Attached the snapshot FYI
Microsoft-Windows-Security-Auditing (4625 - Account Lockout): An account failed to log on.Subject:Security ID:S-1-5-18Account Name:UAT1Test$Account Domain:DomainLogon ID:0x3E7Logon Type:3Account For Which Logon Failed:Security ID:S-1-0-0Account Name:Account Domain:Development:Failure Reason:Account locked out.Status:0xC0000234Sub Status:0x0Process Information:Caller Process ID:0x1814Caller Process Name:\Device\HarddiskVolume6\SSH Tectia\SSH Tectia AUX\Support binaries\ssh-servant-g3.exeNetwork Information:Workstation Name:UAT1Test
I want to split the message above and set the
EventID 4625 = Var1; Account Name: UAT1Test = Var2; Account Domain:Development = Var3 and Workstation Name:UAT1Test = Var4
If the alarm message meets the requirement "Var1&Var2&Var3&Var4", just send the email once. If the alarm still exists after 5 mins, send the email again.
Any idea? Thanks for your help!
It looks like this alarm is coming from the ntevl probe. If that is the case then the EventID is found in the already defined $event_id variable. To get the individual fields out of the $message, the best thing to do is the following:
1. On the Properties sub-tab of the Setup tab in the probe's Configure GUI, set the Description Delimiter to a unique character like the hash tag ( # ), then check the option "Remove Recurring Delimiter". This separates each part of this event's alarm message into separate "columns" each separated with the defined delimiter character. Using the example you posted in the problem description, the new $message would contain the following:
An account failed to log on.#Subject:#Security ID:S-1-5-18#Account Name:UAT1Test$#Account Domain:Domain#Logon ID:0x3E7#Logon Type:3#Account For Which Logon Failed:#Security ID:S-1-0-0#Account Name:#Account Domain:Development#Failure Reason:Account locked out.#Status:0xC0000234#Sub Status:0x0#Process Information:#Caller Process ID:0x1814#Caller Process Name:\Device\HarddiskVolume6\SSH Tectia\SSH Tectia AUX\Support binaries\ssh-servant-g3.exe#Network Information:#Workstation Name:UAT1Test#
2. From the Variables sub-tab for the profile on the Profiles tab, set the Field Separator to hash tag ( # ).
3. Then create new variables - one for each of the columns you want to include in the custom alarm - from the Variables sub-tab for the profile. To pull the account name, account domain, and workstation name from the message, create 3 variables. For example, for the Account Name variable in the Subject section, create a new variable called var1 and specify the following for this variable in the Variable settings dialogue: select the "Source Line" option and set the value to 1; select the "Column" option in the "Source FROM position" section and set this value to 4; select the "Ignore 'To'" option in the "Source TO Position" section; select OK to save the variable. Repeat this for the Domain and Workstation name columns.
4. After defining the variables, change the Alarm Message field on the Alarm/Post sub-tab for the profile to: $source ($event_id - Account lockout): $var1 $var2 $var3 where $var1, $var2, and $var3 are the names of the 3 variables that you created. They should show up in a drop-down list if you enter just a $ in the field.
5. Save the changes and restart the probe. Now when the event is captured by the probe, the new alarm message is as follows: Microsoft-Windows-Security-Auditing (4625 - Account lockout): Account Name:UAT1Test$ Domain:Development Workstation Name:UAT1Test
The disadvantage to this solution is that it will change the $message for all profiles and insert the hash tag in the $message variable. If you do not want to see the # character in your alarms for your other profiles, you will have to define variables for each profile and create a custom alarm using these variables for your other profiles, or come up with regex expressions to match the fields you want to extract from the message instead of using a unique delimiter character in the message.
With the ntevl probe, the alarm is never automatically cleared and will only "repeat" if the same event reoccurs in the monitored event log. The only way I can think of to check to see if the alarm is still active after 5 minutes is to define an on-interval Auto-Operator profile, but the disadvantage with that is that it will be applied to all active alarms every 5 minutes, which will add overhead to the nas if you have a large number of active alarms.
Hope this helps.
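To make the column extraction and the "email once, again after 5 minutes" rule concrete, here is an added example in Python; it is not code from the thread or from the ntevl/nas probes. It splits a constructed copy of the delimited 4625 description the same way the probe's Field Separator and 1-based Column settings do (column numbers 4, 11 and 19 are assumptions for this layout), builds the four variables, and applies a per-alarm throttle that resends only when the same alarm is still seen 5 minutes later.

```python
from datetime import datetime, timedelta

# Constructed sample: the thread's 4625 description after the probe's '#' description
# delimiter is applied, one column per line of the event text.
DELIMITED_MESSAGE = (
    "An account failed to log on.#Subject:#Security ID:S-1-5-18#Account Name:UAT1Test$#"
    "Account Domain:Domain#Logon ID:0x3E7#Logon Type:3#Account For Which Logon Failed:#"
    "Security ID:S-1-0-0#Account Name:#Account Domain:Development#"
    "Failure Reason:Account locked out.#Status:0xC0000234#Sub Status:0x0#"
    "Process Information:#Caller Process ID:0x1814#Caller Process Name:\\Device\\"
    "HarddiskVolume6\\SSH Tectia\\SSH Tectia AUX\\Support binaries\\ssh-servant-g3.exe#"
    "Network Information:#Workstation Name:UAT1Test#"
)
# 1-based column numbers, like the probe's "Column" setting, chosen for the layout above.
COLUMNS = {"var1": 4, "var2": 11, "var3": 19}

def extract_vars(message, event_id, delimiter="#"):
    """Event id plus the value part of each configured "label:value" column."""
    parts = message.split(delimiter)
    fields = {"event_id": event_id}
    for name, number in COLUMNS.items():
        cell = parts[number - 1] if 0 < number <= len(parts) else ""
        fields[name] = cell.partition(":")[2].strip()
    return fields

def matches_lockout(fields):
    """The poster's Var1&Var2&Var3&Var4 condition (the trailing $ marks a machine account)."""
    return (fields["event_id"] == 4625 and fields["var1"] == "UAT1Test$"
            and fields["var2"] == "Development" and fields["var3"] == "UAT1Test")

class EmailThrottle:
    """Send once per matching alarm, and again only if it is still seen 5 minutes later."""
    def __init__(self, interval=timedelta(minutes=5)):
        self.interval = interval
        self.last_sent = {}  # (event_id, var1, var2, var3) -> time of the last email

    def should_send(self, fields, now):
        if not matches_lockout(fields):
            return False
        key = (fields["event_id"], fields["var1"], fields["var2"], fields["var3"])
        last = self.last_sent.get(key)
        if last is not None and now - last < self.interval:
            return False
        self.last_sent[key] = now
        return True

def simulate(fields, minutes_seen):
    """Replay the alarm being seen at the given minute offsets; return the send decisions."""
    throttle, start = EmailThrottle(), datetime(2024, 1, 1, 12, 0)  # constructed clock
    return [throttle.should_send(fields, start + timedelta(minutes=m)) for m in minutes_seen]
```

In the probe the same keying would be done on $event_id plus the three variables; the throttle state is what an on-interval Auto-Operator profile would otherwise have to recompute for every active alarm.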