9 replies to this topic

[acatic]

My ALE (v4.1.417.0 running on Server 2012 R2) does not send email alerts for lockouts that happen on Windows machines.  In the 'ALEService' log file, it generates "Failed to resolve sid by dc SERVERNAME". 

 

Four internal DCs are monitored (3 are 2012 R2, 1 is 2008 R2), and they all show Connection as 'OK'.  Also, ALE detects the lockouts, and processes unlocks.  It just doesn't email the notifications for Windows-based lockouts.

 

It does send notifications when a user locks out on a non-domain device via RADIUS.

 

The timing of this coincided with my Netwrix service account being put into a 'Deny Local Logon' policy, while still retaining domain admin permissions.

 

I had since reverted that change, but still no notifications. 

 

SMTP is fine; ALE is running on the SMTP server itself, and uses the same SMTP settings as Auditor, installed on same machine. 

 

Thanks for any assistance in getting my helpful notifications back. 

[jeffb]

Hello,

 

Could you go to www.netwrix.com/upload and upload the ALEService.log file referenced above?  In the body of the message for upload just put ATTN: ALE Forums.  Thanks!

 

-Jeff

[acatic]

Flies uploaded now, thank you!  (Sorry, was on vac last week. )

[jeffb]

Sorry I don't see them but that upload service has changed quite a bit so it can be harder to find them now.

 

What is the domain name in the email address that uploaded the files?

 

-Jeff

[acatic]

niagaraparks.com

 

I can forward you the URL that hightail emailed me in its upload confirmation. 

 

Thanks for all efforts!

[acatic]

PS, is it possible to have email notifications of forum posts?

[jeffb]

You can follow the forum thread as seen at the top of this page:

 

http://prntscr.com/fp5qk5

 

By the way our alerts for our upload service are working now so just go ahead and re-upload and i will see them.

 

-Jeff

[acatic]

Oh dear.  Ok, I just got back to this.  Also, I now selected to 'Follow this topic'.  (I'm used to thread notifications being on by default at other forums, sorry.)

 

I've now uploaded a new file. 

 

VIEW FILES

 

I just deleted one aleservice.log this week as it reached 30GB.  I don't have a record of the original one that I uploaded.  The current one is only 840KB.  Let's see if it has what we need.

 

Thanks for all help!

[jeffb]

Is the server you have ALE on in the niagaraparks.nf domain?  Since there are multiple DCs that cannot be resolved, this is indicative of a lack of a 2 way trust between 2 domains or a dns issue.

 

-Jeff

[acatic]

Single domain here, and that server is on it.  The server also acts as our central internal SMTP server.  ALE shows all four of our domain controllers with a green checkmark.  Thoughts?

 

Thanks for all efforts and insight!