support-frontdata

ntevl, AO, Script a little project

Discussion created by support-frontdata on Nov 11, 2010
Latest reply on Nov 17, 2010 by support-frontdata

Hello.

I am writing here hoping someone may be able to help me with a challenging request from a customer.

The case is as follows.

They want every failed audit in the Windows security log to be logged to a file, to see if someone is brute-forcing their user accounts.

So far I have done this.

NTEVL is looking for the event, with Run type set to event, so it runs on every event. I get my "windows events" in the alarm list. However, if I try to brute-force a password very quickly, like 5-10 times in a row, NTEVL will only pick up like 30% of them.

Question 1: Is there any way to make sure NTEVL will pick up every event and not miss some of them?

Secondly, I have set up an Auto Operator profile that looks for user tag 1 = failure and executes a script; this is done on message arrival.

Question 2: If I get multiple alarms from NTEVL, will the Auto Operator run every time the event ticks, even if I get 5 at almost the same time and they get stacked up in the alarm list due to Count because the events' origin is the same?

Thirdly, I have tried making a script called from the AO, but I'm not much of a coder, so I'm not sure it is correct.

The idea is to get the alarms with the user tag failure and put them in a text file, or perhaps those where the message starts with: Security (529 - Logon/Logoff):

Well, so far my script is like this. I have not made a count-up function on the list, as I expect it to run on every alarm.

-- path of the text file to write to (the file must already exist);
-- the backslash is doubled so Lua does not read "\L" as an escape sequence
local abcd = "c:\\Login_error.txt"

-- the NAS Auto Operator passes the alarm that triggered this profile to the
-- script as the global table "event"; fetch the full alarm record by its nimid
local a = alarm.get(event.nimid)

-- if a is different from nil / null and carries the failure user tag, then
if a ~= nil and a.user_tag1 == "failure" then
    -- write the alarm message to the file, one line per alarm
    file.write(abcd, a.message .. "\n")
end

Question 3: What may I be missing in my script / AO to make it write the message of the event to the file on the C: drive?

Question 4: Does anyone have a better / smarter way to do this?


Hoping someone can provide me with some help or feedback.


cheers


/Mads
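Since the customer's actual question is whether someone is brute-forcing accounts, a threshold over a time window is more useful than a raw dump of every failed audit, and it also answers the Count concern: a stacked alarm should be counted as that many failures, not as one. The following is an added example in Python; it is not the poster's NAS Lua script and not Nimsoft code. It parses alarm messages that start with the prefix quoted in the post, Security (529 - Logon/Logoff):, counts failures per account in a sliding window, and raises one alert per burst. The sample alarms, the message text beyond that prefix, the field names time/message/count, the event ID 4625 as the post-Vista equivalent of 529, and the threshold of 5 failures in 5 minutes are assumptions made for this example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample alarms, not real NTEVL/NAS output. The message prefix
# "Security (529 - Logon/Logoff):" is the one quoted in the post; the rest of
# the message text and the field names "time", "message" and "count" are
# assumptions for this example ("count" plays the role of the NAS Count
# field, so a stacked alarm with count 3 stands for three failures).
SAMPLE_ALARMS = [
    {"time": "2010-11-11 09:15:01", "count": 1,
     "message": "Security (529 - Logon/Logoff): Logon Failure: Reason: Unknown user name or bad password "
                "User Name: mads Domain: CORP Logon Type: 3 Workstation Name: WS01"},
    {"time": "2010-11-11 09:15:03", "count": 1,
     "message": "Security (529 - Logon/Logoff): Logon Failure: Reason: Unknown user name or bad password "
                "User Name: MADS Domain: CORP Logon Type: 3 Workstation Name: WS01"},
    # three identical failures suppressed into one alarm record by Count
    {"time": "2010-11-11 09:15:04", "count": 3,
     "message": "Security (529 - Logon/Logoff): Logon Failure: Reason: Unknown user name or bad password "
                "User Name: mads Domain: CORP Logon Type: 3 Workstation Name: WS01"},
    {"time": "2010-11-11 09:15:05", "count": 1,
     "message": "Security (529 - Logon/Logoff): Logon Failure: Reason: Unknown user name or bad password "
                "User Name: bob Domain: CORP Logon Type: 3 Workstation Name: WS02"},
    # a successful logon (528) must not be counted
    {"time": "2010-11-11 09:15:06", "count": 1,
     "message": "Security (528 - Logon/Logoff): Successful Logon: User Name: mads Domain: CORP Logon Type: 2"},
    # a single failure half an hour later is outside the window: no alert
    {"time": "2010-11-11 09:45:00", "count": 1,
     "message": "Security (529 - Logon/Logoff): Logon Failure: Reason: Unknown user name or bad password "
                "User Name: mads Domain: CORP Logon Type: 3 Workstation Name: WS01"},
]

# 529 is the pre-Vista "Logon Failure: Unknown user name or bad password"
# event; 4625 is its equivalent on Vista / Server 2008 and later.
FAILURE_EVENT_IDS = {"529", "4625"}
PREFIX_RE = re.compile(r"^Security \((?P<eid>\d+) - Logon/Logoff\):")
USER_RE = re.compile(r"User Name:\s*(?P<user>\S+)")
WS_RE = re.compile(r"Workstation Name:\s*(?P<ws>\S+)")


def parse_failure(alarm):
    """Return (time, user, workstation, failures) for a failed-logon alarm,
    or None for anything that is not a logon failure."""
    m = PREFIX_RE.match(alarm["message"])
    if m is None or m.group("eid") not in FAILURE_EVENT_IDS:
        return None
    user = USER_RE.search(alarm["message"])
    ws = WS_RE.search(alarm["message"])
    return (
        datetime.strptime(alarm["time"], "%Y-%m-%d %H:%M:%S"),
        user.group("user").lower() if user else "?",   # account names are case-insensitive
        ws.group("ws") if ws else "?",
        int(alarm.get("count", 1)),                     # stacked alarm = several failures
    )


def detect_bruteforce(alarms, threshold=5, window=timedelta(minutes=5)):
    """Slide a time window over the failures of each account and raise one
    alert per burst that reaches `threshold` failures inside `window`."""
    recent = defaultdict(deque)   # account -> deque of (time, workstation, failures)
    alerts = []
    for alarm in sorted(alarms, key=lambda a: a["time"]):
        parsed = parse_failure(alarm)
        if parsed is None:
            continue
        t, user, ws, n = parsed
        q = recent[user]
        q.append((t, ws, n))
        while q and t - q[0][0] > window:   # drop failures older than the window
            q.popleft()
        total = sum(c for _, _, c in q)
        if total >= threshold:
            alerts.append({
                "user": user,
                "failures": total,
                "sources": sorted({s for _, s, _ in q}),
                "first": q[0][0],
                "last": t,
            })
            q.clear()   # one alert per burst, not one more per further failure
    return alerts


def format_alert(alert):
    """One line per alert, in the shape the customer wanted written to a file."""
    return "%s..%s %s: %d failed logons from %s" % (
        alert["first"].strftime("%H:%M:%S"), alert["last"].strftime("%H:%M:%S"),
        alert["user"], alert["failures"], ",".join(alert["sources"]))


if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_ALARMS):
        print(format_alert(alert))
```

With the sample data the stacked alarm pushes the mads account to 5 failures inside the window and produces a single alert line, while bob's one failure, the successful logon and the lone failure half an hour later produce nothing. The same per-account window could be kept in the NAS script instead of writing every message, so the file only grows when something worth reading has happened.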
