Asked by jjoz:
How do you implement critical Event ID monitoring report

Hi Everyone,

How do you monitor these event IDs across your domain?

Can anyone give me a suggestion or share a PowerShell script to email / report on this, please?

Thanks.

Application:
1002 Application Hang
1000 Application Error

Hardware Related:
7, 9, 11, 51, 52, 55 Potential HD related issue
1053 Servers too hot. Sometimes our air conditioning breaks.

Security Log:
529 Logon Failure - Unknown user name or bad password
530 Logon Failure - Account logon time restriction violation
531 Logon Failure - Account currently disabled
532 Logon Failure - The specified user account has expired
533 Logon Failure - User not allowed to logon at this computer
534 Logon Failure - The user has not been granted the requested logon type at this machine
535 Logon Failure - The specified account’s password has expired
539 Logon Failure - Account locked out

On the Domain Controller:
Event 675 on a domain controller indicates a failed initial attempt to log on via Kerberos at a workstation with a domain account, usually due to a bad password, but the failure code indicates exactly why authentication failed.
Event 642 indicates a change to the specified user account such as a reset password or a disabled account being re-enabled. The event’s description specifies the type of change.
Events 632, 636, 660 - All 3 events indicate the specified user was added to the specified group. Group scopes Global, Local and Universal correspond to the 3 event IDs.
Event 624 - New user account was created.
Event 644 - Specified user account was locked out after repeated logon failures
Event 517 - The specified user cleared the security log.
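
One way to do what the question asks, as an added example that is not from this thread: poll each listed event ID on a set of computers and e-mail a report. It assumes the classic Get-EventLog cmdlet (the security IDs above are pre-2008 numbering), a list of hostnames in computers.txt, and a reachable SMTP relay; the SMTP host and addresses are placeholders.

```powershell
# Event IDs from the question, keyed by the log they live in.
$Watch = @{
    'Application' = 1000, 1002                   # app error / hang
    'System'      = 7, 9, 11, 51, 52, 55, 1053   # disk and thermal
    'Security'    = 529, 530, 531, 532, 533, 534, 535, 539,
                    675, 642, 632, 636, 660, 624, 644, 517
}
$Since     = (Get-Date).AddHours(-24)
$Computers = Get-Content -Path '.\computers.txt'   # assumed: one hostname per line

$Report = foreach ($c in $Computers) {
    foreach ($log in $Watch.Keys) {
        try {
            # Filter on EventID rather than -InstanceId: InstanceId carries
            # qualifier bits for some sources and would miss matches.
            Get-EventLog -ComputerName $c -LogName $log -After $Since -ErrorAction Stop |
                Where-Object { $Watch[$log] -contains $_.EventID } |
                Select-Object @{n='Computer';e={$c}}, @{n='Log';e={$log}},
                              TimeGenerated, EventID, Source,
                              @{n='Message';e={ "$($_.Message)" -replace '\s+', ' ' }}
        } catch {
            # Unreachable host or access denied: report it rather than drop it silently.
            [pscustomobject]@{ Computer = $c; Log = $log; TimeGenerated = (Get-Date)
                               EventID = 0; Source = 'collector'
                               Message = $_.Exception.Message }
        }
    }
}

# Summary (hits per computer/event) followed by the full detail, newest last.
$Summary = $Report | Group-Object Computer, EventID |
    Sort-Object Count -Descending | Select-Object Name, Count
$Body = ($Summary | Format-Table -AutoSize | Out-String) + "`n" +
        ($Report | Sort-Object TimeGenerated | Format-Table -AutoSize -Wrap | Out-String)

# Placeholder relay and addresses; replace with your own.
Send-MailMessage -SmtpServer 'smtp.example.local' -From 'eventmon@example.local' `
    -To 'ops@example.local' -Subject "Critical event report since $Since" -Body $Body
```

Run it from a scheduled task on one management host rather than as a GPO startup script, so it fires on an interval regardless of logons or reboots.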


SOLUTION
KenMcF
ASKER
Ahh, so at the moment I use Splunk and Nagios too. If I want to do this on my Windows Server then I must install a syslog daemon plugin for Windows to push the event IDs to a syslogd server for Splunk to search.
It has been a while since I have used Nagios or Splunk, but you should be able to set up the Nagios agent on the servers and have them send the logs over. Then use Splunk to better search for root cause or other events.
ASKER
Well yes, I guess you're right.
Suppose I set up a PowerShell script and deploy it using GPO as a computer startup script; then it will not run unless the user re-logs in to the PC or the server is restarted :-|
ASKER CERTIFIED SOLUTION

ASKER
Thanks man!