This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Community FAQ
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Failed login attempts grouped by computer

philb
Engaged Sweeper

‎05-24-2018 10:42 PM

Hey there,

I have found this report for failed login attempts and have it working. But what I would like to do is group it by computer and have a count on how many attempts per machine.
Ultimately what I am trying to do is create an alert when we have so many invalid logon attempts to any particular machine is a certain time frame. That’s why I need the report. I would like it to be Lansweeper based. Thanks for any help you can give. Please ask me questions if this doesn’t make sense. Here is the current report


Select Top 1000000 tblAssetCustom.State As [Active PC's],
tblAssets.AssetName,
tblNtlog.Eventcode,
tblNtlog.TimeGenerated As [When]
From tblAssets
Inner Join tblAssetCustom On tblAssets.AssetID = tblAssetCustom.AssetID
Inner Join tblNtlog On tblAssets.AssetID = tblNtlog.AssetID
Inner Join tblNtlogMessage On tblNtlogMessage.MessageID = tblNtlog.MessageID
Inner Join tblNtlogSource On tblNtlogSource.SourcenameID =
tblNtlog.SourcenameID
Where tblAssetCustom.State = 1 And tblNtlog.Eventcode = 4625
Order By [When] Desc
Labels:
0 Kudos
2 REPLIES 2
philb
Engaged Sweeper

‎05-29-2018 04:11 PM

Awesome, this is great. Thanks!!

SQL always kicks my butt.
0 Kudos
Esben_D
Lansweeper Employee
Lansweeper Employee

‎05-28-2018 04:39 PM

I would use something like the query below. It shows the amount of events scanned with the specified event ID in the last 7 days.

Select Top 1000000 tblAssets.AssetName,
  Count(tblNtlog.EventlogID) As NumberOfEvents,
  tblNtlog.Eventcode
From tblAssets
  Inner Join tblAssetCustom On tblAssets.AssetID = tblAssetCustom.AssetID
  Inner Join tblNtlog On tblAssets.AssetID = tblNtlog.AssetID
  Inner Join tblNtlogMessage On tblNtlogMessage.MessageID = tblNtlog.MessageID
  Inner Join tblNtlogSource On tblNtlogSource.SourcenameID =
    tblNtlog.SourcenameID
Where tblAssets.Lastseen > GetDate() - 7 And tblAssetCustom.State = 1
Group By tblAssets.AssetName,
  tblNtlog.Eventcode
Having tblNtlog.Eventcode = 4625

New to Lansweeper?

Try Lansweeper For Free

Experience Lansweeper with your own data.
Sign up now for a 14-day free trial.

Try Now