I am writing here hoping someone may be able to help me with a challenging request from a customer.
The case is as follows.
They want every failed audit in the Windows security log to be logged to a file, to see if someone is brute-forcing their user accounts.
So far I have done this.
NTEVL looking for the event, run type set to event, so it runs on every event. I get my "windows events" in the alarm list. However, if I try to brute-force a password very quickly, like 5-10 times in a row, NTEVL will only pick up about 30% of them.
Question 1: Is there any way to make sure NTEVL will pick up every event and not miss some of them?
Secondly, I have set up an Auto Operator profile that will look for user tag 1 = failure and execute a script; this is done on message arrival.
Question 2: If I get multiple alarms from NTEVL, will the auto-operator run every time the event ticks, even if I get 5 at almost the same time and they get stacked up in the alarm list due to Count, if the events' origin is the same?
Thirdly, I have tried making a script called from the AO, but I'm not that much of a coder, so I'm not sure if it is correct.
The idea is to get the alarms with the user tag failure and put them in a text file, or perhaps where the message starts with: Security (529 - Logon/Logoff):
Well, so far my script is like this. I have not made a count-up function on the list, as I expect it to run on every alarm.
-- path of the text file to append to (a backslash must be escaped as \\ in a Lua string)
local abcd = "c:\\Login_error.txt"
-- when the script is run from an AO profile, alarm.get() with no arguments returns the alarm that triggered the profile
local a = alarm.get()
-- if a is not nil and it is one of the failure alarms, append its message to the file
if a ~= nil and a.user_tag1 == "failure" then
   -- open in append mode so each alarm adds a line instead of overwriting the file
   local f = io.open(abcd, "a")
   if f ~= nil then
      f:write(a.message .. "\n")
      f:close()
   end
end
Question 3: What might I be missing in my script / AO to make it write the message of the event to the file on the C drive?
Question 4: Does anyone have a better / smarter way to do this?
I'm hoping someone can provide me with some help or feedback.
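The following is an added example and is not part of the original post, nor Nimsoft code. It shows the other route to Question 4: read the failed logons straight from the Windows Security log with PowerShell, append them to the same C:\Login_error.txt the post uses, and flag accounts that fail repeatedly, so the file does not depend on NTEVL catching every event. It assumes the script runs as an account allowed to read the Security log (for example from a scheduled task), that the "User Name:" / "Account Name:" text is the stock layout of events 529 and 4625, and that the Threshold and WindowMinutes values are placeholders to tune.

```powershell
# Added example, not from the original post or from Nimsoft: pull failed logons
# directly from the Security log and append them to the file the post writes to.
# Assumptions: runs as an account that can read the Security log; event text uses
# the stock Windows wording; $Threshold / $WindowMinutes are placeholders to tune.
param(
    [string]$OutFile       = 'C:\Login_error.txt',
    [int]   $WindowMinutes = 10,
    [int]   $Threshold     = 5
)

# Remember where the last run stopped so a scheduled run does not log the same events twice.
$stateFile = "$OutFile.last"
$now   = Get-Date
$since = if (Test-Path $stateFile) { [datetime](Get-Content $stateFile) } else { $now.AddMinutes(-$WindowMinutes) }

# 529 = failed logon on Windows XP/2003 (the ID in the post); 4625 = the same event on
# Vista/2008 and later. Get-EventLog reads both the classic and the newer log format.
$failed = @(Get-EventLog -LogName Security -After $since -Before $now -ErrorAction SilentlyContinue |
            Where-Object { $_.EventID -eq 529 -or $_.EventID -eq 4625 })

function Get-FailedAccount([string]$Message) {
    # 4625 lists two accounts; the one that matters is under "Account For Which Logon Failed:".
    if ($Message -match 'Account For Which Logon Failed:[\s\S]*?Account Name:\s+(\S+)') { return $Matches[1] }
    # 529 has a single "User Name:" line.
    if ($Message -match 'User Name:\s+(\S+)') { return $Matches[1] }
    return '<unknown>'
}

function Get-SourceWorkstation([string]$Message) {
    if ($Message -match 'Workstation Name:\s+(\S+)') { return $Matches[1] }
    return '-'
}

# One tab-separated line per failure: time, event ID, account, source workstation.
$lines = foreach ($e in $failed) {
    "{0:yyyy-MM-dd HH:mm:ss}`t{1}`t{2}`t{3}" -f $e.TimeGenerated, $e.EventID,
        (Get-FailedAccount $e.Message), (Get-SourceWorkstation $e.Message)
}
if ($lines) { Add-Content -Path $OutFile -Value $lines }

# Brute-force check: any account with at least $Threshold failures in this window.
$failed | Group-Object { Get-FailedAccount $_.Message } |
    Where-Object { $_.Count -ge $Threshold } |
    ForEach-Object {
        Add-Content -Path $OutFile -Value ("ALERT`t{0} failed logons for '{1}' between {2:HH:mm:ss} and {3:HH:mm:ss}" -f $_.Count, $_.Name, $since, $now)
    }

Set-Content -Path $stateFile -Value $now.ToString('o')
```

Run it from a scheduled task every few minutes; the state file makes each run pick up where the previous one stopped. Reading the Security log needs administrative rights, and the account-name regexes should be checked against one real event on the customer's OS version before trusting the per-account counts.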