Logon Security Event Monitor Reference Guide

Logon Security Event Monitor

Checks the event log for logon security events.

Overview

This event monitor scans the security event logs on remote machines. It can be configured to alert about failed login attempts. It can also be set to check for specific users and alert if specified users are found or if it finds users that are not in a list that you specify.

Use Cases

  • Getting notified about suspicious login attempts
  • Monitoring login attempts of banned users

Monitoring Options

This event monitor provides the following options:

Alert with [Info/Warning/Error/Critical] if the device cannot be contacted

Use this option to get alerts if FrameFlow cannot contact the selected device.

Alert with [Info/Warning/Error/Critical] when one or more failed login attempts are found

Use this option to get alerts when one or more failed login attempts are found.

Ignore events indicating "Additional preauthentication required"

Use this option to exclude events indicating the need for additional preauthentication from the failed login notification option.

Ignore attempts where the account was valid but the password was incorrect

Use this option to exclude login attempts where the username was correct but the password was not.

Alert with [Info/Warning/Error/Critical] if a user other than those listed (permitted) is found to have a session

Use this option to specify the users that are permitted to have a session. An alert is raised if any other user is found to have one.

Alert with [Info/Warning/Error/Critical] if any of these users (banned) are found to have a session

Use this option to be alerted if a banned user begins a session.

Alert with [Info/Warning/Error/Critical] if one or more locked/unlocked account events are found

This option and its related suboptions let you receive alerts if the event monitor detects one or more locked or unlocked account events since it last ran.

Only alert about the specified accounts

Here, you can specify a comma-separated list of users to check. All other users will be skipped over during checks.

Ignore locked/unlocked account events for the specified accounts

Here, you can specify a comma-separated list of users to ignore.
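
The options above can be read as filtering rules over Windows security events. The following is an added example, not FrameFlow's code: it assumes the standard Windows event IDs (4624, 4625, 4768, 4771, 4740, 4767) and status codes, and that a successful logon (4624) counts as a session. How FrameFlow itself maps events to these options is not stated on this page, and the function, parameter, and field names are hypothetical.

```python
# Added illustration, not FrameFlow code. Event IDs and status codes are the
# standard Windows ones; their mapping to the options above is an assumption.
PREAUTH_REQUIRED = "0x19"         # Kerberos: additional pre-authentication required
KRB_BAD_PASSWORD = "0x18"         # Kerberos 4771: valid account, wrong password
NTLM_BAD_PASSWORD = "0xc000006a"  # 4625 SubStatus: valid account, wrong password

def evaluate(events, ignore_preauth=False, ignore_bad_password=False,
             permitted=None, banned=(), lock_only=None, lock_ignore=()):
    """Return a list of (alert_kind, user) tuples for one batch of events."""
    norm = lambda names: {n.strip().lower() for n in names}
    permitted = norm(permitted) if permitted is not None else None
    banned, lock_ignore = norm(banned), norm(lock_ignore)
    lock_only = norm(lock_only) if lock_only is not None else None
    alerts = []
    for ev in events:
        eid, user = ev["id"], ev["user"].lower()
        code = ev.get("status", "").lower()
        # 4768 is also logged on success (result code 0x0), so check the code.
        if eid in (4625, 4771) or (eid == 4768 and code != "0x0"):
            if ignore_preauth and code == PREAUTH_REQUIRED:
                continue
            if ignore_bad_password and code in (KRB_BAD_PASSWORD, NTLM_BAD_PASSWORD):
                continue
            alerts.append(("failed_login", user))
        elif eid == 4624:                      # successful logon, treated as a session
            if user in banned:
                alerts.append(("banned_user_session", user))
            elif permitted is not None and user not in permitted:
                alerts.append(("unpermitted_user_session", user))
        elif eid in (4740, 4767):              # account locked out / unlocked
            if user in lock_ignore:
                continue
            if lock_only is not None and user not in lock_only:
                continue
            alerts.append(("locked" if eid == 4740 else "unlocked", user))
    return alerts

# Constructed sample events (not real log data).
SAMPLE = [
    {"id": 4768, "user": "alice", "status": "0x19"},
    {"id": 4771, "user": "alice", "status": "0x18"},
    {"id": 4625, "user": "ghost", "status": "0xC0000064"},
    {"id": 4624, "user": "bob"},
    {"id": 4624, "user": "mallory"},
    {"id": 4740, "user": "alice"},
    {"id": 4767, "user": "svc_backup"},
]
```

Enabling both "ignore" options removes the two alice failures but keeps the attempt against the nonexistent account `ghost`, which is the signal those options leave visible.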

Authentication and Security

The account used for monitoring must have admin rights.

Protocols

Data Points

This event monitor does not generate any data points.

Sample Output

Tutorial

To view the tutorial for this event monitor, click here.
