Table of Contents
- Getting Started
- Agent-Based Management
- Data Providers
- Directory Services
- Event Log Archiving for JSIG and CMMC Compliance
- Auditing
- Hosts
- Templates
- Template Properties
- Batch Update Templates
- Assign Templates
- Log Management Templates
- SCAP Compliance Monitor
- File and Directory Monitor Templates
- Windows Monitor Templates
- Account Lockout Monitor Template
- Logon Monitor Template
- CPU Monitor Template
- Memory Monitor Template
- Disk Space Monitor Template
- SMART Monitor Template
- Process Monitor Template
- Service Monitor Template
- Performance Counter Monitor Template
- PowerShell Template
- Registry Value Monitor Template
- System Security Monitor Template
- Active Directory User Monitor Template
- Active Directory User Integrity Monitor Template
- Task Scheduler Template
- Clock Synchronization Template
- Defragment NTFS Disks Template
- Windows Audit Policy Monitor Template
- Windows Logon As Monitor Template
- Windows Update Template
- Windows Management Instrumentation (WMI) Templates
- Database Monitor Template
- Directory Service Monitor Template
- DNS Blacklist Monitor Template
- DNS Monitor Template
- Domain Expiration Monitor Template
- Network Speed Monitor Template
- Ping Monitor Template
- Database Table Reseed
- SQL Server Shrink and Backup Template
- SSH Shell
- TCP Port Scan Monitor Template
- Website Monitor Template
- Wake On LAN Template
- SSL Certificate Monitor Templates
- Email Monitor Templates
- SNMP Monitor Templates
- Windows Accounts Templates
- Monitors
- Reports
- File and Permission Reports
- Summary Reports
- Auto-Configurators
- Filters
- Actions
- Database Actions
- Desktop Actions
- Email Actions
- Event Log Actions
- Executable Actions
- File Actions
- IIS IP Address Restriction Actions
- Microsoft Teams Actions
- PowerShell Actions
- Report Actions
- Service Actions
- SMS Actions
- SNMP Trap Actions
- Syslog Actions
- Template Actions
- IIS IP Address Restriction Actions
- Action Variables
- Schedules
- Environment Variables
- Options
- Account Lockout Monitoring and Reporting
- Merging Logs
- SNMP
- SSH Shell
- Syslog
- Exporting and Importing Configuration Objects
- Shared Views
- Active Directory User and Group Filters
- Assign Actions
- Assign Azure Audit Logs
- Assign Consolidated Logs
- Assign Directories
- Assign Disks
- Assign Event Logs
- Assign Files
- Assign Services
- Assign Shares
- Auto-Config Host Assignment Properties
- Define CSV and W3C Log Entry Columns
- Define Log Entry Columns
- Define Log Entry Columns with Regular Expressions
- Executable Status
- Executable Timeline
- Explicitly Assigned Logs
- File Explorer
- General Executable Properties
- Report Columns
- Report Date/Time Ranges
- Report Security Event Log Filters
- Select Folder or File
- Target Files and Sub-Directories
- Command Line Interface
- Server Configuration
- Agent Configuration
- Troubleshooting
- Terminology
Corner Bowl Server Manager
SIEM, IPS, Server Monitoring, Uptime Monitoring and Compliance Software
Account Lockout Monitoring and Reporting
Sever Manager includes several different methods to get notified when an account is locked out.
| Type | Description |
|---|---|
| Real-Time Security Event Log Monitor | Subscribes, or optionally scans on a scheduled interval, Security Event Logs for locked out accounts. Monitors Domain Controller Security Event logs for locked out domain accounts and/or monitors stand-alone server Security Event logs for local, non-domain, locked out accounts. |
| Active Directory Monitor | Scan Active Directory on a scheduled interval (e.g. Every 15 Minutes) for locked out domain accounts. |
| WMI Monitor | Scan stand-alone servers on a scheduled interval (e.g. Every 15 Minutes) for local, non-domain, locked out accounts. |
| Security Event Log Report | Scan multiple Domain Controller Security Event logs for domain account lockout history and/or scan multiple stand-alone server Security Event logs for non-domain local account lockout history. |
| Active Directory/WMI Report | Scan multiple domains on a scheduled interval (e.g. Every 15 Minutes) for currently locked out domain accounts and optionally scan multiple stand-alone servers on a scheduled interval (e.g. Every 15 Minutes) for currenlty locked out non-domain local accounts. |
How to get notified in real-time when an account is locked out:
Server Manager includes a sample template that monitors Security Event Logs in real-time for event ID 4740: A user account was locked out. This event generates every time a user account is locked out.
Important
Domain Controller Replication
Security Event Log entries are replicated accross all domain controllers that have joined the same domain. When monitoring a domain that has multiple replicated domain controllers, assigning the same Security Event Log template to each domain controller results in duplicate triggers, one from each domain controller.
- From the Explorer View, navigate to Templates | Sample Templates | Real-Time Monitors then right click on Real-Time Account Lockout Monitor and select Template Properties. The Event Log Monitor Template Properties view displays.
- The Template Properties view contains 6 tabs.
The Options Tab
- Use the Log drop-down to select the specific log to configure. This template only monitors the Security Event Log.
- Use the Rules controls to assign the filter and actions. Double-click the existing rule. The Log Monitor Rule displays.
- Notice, the Account Locked Out filter, which searches for all 4740 Event IDs, is assigned and the Email - Account Locked Out action, which sends an email along with the account name that was locked out in the subject, is assigned.
Note
To filter out specific accounts, either modify the existing filter or create a new filter then assign your new filter to this template or a copy of this template.
For more information see: Log Monitor.
Host Assignment
- When monitoring domain controllers, assign a single domain controller from each domain in the forest to this template.
- When monitoring stand-alone servers, assign each stand-alone server to this template template.