It is a little involved. Here is the basic outline; keep in mind it's been a while since I did this, so I might miss a step.
First you need to create the log file itself.
- Go to policy
- Click the settings tab
- On the left under 'Engines' find the 'File System Logging' section.
- Right click 'File System Logging' and click add.
I called mine FailedAuth.log for the file name. Mostly I took the default settings, with the exception of customizing my log rotation a little bit.
Now that you've got a log file, you need to trigger something to actually write to it. We do this from the Log Handler section under Rule Sets. Here I highly recommend copying another log handler. The language on the event to write out the log is pretty specific and a little confusing, so it's best to borrow where you can from already functioning rules.
- Right-click 'Default' at the top and click Add, Rule Set.
- This is where the magic happens: select your new ruleset and click Edit in the right-hand pane.
- Under Criteria, add that the property 'Authentication.FailureReason.ID' equals 3.
- Once that is done, find a rule to borrow; I used the one from the access denied log. Click it and use the Copy button to make a copy of it.
- Click on your ruleset and click Paste.
- Almost there; now we just need to edit the rule slightly. Highlight the rule and click Edit.
- Under step 4, 'Events', scroll all the way to the bottom. There should be an event there for 'FileSystemLogging.WriteLogEntry'. Double-click that.
- On the right-hand side of that window is a 'Settings' selection. You should be able to select the new log you created in the first set of steps from here.
Make sure everything is enabled and save changes. You should be good to go.
Hi John and others,
Here is the ruleset you seek:
The attached ruleset is a log ruleset which will allow you to monitor for failed authentication attempts. The resulting log will be created and will be accessible under Troubleshooting > Log Files > badpassword.log.
You can import the ruleset under Policy > Rulesets > Log Handler (bottom left), then select the "Default" log handler, click "Add" > Ruleset From Library, then "Import from File", and browse for the uncompressed ruleset XML attached.
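Once either of the rulesets above is writing failed authentications to its log file (FailedAuth.log or badpassword.log), the next thing most people want is to do something with it, such as spotting a single client burning through many usernames. The script below is an added example, not code from either post or from the product; it reads the log with a sliding time window per client IP and flags bursts. The line layout it parses is an assumption made up for this example (the real layout is whatever the copied WriteLogEntry rule emits, so adjust LINE_RE to match your settings), and the sample log lines are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import timedelta, datetime

# ASSUMED line layout for the custom failed-auth log (not the gateway's default; edit
# LINE_RE to match the log line your WriteLogEntry rule actually produces):
#   [dd/Mon/yyyy:HH:MM:SS +ZZZZ] "<username>" <client_ip> <Authentication.FailureReason.ID> "<url>"
LINE_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] "(?P<user>[^"]*)" (?P<ip>\S+) (?P<reason>\d+) "(?P<url>[^"]*)"$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample input: one client spraying several accounts within a minute, a second
# client with isolated failures, one malformed line, and one entry with a different reason ID.
SAMPLE_LOG = """\
[11/Mar/2024:09:15:02 +0000] "jdoe" 10.1.2.3 3 "http://intranet.example/"
[11/Mar/2024:09:15:04 +0000] "jdoe" 10.1.2.3 3 "http://intranet.example/"
[11/Mar/2024:09:15:07 +0000] "asmith" 10.1.2.3 3 "http://intranet.example/"
[11/Mar/2024:09:15:10 +0000] "bwong" 10.1.2.9 3 "http://intranet.example/"
[11/Mar/2024:09:15:11 +0000] "asmith" 10.1.2.3 3 "http://intranet.example/"
garbage line that does not match the layout
[11/Mar/2024:09:15:15 +0000] "root" 10.1.2.3 3 "http://intranet.example/"
[11/Mar/2024:09:15:18 +0000] "administrator" 10.1.2.3 3 "http://intranet.example/"
[11/Mar/2024:09:15:30 +0000] "bwong" 10.1.2.9 2 "http://intranet.example/"
[11/Mar/2024:09:20:00 +0000] "bwong" 10.1.2.9 3 "http://intranet.example/"
"""


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that don't match."""
    m = LINE_RE.match(line.rstrip("\n"))
    if not m:
        return None
    return {
        "ts": datetime.strptime(m.group("ts"), TS_FMT),
        "user": m.group("user"),
        "ip": m.group("ip"),
        "reason": int(m.group("reason")),
        "url": m.group("url"),
    }


def failed_auth_bursts(lines, threshold=5, window=timedelta(minutes=1), reason_id=3):
    """Flag client IPs that produce >= threshold failures (of the given reason ID)
    inside any sliding window of the given length. Lines are expected in time order,
    as they are in the log file. Returns {ip: {"peak": n, "users": [...]}} where
    "users" are the usernames seen in the window at its peak."""
    recent = defaultdict(deque)  # ip -> deque of (timestamp, user) inside the window
    flagged = {}
    for entry in map(parse_line, lines):
        if entry is None or entry["reason"] != reason_id:
            continue  # skip malformed lines and failures with other reason IDs
        q = recent[entry["ip"]]
        q.append((entry["ts"], entry["user"]))
        while q and entry["ts"] - q[0][0] > window:
            q.popleft()  # drop failures that fell out of the window
        if len(q) >= threshold and len(q) >= flagged.get(entry["ip"], {}).get("peak", 0):
            flagged[entry["ip"]] = {
                "peak": len(q),
                "users": sorted({u for _, u in q}),
            }
    return flagged


if __name__ == "__main__":
    for ip, info in failed_auth_bursts(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {info['peak']} failures within a minute, accounts tried: {info['users']}")
```

Run it against the real file with `failed_auth_bursts(open("/path/to/FailedAuth.log"))`. The window and threshold are deliberately parameters: a low threshold on a proxy that fronts many users behind one NAT address will flag the NAT gateway constantly, so key on username as well as IP, or raise the threshold, when that is your topology.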