Esta regra recolhe eventos do relatório de Falhas de Autenticação de Conta do Computador do AD. Os dados são gerados através da captura de eventos Netlogon do Registo do sistema com o ID de Evento 5805.
Esta regra está desativada por predefinição, já que tende a gerar muitos dados em ambientes de grande dimensão e existem muitas razões que explicam a falha de autenticação de uma conta de computador. Ignorar este alerta para iniciar a captura destes eventos.
Para mais informações, consulte:
Target | Microsoft.Windows.Server.2012.R2.AD.DomainControllerRole |
Category | EventCollection |
Enabled | False |
Event_ID | 5805 |
Event Source | NetLogon |
Alert Generate | False |
Remotable | True |
Event Log | System |
Comment | Mom2005ID='{2C6970E8-A83B-4329-9CD1-1081754CCC1D}';MOM2005GroupID= |
ID | Module Type | TypeId | RunAs |
---|---|---|---|
DS | DataSource | Microsoft.Windows.EventProvider | Default |
CollectEventData | WriteAction | Microsoft.SystemCenter.CollectEvent | Default |
CollectEventDataWarehouse | WriteAction | Microsoft.SystemCenter.DataWarehouse.PublishEventData | Default |
<Rule ID="Report_Collection___Machine_Account_Authentication_Failures_5_Rule" Comment="Mom2005ID='{2C6970E8-A83B-4329-9CD1-1081754CCC1D}';MOM2005GroupID=" Enabled="false" Target="AD2012R2Core!Microsoft.Windows.Server.2012.R2.AD.DomainControllerRole" ConfirmDelivery="true" Remotable="true" Priority="Normal" DiscardLevel="100">
<Category>EventCollection</Category>
<DataSources>
<DataSource ID="DS" TypeID="Windows!Microsoft.Windows.EventProvider">
<ComputerName>$Target/Host/Property[Type="Windows!Microsoft.Windows.Computer"]/NetworkName$</ComputerName>
<LogName>System</LogName>
<Expression>
<And>
<Expression>
<SimpleExpression>
<ValueExpression>
<XPathQuery>EventDisplayNumber</XPathQuery>
</ValueExpression>
<Operator>Equal</Operator>
<ValueExpression>
<Value>5805</Value>
</ValueExpression>
</SimpleExpression>
</Expression>
<Expression>
<SimpleExpression>
<ValueExpression>
<XPathQuery>PublisherName</XPathQuery>
</ValueExpression>
<Operator>Equal</Operator>
<ValueExpression>
<Value>NetLogon</Value>
</ValueExpression>
</SimpleExpression>
</Expression>
</And>
</Expression>
</DataSource>
</DataSources>
<WriteActions>
<WriteAction ID="CollectEventData" TypeID="SC!Microsoft.SystemCenter.CollectEvent"/>
<WriteAction ID="CollectEventDataWarehouse" TypeID="SCDW!Microsoft.SystemCenter.DataWarehouse.PublishEventData"/>
</WriteActions>
</Rule>