We have 100 windows server and i have a common windows User ID where i can login all the 100 servers ,is there anyway can i get a alert whenever a logon fails with any server. Any suggestion whether it can be done?
the ntevl probe monitors the Windows event logs. The login failure will be recorded there. You just need a profile to pick it up.
I believe this is done to the security event log and so ntevl can be used as Garin has mentioned.
I do know there was a reported issue with monitoring security logs on very busy domain controllers so this should be tested for possible impact to performance.
I thought of doing with windows events logs only ,but it may cause performance issue .Any suggestions apart from this
I do not know of any other location windows records this information.
Might check with MS if this can be logged to an external file
or centralized in some way for easier monitoring.
The recent versions of the ntevl probe have both a polling and an event driven access to the logs. I don't know how long ago the complaint was made about performance but for large Windows event logs, there is a night and day difference in performance between the polling and event access methods.
I'd suggest trying the event configuration to see. I have systems with very large volumes of event logs occurring and had problems with the polling configuration. Changing to event eliminated those performance issues.
Thanks Grain and Gene !! I will try