Configure LEM to monitor Windows domain controllers for brute force hacking attempts

Updated: September 15, 2017

Monitor your Windows domain controllers using the SolarWinds LEM Agent. After you install and configure the Agent, it tracks "brute force" and other hacking attempts against your domain controllers and reports all events to the LEM Manager.

These events include:

  • Unauthorized access to your administrative accounts
  • Failed logon attempts
  • Account lockouts
  • User and group modification
  • Change management events

Install the SolarWinds LEM Agent on all domain controllers to ensure the LEM Manager captures all of your domain events (even if they are not replicated across all domain controllers).

You can view the events in the LEM console using the change management filter and create custom filters to report all activity on your domain controllers.

Install and configure the LEM Agent

When you install the LEM Agent, you can also install USB Defender. This application works with the LEM Agent to provide real-time notification when a USB drive is plugged into your domain controller server. By default, USB Defender generates events for USB mass storage devices attached to the systems running your LEM Agents.

To improve security logging, Microsoft changed how the operating system records security events starting with Windows Vista and Windows Server 2008. As a result, SolarWinds LEM Agents on systems running Windows Server 2008, Windows Vista, or Windows 7 require different connectors than Agents running on legacy Windows operating systems.

If you are running both newer and legacy Windows operating systems in your environment, create a connector profile for each operating system.

For LEM Agent software and hardware requirements, see "LEM system requirements" in the LEM Installation Guide.

Install a LEM Agent on a single Windows domain controller

The LEM Agent is installed on your system and begins sending events to your LEM Manager and LEM console.

The LEM Agent continues running on your system until you uninstall the software or manually stop the LEM Agent service.

  1. Download the SolarWinds LEM Agent installer for Windows from the SolarWinds Customer Portal.

  2. Extract the ZIP file contents to a local or network directory.

  3. Run Setup.exe.

  4. Click Next to start the installation wizard.

  5. Accept the End User License Agreement if you agree, and click Next.

  6. Enter the host name of your LEM Manager in the Manager Name field, and click Next.

    Do not change the default port values.

  7. Confirm the Manager Communication settings and click Next.

  8. (Optional) Select the Install USB Defender check box to install USB Defender with the LEM Agent.

  9. Confirm the settings on the pre-installation summary, and click Install.

  10. When the installation is complete, click Next to start the LEM Agent service.

  11. Inspect the Agent log for any errors, and click Next.

  12. Click Done to exit the installer.

Configure additional connectors on your LEM Agent

  1. Open the LEM console. See Log in to the LEM web console or Log in to the LEM desktop console for steps.

    Log on as an administrator or auditor.

  2. Click Manage, and then click Nodes.

  3. Locate the LEM Agent in the list.

    Use the Refine Results pane, if needed.

  4. Click the gear icon next to the LEM Agent and select Connectors.

  5. Locate and select the connector you want to configure.

  6. Click the gear icon next to the connector, and select New.

  7. Modify the connector (if required), and click Save.

  8. Click the gear icon next to the new connector instance (indicated by an icon in the Status column), and select Start.

  9. Click Close to close the Connector Configuration window.

  10. Configure the following connectors that apply to your installation on your Windows domain controllers:
    • Windows Directory Service Log
    • Windows DNS Server Log
    • Windows DHCP Server version

Maintain and monitor multiple domain controller Agents

Connector Profiles help you maintain and monitor multiple domain controllers in your LEM console. You can use these profiles to configure and modify connector settings at the profile level, as well as provide a group you can use to filter incoming event traffic from your LEM Agents to your LEM console.

Create a connector profile based on a single SolarWinds LEM Agent

Follow this procedure to create a connector profile based on a single LEM Agent and a corresponding filter to monitor activity on all systems in the profile.

  1. Install the LEM Agent software on all systems you want to include in your new connector profile.

  2. Configure a single LEM Agent to serve as the template for your connector profile.

  3. In the LEM console, select the Build tab, and click Groups.

  4. Click the plus icon and select Connector Profile.

  5. Enter a profile name and description.

  6. Select the new LEM Agent from the Template list, and click Save.

  7. Locate your new connector profile in the Groups list.

    Use the Refine Results pane if needed.

  8. Click the gear icon next to your connector profile and select Edit.

  9. In the Available Agents pane, locate the SolarWinds LEM Agents you want to add to your connector profile.

  10. Click the arrow next to each LEM Agent you want to add to the Contained Agents pane.

  11. When completed, click Save.

Create a filter for all activity in a Connector Profile

  1. Open the LEM console. See Log in to the LEM web console or Log in to the LEM desktop console for steps.

    Log on as an administrator or auditor.

  2. Click Monitor.

  3. Click the plus icon on the Filters pane and select New Filter.

  4. Enter a Name and Description for the filter.

  5. Click Event Groups in the Filter Creation list.

  6. Click Any Alert.

  7. In the Fields: Any Alert list, click and drag DetectionIP into the Conditions box.

  8. Click Connector Profiles in the Filter Creation list.

  9. Click and drag your connector profile into the Conditions box, replacing the Text Constant field denoted by a pencil icon.

  10. Click Save.

Clone and enable the Critical Logon Failures rule

Clone and enable the Critical Account Logon Failures rule to track failed logon attempts to the default Windows Administrator account. The default action for this rule is to generate a HostIncident event, which you can use in conjunction with the Incidents report to notify auditors you are auditing the critical events on your network.

  1. Open the LEM console. See Log in to the LEM web console or Log in to the LEM desktop console for steps.

    Log on as an administrator or auditor.

  2. Click the Build tab and select Rules.

  3. Enter Critical Account Logon Failures in the Refine Results pane search box.

  4. Click the gear icon next to the rule and select Clone.

  5. Select the folder where you want to save the cloned rule, and click OK.

  6. Select Enable in the Rule Creation window, and click Save.

  7. On the main Rules screen, click Activate Rules.

    The rule is enabled.
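To make concrete what a logon-failure rule like the one cloned above has to decide, here is an added example of the detection logic, written for this article and not taken from LEM or its rule engine. It runs over constructed sample records shaped like Windows Security events (4625 = failed logon, 4740 = account lockout); the threshold, window and watched-account list are assumptions you would tune to your environment.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records in the shape of Windows Security log events
# (4625 = failed logon, 4740 = account lockout). Not LEM output.
SAMPLE_EVENTS = [
    {"time": "2017-09-15T10:00:01", "id": 4625, "user": "Administrator", "src": "10.0.0.55"},
    {"time": "2017-09-15T10:00:04", "id": 4625, "user": "Administrator", "src": "10.0.0.55"},
    {"time": "2017-09-15T10:00:09", "id": 4625, "user": "Administrator", "src": "10.0.0.55"},
    {"time": "2017-09-15T10:00:15", "id": 4625, "user": "Administrator", "src": "10.0.0.55"},
    {"time": "2017-09-15T10:00:20", "id": 4625, "user": "Administrator", "src": "10.0.0.55"},
    {"time": "2017-09-15T10:01:00", "id": 4625, "user": "jsmith", "src": "10.0.0.21"},
    {"time": "2017-09-15T10:30:00", "id": 4625, "user": "Administrator", "src": "10.0.0.77"},
    {"time": "2017-09-15T10:45:00", "id": 4740, "user": "jsmith", "src": "10.0.0.21"},
]


def find_logon_failure_incidents(events, threshold=5, window=timedelta(minutes=5),
                                 watched=("Administrator",)):
    """Return one HostIncident-style record per (account, source) whose failed
    logons against a watched account reach `threshold` inside a sliding `window`."""
    failures = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["id"] == 4625 and ev["user"] in watched:
            failures[(ev["user"], ev["src"])].append(datetime.fromisoformat(ev["time"]))
    incidents = []
    for (user, src), times in failures.items():
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:   # slide the window forward
                start += 1
            if end - start + 1 >= threshold:
                incidents.append({"user": user, "src": src, "count": end - start + 1,
                                  "first": times[start].isoformat(), "last": t.isoformat()})
                break                            # one incident per (account, source)
    return incidents


def lockouts(events):
    """Map each account locked out (event 4740) to the number of lockouts seen."""
    counts = defaultdict(int)
    for ev in events:
        if ev["id"] == 4740:
            counts[ev["user"]] += 1
    return dict(counts)


if __name__ == "__main__":
    for inc in find_logon_failure_incidents(SAMPLE_EVENTS):
        print("HostIncident:", inc)
    print("Lockouts:", lockouts(SAMPLE_EVENTS))
```

On the sample data the five Administrator failures from 10.0.0.55 within 19 seconds produce one incident, while the single failure from 10.0.0.77 and the non-watched jsmith failures do not.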

Tune Windows Logging for LEM implementation

After you install and configure your LEM Agents, optimize your LEM deployment by tuning your Windows operating system to log the specific events you want to see in your LEM console and store in your LEM database. Set your group and local policies according to your environment requirements. See Configure Windows audit policy for use with LEM for more information.
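As an added example (not part of this article or of LEM), the following checks whether a domain controller's audit policy actually produces the event types listed at the top of this page, by parsing a constructed sample of `auditpol /get /category:*` output and emitting the `auditpol /set` commands that would close each gap. The REQUIRED table is an assumed minimum, not a SolarWinds recommendation; adjust it to your own environment.

```python
import re

# Constructed sample of `auditpol /get /category:*` output; not captured from
# a real domain controller, but laid out the way the tool prints it.
SAMPLE_AUDITPOL = """System audit policy
Category/Subcategory                      Setting
Logon/Logoff
  Logon                                   Success
Account Logon
  Credential Validation                   Success
  Kerberos Authentication Service         Success and Failure
Account Management
  User Account Management                 Success and Failure
  Security Group Management               No Auditing
"""

# Assumed minimum audit settings behind the event types the page lists.
REQUIRED = {
    "Logon": {"Failure"},                                # 4625 failed logons
    "Credential Validation": {"Failure"},                # 4776 NTLM failures
    "Kerberos Authentication Service": {"Failure"},      # 4771 pre-auth failures
    "User Account Management": {"Success", "Failure"},   # 4720, 4740 and similar
    "Security Group Management": {"Success", "Failure"}, # 4728, 4732 and similar
}


def parse_auditpol(text):
    """Return {subcategory: {'Success', 'Failure'}} from auditpol /get output."""
    policy = {}
    for line in text.splitlines():
        if not line.startswith("  "):
            continue  # banner and category header lines are not indented
        parts = re.split(r"\s{2,}", line.strip(), maxsplit=1)
        if len(parts) != 2:
            continue
        name, setting = parts
        policy[name] = set() if setting == "No Auditing" else set(setting.split(" and "))
    return policy


def audit_gaps(policy, required=REQUIRED):
    """Return {subcategory: missing settings} for every requirement not met."""
    return {sub: need - policy.get(sub, set())
            for sub, need in required.items() if need - policy.get(sub, set())}


def remediation_commands(gaps):
    """Build the auditpol /set commands that close each gap."""
    cmds = []
    for sub, missing in sorted(gaps.items()):
        flags = " ".join(f"/{m.lower()}:enable" for m in sorted(missing))
        cmds.append(f'auditpol /set /subcategory:"{sub}" {flags}')
    return cmds
```

Run the real `auditpol /get /category:*` on a domain controller and feed its output to `parse_auditpol` to get the same report for your environment; in a domain, apply the resulting settings through Group Policy rather than ad hoc on each server.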
