Table of Contents
- System Requirements
- Assign Service Logon As Credentials
- Server Configuration
- Agent-Based Monitoring
- Data Providers
- Directory Services
- Audit Work Items
- Template Properties
- Batch Update Templates
- Log Management Templates
- File and Directory Monitor Templates
- Windows Monitor Templates
- Account Lockout Monitor Template
- Logon Monitor Template
- CPU Monitor Template
- Memory Monitor Template
- Disk Space Monitor Template
- SMART Monitor Template
- Process Monitor Template
- Service Monitor Template
- Performance Counter Monitor Template
- PowerShell Script Template
- Registry Value Monitor Template
- Active Directory User Monitor Template
- Active Directory User Integrity Monitor Template
- Task Scheduler Template
- Clock Synchronization Template
- Defragment NTFS Disks Template
- Network and Application Monitor Templates
- Database Monitor Template
- Directory Service Monitor Template
- DNS Blacklist Monitor Template
- DNS Monitor Template
- Domain Expiration Monitor Template
- Network Speed Monitor Template
- Ping Monitor Template
- SQL Server Shrink and Backup Template
- SSH Shell
- TCP Port Scan Monitor Template
- Website Monitor Template
- SSL Certificate Monitor Templates
- Email Monitor Templates
- SNMP Monitor Templates
- Report Properties
- Security Reports
- Generic Log Reports
- File and Permission Reports
- Summary Reports
- Environment Variables
- Account Lockout Monitoring and Reporting
- SSH Shell
- Exporting and Importing Configuration Objects
- Shared Views
- Auto-Config Host Assignment Properties
- General Executable Properties
- Assign Actions
- Assign Directories
- Assign Disks
- Assign Shares
- Assign Files
- Assign Consolidated Logs
- Assign Event Logs
- Assign Active Directory Audit Logs
- Target Files and Sub-Directories
- Define Log Entry Columns
- Define Log Entry Columns with Regular Expressions
- Define CSV and W3C Log Entry Columns
- Active Directory User and Group Filters
- Explicitly Assigned Logs
- File Explorer
- Report Columns
- Report Date/Time Ranges
- Report Security Event Log Filters
- Select Folder or File
- Command Line Interface
Security Event Log Failed Logons Reports
The Failed Logons Reports enable you to scan the consolidated log database for various failed logon Event IDs. This report is typically used by compliance and audit professionals while auditing domain controllers and stand-alone servers.
Server Manager includes two methods to report failed Windows logins:
|One-Off Failed Logons Report||Parses event IDs: 4625, 4768, 4771 and 4776, filters Logon Types, displays each failed login or the total number of failed login attempts grouped by user and Logon Type, then finally and optionally generates a summary table along with tables for each selected Event ID. This report is supported on all locales.|
|Generic Failed Logons Report||Uses Regular Expressions to parse Security Event Log Entries, extract values, validate subject and target accounts in Active Directory, then finally filter entries using Event Log Filters. This report is only supported on English locales.|
How to configure the One-Off Failed Logons Report
- From the Explorer View, navigate to Reports | Sample Reports | Event Logs | Security Reports | Management, right click on Failed Logons Report then select Properties. The Properties View displays.
- The Properties View contains 7 configuration tabs.
The Options Tab
- Use the Tables check boxes to select the Event IDs to target.
- Use the Logon Types check boxes to select the Logon Types to target.
Use the Summary check box to either display each failed logon entry or display the count of unique failed logons grouped by account name and Logon Type.
Failed Logon Report properties
How to configure the Generic Failed Logons Report
- From the Explorer View, navigate to Reports | Sample Reports | Event Logs | Security Reports | Management, right click on Failed Logon Report (Generic) then select Properties. The Properties View displays.
- The Properties View contains 8 configuration tabs.
The Options Tab
Use the Filters drop-down to select all of the filters you would like to apply to the report.
To target specific columns (e.g. Account For Which Logon Failed), create a Complex Event Log Filter then, create a new Attribute Value Pair Criteria, specify the column's key (e.g. TARGET_ACCOUNT_NAME) then, specify the account name or regular expression to target.Sample regular expression driven new interactive and remote failed logon filter
Once a filter is assigned, use the Include entries that pass drop-down to select the filter method.
The following filter options are available:
Option Description All Include each entry that passes all assigned filters. Any Include each entry that passes any filter. None Include each entry that does not pass any of the filters. Ignore Include all entries.
Use the Apply filter frequency rules to display the Latest or Oldest entry when it occurs more than X times every X periods.
A unique instance of these settings is attached to each assigned filter. Select the Filter to apply each instance's settings.
Use the Duplicates controls to group entries by Source and Event ID then display Latest or Oldest entry along with a count of entries in each group.
Generic Failed Logon Report properties