HowTos. And to extend product functionality, you'll find thousands of plugins and addons on the Nagios Exchange. Welcome aboard!
You can glean a little more information from the "failed login attempt" messages if you enable Advanced Security Audit Policy. This will at least give you the name (sometimes IP) of the machine that failed to login.
As far as alternative plugins, I'm sure they're out there, but is there a need to change up what you're using? Is this check not working for you?
As far as acting correctly on a high number of failed login attempts, that's mainly up to you. No one knows your environment like you do. It could be someone typing their password incorrectly a number of times. Or maybe you have a computer listening for RDP sessions directly on the internet. If you get the machine name or IP from the failed login attempt logs, you will at least be able to start narrowing down where the failed logins are coming from.
As of May 25th, 2018, all communications with Nagios Enterprises and its employees are covered under our new Privacy Policy.
Be sure to check out our Knowledgebase for helpful articles and solutions!
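As an added example (not from this thread or from the check_nt plugin), here is a Nagios-style PowerShell check that reads the same performance counter the check_nt call above uses (\Server\Errors Logon, counter indices 330/348) and, where failure auditing for Logon is enabled under Advanced Audit Policy, breaks down recent Security event 4625 entries by source workstation or IP so the alert text already says where the failures come from. The thresholds, lookback window and perfdata label are assumptions.

```powershell
# Added example, not part of the original thread. Exit codes follow the Nagios plugin
# convention: 0 OK, 1 WARNING, 2 CRITICAL. Run on the domain controller being monitored.
param(
    [int]$Warning  = 10000,      # same defaults as the check_nt call in the question
    [int]$Critical = 50000,
    [int]$LookbackMinutes = 15,  # assumed window for the Security log summary
    [int]$TopN = 5
)

# 1. Cumulative value since last reboot, i.e. what "check_nt -v COUNTER" returns.
#    Counter names are localized on non-English Windows; check_nt's numeric
#    indices (\\330\\348) sidestep that, so adjust the name below if needed.
$sample = Get-Counter -Counter '\Server\Errors Logon' -ErrorAction Stop
$errorsSinceBoot = [int64]$sample.CounterSamples[0].CookedValue

# 2. Per-source breakdown from event 4625 ("An account failed to log on").
#    Needs "Audit Logon" failure auditing (Advanced Audit Policy) to be enabled.
$since   = (Get-Date).AddMinutes(-$LookbackMinutes)
$summary = ''
try {
    $events  = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } -ErrorAction Stop
    $sources = foreach ($e in $events) {
        $x = [xml]$e.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        # IpAddress is "-" for local/console failures; fall back to the workstation name.
        $src = if ($d['IpAddress'] -and $d['IpAddress'] -ne '-') { $d['IpAddress'] } else { $d['WorkstationName'] }
        if (-not $src) { $src = 'unknown' }
        [pscustomobject]@{ Source = $src; Account = $d['TargetUserName'] }
    }
    $top     = $sources | Group-Object Source | Sort-Object Count -Descending | Select-Object -First $TopN
    $summary = " - last ${LookbackMinutes}m by source: " +
               (($top | ForEach-Object { "$($_.Name)=$($_.Count)" }) -join ', ')
} catch {
    # Get-WinEvent throws when no events match; also covers a missing audit policy.
    $summary = " - no 4625 events in the last ${LookbackMinutes}m (is Logon auditing enabled?)"
}

# 3. Classic Nagios status line with perfdata after the pipe.
$state = 'OK'; $rc = 0
if ($errorsSinceBoot -ge $Critical)    { $state = 'CRITICAL'; $rc = 2 }
elseif ($errorsSinceBoot -ge $Warning) { $state = 'WARNING';  $rc = 1 }
Write-Output ("{0}: Logon Errors since last reboot is {1}{2} | 'logon_errors'={1};{3};{4}" -f `
    $state, $errorsSinceBoot, $summary, $Warning, $Critical)
exit $rc
```

Because the counter only resets on reboot, a long-running domain controller will eventually cross a fixed threshold on its own; the 4625 summary is the part that tells you whether the growth is a user mistyping a password or a single host hammering the DC.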
Re: Correct use of "check_nt - failed logon attemps"
Thank you for the fast reply.
To be a bit more precise we use this check on our domaincontroller. I guess this check is intended to be used on specific/single servers and not for the whole domain?
Re: Correct use of "check_nt - failed logon attemps"
The domain controller is the perfect place to run this check, as all authentication is run through the domain controller.