Pulling AD Lockout Alerts via PowerShell Script in LM

Question

Greetings,

We are transitioning from SolarWinds to LM.&nbsp; In SolarWinds via Application monitoring we were running a PowerShell script that generated alerts on locked out Service Accounts from a specific OU.&nbsp; I initially created an Event Source to alert on Security Event ID 4740 with a corresponding Alert rule but it alerts me on all accounts.&nbsp; I have the PS script that if ran solo will pull the information I'm looking for but I would like to integrate it into LM Alerting and not to sure how to.&nbsp; We are fairly new to the product.&nbsp; Any Help would be appreciated.

Answer

Welcome to LM!

You're on the right track with the EventSource, but you'll want to make it a scripted EventSource. Normally, this would be done in Groovy, but you can do it in any language, provided the Collector can execute it from the command line. More information here&nbsp;and here. Essentially, you will need to modify your script to match the output format that LogicMonitor expects. That part should be pretty trivial.

When building the EventSource, you'll need to choose the "Script Event" Type and select "Upload Script file". You'll upload your script to LM, which will cause it to be pushed to any collector executing this task. The "Windows Script" field will point to powershell.exe (use the full path). Your uploaded script will be found in the lib subdirectory of the LogicMonitor program directory. So in the "Parameters" field, you'll point to your script (i.e. "C:\Program Files\logicmonitor\lib\adlockout.ps1". When the task is run, the two are concatenated onto the command line. Command calls powershell who runs the PS1 script.&nbsp; As long as your output syntax is correct, it should generate one alert for each entry in your output.

rosario_gambard · Answer

23 hours ago, Stuart Weenig said:

Welcome to LM!

You're on the right track with the EventSource, but you'll want to make it a scripted EventSource. Normally, this would be done in Groovy, but you can do it in any language, provided the Collector can execute it from the command line. More information here&nbsp;and here. Essentially, you will need to modify your script to match the output format that LogicMonitor expects. That part should be pretty trivial.

When building the EventSource, you'll need to choose the "Script Event" Type and select "Upload Script file". You'll upload your script to LM, which will cause it to be pushed to any collector executing this task. The "Windows Script" field will point to powershell.exe (use the full path). Your uploaded script will be found in the lib subdirectory of the LogicMonitor program directory. So in the "Parameters" field, you'll point to your script (i.e. "C:\Program Files\logicmonitor\lib\adlockout.ps1". When the task is run, the two are concatenated onto the command line. Command calls powershell who runs the PS1 script.&nbsp; As long as your output syntax is correct, it should generate one alert for each entry in your output.

Thank you for your response Stuart.&nbsp; So when I go to EventSource and click add, I don't see the option "Script Event".&nbsp; Am I looking in the wrong spot?

rosario_gambard · Answer

3 minutes ago, Rosario Gambardella said:

Thank you for your response Stuart.&nbsp; So when I go to EventSource and click add, I don't see the option "Script Event".&nbsp; Am I looking in the wrong spot?

Never mind found it.&nbsp; I should try to read the KB.&nbsp; Thanks

&nbsp;

rosario_gambard · Answer

4 hours ago, Rosario Gambardella said:

Never mind found it.&nbsp; I should try to read the KB.&nbsp; Thanks

&nbsp;

Does the script output get inserted into the Powershell script on the last line?&nbsp; I'm using the example in the Knowledge Base&nbsp;

{"events":[{"happenedOn":"Thu Jan 21 14:25:00 PST 2016","severity":"Warn","message":"This is the message of the event","source":"Custom"}]}

Answer

When using "script" as the method, you provide the powershell script and make sure that your script outputs to stdout (through "Write-Content" or any of a couple other methods). So, your PS script will run on the collector, connect to whatever resource where you would normally run it, run the script, gather the results, format it as json, and output it to the "screen" (the stdout pipe). LM watches the stdout stream and any properly formatted json will result in event(s) being created.&nbsp; I'm not a PS guy, but i believe there are native cmdlets that let you take data and convert it to json.

Notice that in the json, the "events" object is followed directly by a [. This means that the json can contain a list of events. So, if your script would normally pick up on 4 things that need to be turned into alerts, it might look like this:

{
  "events": [
    {
      "happenedOn": "Thu Jan 21 14:25:00 PST 2016",
      "message": "This is the message of the event",
      "severity": "Warn",
      "source": "Custom"
    },
    {
      "happenedOn": "Thu Jan 21 14:26:00 PST 2016",
      "message": "This is the message of the 2nd event",
      "severity": "Warn",
      "source": "Custom"
    },
    {
      "happenedOn": "Thu Jan 21 14:27:00 PST 2016",
      "message": "This is the message of the 3rd event",
      "severity": "Warn",
      "source": "Custom"
    },
    {
      "happenedOn": "Thu Jan 21 14:28:00 PST 2016",
      "message": "This is the message of the 4th event",
      "severity": "Warn",
      "source": "Custom"
    }
  ]
}

&nbsp;

Forum Discussion

Pulling AD Lockout Alerts via PowerShell Script in LM

Related Content

Batch PowerShell Script

DataSource with PowerShell script

Pulling all certificates from internal CA

Pulling SSL certs from a local Certificate store

pull csv report via rest api

Recent Discussions

Dashboard updates

Non-Administrator Users Unable To Manage Resource Threshold

CIM vs. WMI as native 'Source type

Ideas for devices generating a lot of alerts

complex Datapoint that shows max Value