Forum Discussion

Rosario_Gambard's avatar
Rosario_Gambard
3 years ago

Pulling AD Lockout Alerts via PowerShell Script in LM

Greetings,

We are transitioning from SolarWinds to LM.  In SolarWinds via Application monitoring we were running a PowerShell script that generated alerts on locked out Service Accounts from a specific OU.  I initially created an Event Source to alert on Security Event ID 4740 with a corresponding Alert rule but it alerts me on all accounts.  I have the PS script that if ran solo will pull the information I'm looking for but I would like to integrate it into LM Alerting and not to sure how to.  We are fairly new to the product.  Any Help would be appreciated.

5 Replies

Sort By
  • Anonymous's avatar
    Anonymous
    3 years ago

    Welcome to LM!

    You're on the right track with the EventSource, but you'll want to make it a scripted EventSource. Normally, this would be done in Groovy, but you can do it in any language, provided the Collector can execute it from the command line. More information here and here. Essentially, you will need to modify your script to match the output format that LogicMonitor expects. That part should be pretty trivial.

    When building the EventSource, you'll need to choose the "Script Event" Type and select "Upload Script file". You'll upload your script to LM, which will cause it to be pushed to any collector executing this task. The "Windows Script" field will point to powershell.exe (use the full path). Your uploaded script will be found in the lib subdirectory of the LogicMonitor program directory. So in the "Parameters" field, you'll point to your script (i.e. "C:\Program Files\logicmonitor\lib\adlockout.ps1". When the task is run, the two are concatenated onto the command line. Command calls powershell who runs the PS1 script.  As long as your output syntax is correct, it should generate one alert for each entry in your output.

  • Rosario_Gambard's avatar
    Rosario_Gambard
    3 years ago
    23 hours ago, Stuart Weenig said:

    Welcome to LM!

    You're on the right track with the EventSource, but you'll want to make it a scripted EventSource. Normally, this would be done in Groovy, but you can do it in any language, provided the Collector can execute it from the command line. More information here and here. Essentially, you will need to modify your script to match the output format that LogicMonitor expects. That part should be pretty trivial.

    When building the EventSource, you'll need to choose the "Script Event" Type and select "Upload Script file". You'll upload your script to LM, which will cause it to be pushed to any collector executing this task. The "Windows Script" field will point to powershell.exe (use the full path). Your uploaded script will be found in the lib subdirectory of the LogicMonitor program directory. So in the "Parameters" field, you'll point to your script (i.e. "C:\Program Files\logicmonitor\lib\adlockout.ps1". When the task is run, the two are concatenated onto the command line. Command calls powershell who runs the PS1 script.  As long as your output syntax is correct, it should generate one alert for each entry in your output.

    Thank you for your response Stuart.  So when I go to EventSource and click add, I don't see the option "Script Event".  Am I looking in the wrong spot?

  • Rosario_Gambard's avatar
    Rosario_Gambard
    3 years ago
    3 minutes ago, Rosario Gambardella said:

    Thank you for your response Stuart.  So when I go to EventSource and click add, I don't see the option "Script Event".  Am I looking in the wrong spot?

    Never mind found it.  I should try to read the KB.  Thanks

     

  • Rosario_Gambard's avatar
    Rosario_Gambard
    3 years ago
    4 hours ago, Rosario Gambardella said:

    Never mind found it.  I should try to read the KB.  Thanks

     

    Does the script output get inserted into the Powershell script on the last line?  I'm using the example in the Knowledge Base  

    {"events":[{"happenedOn":"Thu Jan 21 14:25:00 PST 2016","severity":"Warn","message":"This is the message of the event","source":"Custom"}]}
  • Anonymous's avatar
    Anonymous
    3 years ago

    When using "script" as the method, you provide the powershell script and make sure that your script outputs to stdout (through "Write-Content" or any of a couple other methods). So, your PS script will run on the collector, connect to whatever resource where you would normally run it, run the script, gather the results, format it as json, and output it to the "screen" (the stdout pipe). LM watches the stdout stream and any properly formatted json will result in event(s) being created.  I'm not a PS guy, but i believe there are native cmdlets that let you take data and convert it to json.

    Notice that in the json, the "events" object is followed directly by a [. This means that the json can contain a list of events. So, if your script would normally pick up on 4 things that need to be turned into alerts, it might look like this: 

    {
  "events": [
    {
      "happenedOn": "Thu Jan 21 14:25:00 PST 2016",
      "message": "This is the message of the event",
      "severity": "Warn",
      "source": "Custom"
    },
    {
      "happenedOn": "Thu Jan 21 14:26:00 PST 2016",
      "message": "This is the message of the 2nd event",
      "severity": "Warn",
      "source": "Custom"
    },
    {
      "happenedOn": "Thu Jan 21 14:27:00 PST 2016",
      "message": "This is the message of the 3rd event",
      "severity": "Warn",
      "source": "Custom"
    },
    {
      "happenedOn": "Thu Jan 21 14:28:00 PST 2016",
      "message": "This is the message of the 4th event",
      "severity": "Warn",
      "source": "Custom"
    }
  ]
}