Basic query for a newb

This support forum board is for support questions relating to Nagios Log Server, our solution for managing and monitoring critical log data.
JohnFLi
Posts: 559
Joined: Mon Jun 17, 2013 3:11 pm

Basic query for a newb

Post by JohnFLi »

I am trying Log Server for the first time.
I have it looking at the Domain Controller logs

How can I find out failed login attempts on a specific machine? I know the machine name, I'm just trying to verify that somebody did attempt to log on to it.
Everybody is somebody else’s weirdo
rkennedy
Posts: 6579
Joined: Mon Oct 05, 2015 11:45 am

Re: Basic query for a newb

Post by rkennedy »

I don't have access to a DC's logs, so going to take a guess here with the EventID. Usually, this is the EventID that corresponds if a Windows machine was sending its own logs in. Not exactly sure if it's the same for the DC.

Does the log still contain the EventID 4625? If so, from the Dashboards page, you should be able to click 'Load Query', and then select the 'Windows Failed Logins' one. Then, query for a string that would contain that host (ip of it, or perhaps hostname).

If it doesn't have the EventID 4625, we may need to create a few filters to apply. Can you show us an example of the log that would contain an invalid login? It doesn't have to be for the host in specific we're looking for.
Former Nagios Employee
JohnFLi
Posts: 559
Joined: Mon Jun 17, 2013 3:11 pm

Re: Basic query for a newb

Post by JohnFLi »

I tried the built-in 'failed windows logons' which works sorta ok..... but how do I narrow that down to a certain machine name or date?
Everybody is somebody else’s weirdo
rkennedy
Posts: 6579
Joined: Mon Oct 05, 2015 11:45 am

Re: Basic query for a newb

Post by rkennedy »

You should be able to type the hostname / IP in the query box, or filter based on specific fields in NLS. Can you post a screenshot of the full log you're seeing so that we can determine which field would be best to filter on?
Former Nagios Employee
JohnFLi
Posts: 559
Joined: Mon Jun 17, 2013 3:11 pm

Re: Basic query for a newb

Post by JohnFLi »

(attachment: Log.jpg)
I was able to get the name of the system somewhat filtered.... but I even purposely did a failed login attempt and it doesn't show.
Everybody is somebody else’s weirdo
rkennedy
Posts: 6579
Joined: Mon Oct 05, 2015 11:45 am

Re: Basic query for a newb

Post by rkennedy »

Can you also show us the filters you currently have applied?

When you send over the screenshot, click inside one of those 'logs' first, and expand it. After that, it'll show us how all of the fields line up. Send a screenshot of this as well. We need to find a 'field' that we can use to filter by.
Former Nagios Employee
JohnFLi
Posts: 559
Joined: Mon Jun 17, 2013 3:11 pm

Re: Basic query for a newb

Post by JohnFLi »

(attachment: Log.jpg)
Hope this covers the info you asked for.
Everybody is somebody else’s weirdo
rkennedy
Posts: 6579
Joined: Mon Oct 05, 2015 11:45 am

Re: Basic query for a newb

Post by rkennedy »

Which filters are you using? (you'll want to click them to expand)

Judging by the data you sent over, you'll want to use at least two. You'll want to set the Category to must be 'Credential Validation', and the Status to must not be 0x0. You can apply these filters by clicking the magnifying glass next to the field, and then changing them accordingly.

As you're just getting started, it might be easier to do a demonstration and show you a few things about NLS. Have you had a Quickstart yet for NLS? If not, I recommend signing up for one here - https://www.nagios.com/services/quickst ... og-server/
Former Nagios Employee
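The two filters rkennedy describes (Category must be 'Credential Validation', Status must not be 0x0), combined with the earlier EventID 4625 check and a per-host match, expressed as an added example that is not part of this thread or of Nagios Log Server itself; the field names (Hostname, Workstation, EventID, Category, Status, TargetUserName) and the sample events are assumptions about how the DC logs are indexed.

```python
"""Pick out failed logons for one host from Windows security events.

Field names and sample records below are constructed assumptions, not
the actual index layout of any Nagios Log Server instance.
"""
from collections import Counter

# Constructed sample events: two DC credential-validation records (one
# success, one failure), one local 4625 failure, and one 4624 success.
SAMPLE_EVENTS = [
    {"Hostname": "DC01", "EventID": "4776", "Category": "Credential Validation",
     "Status": "0x0", "TargetUserName": "alice", "Workstation": "WS01"},
    {"Hostname": "DC01", "EventID": "4776", "Category": "Credential Validation",
     "Status": "0xc000006a", "TargetUserName": "alice", "Workstation": "WS01"},
    {"Hostname": "WS01", "EventID": "4625", "Category": "Logon",
     "Status": "0xc000006d", "TargetUserName": "bob", "Workstation": "WS01"},
    {"Hostname": "WS02", "EventID": "4624", "Category": "Logon",
     "Status": "0x0", "TargetUserName": "carol", "Workstation": "WS02"},
]


def is_failed_logon(event):
    """A local 4625 failure, or a credential-validation event whose Status
    is anything other than success (0x0), as suggested in the thread."""
    if event.get("EventID") == "4625":
        return True
    return (event.get("Category") == "Credential Validation"
            and event.get("Status", "0x0") != "0x0")


def failed_logons_for_host(events, host):
    """Failed logons where the host is either the machine that logged the
    event or the workstation named in it (case-insensitive)."""
    host = host.lower()
    return [e for e in events if is_failed_logon(e)
            and host in (e.get("Hostname", "").lower(),
                         e.get("Workstation", "").lower())]


def failed_logons_by_user(events):
    """Count failures per target account, a quick triage view."""
    return Counter(e.get("TargetUserName", "?")
                   for e in events if is_failed_logon(e))


def lucene_query(host):
    """The same logic as a query-box string (Lucene syntax; field names assumed)."""
    return (f'(EventID:4625 OR (Category:"Credential Validation" AND NOT Status:"0x0"))'
            f' AND (Hostname:"{host}" OR Workstation:"{host}")')
```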
JohnFLi
Posts: 559
Joined: Mon Jun 17, 2013 3:11 pm

Re: Basic query for a newb

Post by JohnFLi »

Yes, I think I should get the quick start training.

Thank you..... feel free to close this item
Everybody is somebody else’s weirdo