Kaseya Community

How to monitor for failed logins

  • Guys, I am stumped on this, hopefully someone has a good idea. I am trying to create an event set to monitor failed logins (Event ID 4625). I set up an Event Set, and started getting a bunch of these (BTW, I limited it to 10 times within 30 min).

    The problem is that I am getting 4625's for different Logon Types. I really want to focus on figuring out if someone is trying to brute force attack a password, so from this list I found:

    1 – Interactive

    Console logons basically.

    2 – Network

    This logon happens when you're accessing file shares using SMB for example.

    3 – Batch

    This is used for scheduled tasks.

    4 – Service

    This is used for services and service accounts that log on to start a service.

    5 – Unlock

    This is used whenever a user unlocks their machine.

    6 – Network Cleartext

    This is used when logging on over the network - when the password is sent in clear text (should happen to you!)

    7 – New Credentials

    This is used when you run an application using the RunAs command.

    8 – Remote Interactive

    This is used for the RDP applications like Terminal Services or Remote Assistance.

    9 – Cached Interactive

    This is logged when users log on using cached credentials.

    So given this, for starters I want to ignore Type 3 and Type 4... Here is the rub... When you look at the event inside Kaseya, it looks pretty normal:

    But when you look at it in an email, it looks like there is a hidden tab in there:

    So how in the world do I create an ignore event? I tried playing with different options inside of the Alarm Summary filter using *Logon Type:*4* as the filter, but that didn't bring me back the results I was looking for. My guess is *4* is too generic.

    How do you guys do this?

    Thanks in advance!

    fixed spacing
    [edited by: Chris Amori at 7:40 PM (GMT -7) on Oct 2, 2018]
  • We have accounts set to lock (require admin to unlock) if there are excessive logon attempts.  Kaseya then monitors for the lock (and unlock) event in the log to send an emergency alert to us.  That way, if there is a brute force attack, the client is protected by the lock and we are alerted to see if it is a user issue or an attack.

  • We would use our ticket processing engine to read this at the alert level, but what you're doing is at the Windows Event level. Find the event and copy/paste the text from there. You can't filter event log events using Kaseya alarm or email content!
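The filtering problem raised in the first post, as an added example that is not part of this thread or of Kaseya: it parses the message text of 4625 events, matches the whole "Logon Type:" line regardless of the hidden tabs so the value "4" cannot match inside "14" or another field, drops the logon types you choose to ignore, and applies the poster's 10-in-30-minutes threshold per source address. The event bodies and addresses are constructed samples; the ignore set is whatever you pass in.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Match the entire "Logon Type:" line, whatever whitespace (including the hidden
# tabs seen in the e-mailed alert) sits between label and value.
LOGON_TYPE_RE = re.compile(r"^\s*Logon Type:\s*(\d+)\s*$", re.MULTILINE)
SOURCE_RE = re.compile(r"^\s*Source Network Address:\s*(\S+)\s*$", re.MULTILINE)


def logon_type(message):
    """Numeric logon type from a 4625 message body, or None if absent."""
    m = LOGON_TYPE_RE.search(message)
    return int(m.group(1)) if m else None


def source_address(message):
    m = SOURCE_RE.search(message)
    return m.group(1) if m else "-"


def find_bruteforce(events, ignore_types, threshold=10, window=timedelta(minutes=30)):
    """events: iterable of (timestamp 'YYYY-MM-DD HH:MM:SS', message).
    Returns the set of source addresses that produced `threshold` or more
    non-ignored 4625 events within any `window`-long span."""
    recent = defaultdict(deque)  # source -> timestamps inside the window
    flagged = set()
    for ts, msg in sorted(events):
        lt = logon_type(msg)
        if lt is None or lt in ignore_types:
            continue
        when = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
        src = source_address(msg)
        q = recent[src]
        q.append(when)
        while q and when - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            flagged.add(src)
    return flagged


def sample_4625(lt, source):
    """Constructed message body mimicking the field layout of a real 4625."""
    return ("An account failed to log on.\n\nLogon Type:\t\t\t%d\n\n"
            "Network Information:\n\tSource Network Address:\t%s\n" % (lt, source))


# Constructed sample: Windows' own codes are 3 network, 4 batch, 5 service, 10 RDP.
SAMPLE_EVENTS = (
    [("2018-10-02 19:%02d:00" % m, sample_4625(10, "10.0.0.5")) for m in range(0, 24, 2)]  # 12 RDP failures in 22 min
    + [("2018-10-02 19:%02d:30" % m, sample_4625(4, "10.0.0.9")) for m in range(0, 24, 2)]  # 12 batch failures
    + [("2018-10-02 19:%02d:15" % m, sample_4625(2, "10.0.0.7")) for m in range(0, 6, 2)]  # 3 console failures
)
```

Feeding it the text copied from the event (as the last reply suggests) rather than the alert body avoids the tab-mangling entirely; `find_bruteforce(SAMPLE_EVENTS, {4, 5})` flags only 10.0.0.5.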