Lerky001
Engaged Sweeper II
Trying to create a report

For Invalid Login Attempts (Any users)

Could anyone advise a best way to achieve this report?
1 ACCEPTED SOLUTION
Nick_VDB
Champion Sweeper III
We have added a report below that can track specific events. We are not sure which event ID is exactly the one you want but we did find that the event 4625 is for an account that fails to log on. Do note that by default only error events are logged in the database. To get other events you have to enable the corresponding options in Configuration\Server Options in the 'Eventlog scanning' section. The event type is most likely 'Failure' as shown on the website. If this is the wrong event ID you can replace it by the correct one. We highlighted where the event ID is added.

Instructions for adding this report to your Lansweeper installation can be found here. If you are interested in building or modifying reports, we do recommend:
  • Reviewing some SQL tutorials, as the Lansweeper report builder is a standard SQL editor. If you know SQL, you know how to build Lansweeper reports as well. This seems like a good tutorial.
  • Making use of our database dictionary, which explains in great detail what each database table and field stores. More information on the dictionary can be found here.

Select Top 1000000 tblAssets.AssetID,
tblAssets.AssetName,
tblAssets.Lastseen,
tblNtlog.Eventcode,
tblNtlogSource.Sourcename,
tblNtlogMessage.Message,
tblNtlog.TimeGenerated
From tblAssets
Inner Join tblAssetCustom On tblAssets.AssetID = tblAssetCustom.AssetID
Inner Join tblNtlog On tblAssets.AssetID = tblNtlog.AssetID
Inner Join tblNtlogMessage On tblNtlogMessage.MessageID = tblNtlog.MessageID
Inner Join tblNtlogSource On tblNtlogSource.SourcenameID =
tblNtlog.SourcenameID
Where tblNtlog.Eventcode = 4625 And tblAssetCustom.State = 1
Order By tblNtlog.TimeGenerated Desc


7 REPLIES
simon_wilks
Engaged Sweeper
Loving this. Any idea how I just show "Source Network Address: x.x.x.x" in the message column output?

(thinking I can then add this to firewall...)
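
One way to show only the source address from the 4625 message and count failed logons per address, as an added example that is not part of the original thread or Lansweeper's own report. It assumes a SQL Server-backed Lansweeper database (for Cross Apply), English event text containing the label "Source Network Address:", and a Message column of a string type that CharIndex accepts; the aliases Lbl, T, Src, SourceAddress, FailedLogons, FirstSeen and LastSeen are made up for the example.

```sql
-- Added example (assumptions: SQL Server backend, English 4625 message text).
-- Extracts the value after "Source Network Address:" and groups failures by it.
Select Top 1000000 tblAssets.AssetID,
  tblAssets.AssetName,
  Src.SourceAddress,
  Count(*) As FailedLogons,
  Min(tblNtlog.TimeGenerated) As FirstSeen,
  Max(tblNtlog.TimeGenerated) As LastSeen
From tblAssets
  Inner Join tblAssetCustom On tblAssets.AssetID = tblAssetCustom.AssetID
  Inner Join tblNtlog On tblAssets.AssetID = tblNtlog.AssetID
  Inner Join tblNtlogMessage On tblNtlogMessage.MessageID = tblNtlog.MessageID
  -- Position of the label inside the message (0 when the label is absent).
  Cross Apply (Select CharIndex('Source Network Address:',
      tblNtlogMessage.Message) As Pos) As Lbl
  -- Text following the 23-character label; tabs and line breaks become
  -- spaces, and a trailing space guarantees a delimiter is always found.
  Cross Apply (Select LTrim(Replace(Replace(Replace(
      Substring(tblNtlogMessage.Message, Lbl.Pos + 23, 64),
      Char(9), ' '), Char(13), ' '), Char(10), ' ')) + ' ' As Tail) As T
  -- First whitespace-delimited token is the address ('-' for local logons).
  Cross Apply (Select Left(T.Tail, CharIndex(' ', T.Tail) - 1)
      As SourceAddress) As Src
Where tblNtlog.Eventcode = 4625 And tblAssetCustom.State = 1 And Lbl.Pos > 0
Group By tblAssets.AssetID,
  tblAssets.AssetName,
  Src.SourceAddress
Order By FailedLogons Desc
```

Review the addresses before acting on them: local and service logons typically report "-" or a loopback address, and internal hosts with stale credentials will also appear in the list.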
Lerky001
Engaged Sweeper II
Thank you for all your help :-
As it is going to be a number of machines can I put more than one

Where tblNtlog.Eventcode = 4625 And tblAssetCustom.State = 1
Order By tblNtlog.TimeGenerated Desc

Can I add more than one field e.g

Where tblNtlog.Eventcode = 4625 And tblAssetCustom.State = 1
Where tblNtlog.Eventcode = 4688 And tblAssetCustom.State = 1
Where tblNtlog.Eventcode = 4611 And tblAssetCustom.State = 1
Order By tblNtlog.TimeGenerated Desc

Many thanks
Lerky
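
A query can have only one Where clause, so several event IDs go into a single In list. This is an added example, not from the original thread: it reuses the tables of the accepted report, the EventLabel column and its label texts are added for illustration, and, per the accepted answer, events other than errors only show up if the matching 'Eventlog scanning' options are enabled.

```sql
-- Added example: one Where clause, several event IDs matched with In (...).
Select Top 1000000 tblAssets.AssetID,
  tblAssets.AssetName,
  tblAssets.Lastseen,
  tblNtlog.Eventcode,
  -- Illustrative labels so the mixed event types are readable in one report.
  Case tblNtlog.Eventcode
    When 4625 Then 'Account failed to log on'
    When 4688 Then 'New process created'
    When 4611 Then 'Trusted logon process registered'
  End As EventLabel,
  tblNtlogSource.Sourcename,
  tblNtlogMessage.Message,
  tblNtlog.TimeGenerated
From tblAssets
  Inner Join tblAssetCustom On tblAssets.AssetID = tblAssetCustom.AssetID
  Inner Join tblNtlog On tblAssets.AssetID = tblNtlog.AssetID
  Inner Join tblNtlogMessage On tblNtlogMessage.MessageID = tblNtlog.MessageID
  Inner Join tblNtlogSource On tblNtlogSource.SourcenameID =
    tblNtlog.SourcenameID
Where tblNtlog.Eventcode In (4625, 4688, 4611) And tblAssetCustom.State = 1
Order By tblNtlog.TimeGenerated Desc
```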
sullivane
Champion Sweeper III
Lerky, this WOULD be in Lansweeper, it would be a custom report as Nick suggested. Use the link I provided to find the event ID that logs attempts and fails and plug it into his report.
Lerky001
Engaged Sweeper II
Thank you very much for your help
Lerky001
Engaged Sweeper II
I really need this to be in Lansweeper rather than that solution if possible as this is to go a lot of machines etc.
sullivane
Champion Sweeper III
I would think you would have to do the report based on the event viewer entry.

This might help find the right event to look for: https://www.groovypost.com/howto/check-windows-logon-events-windows-8/