Access Denied: Creating Multiple Event Viewer Views

I'd like to check my domain controllers (DCs) every day for failed attempts to log on to the DC (failed events in the Logon/Logoff category), failed authentication attempts throughout the domain (event IDs 675 and 681), and account lockouts (event ID 644). The filtering feature of the Event Viewer (eventvwr.exe) lets me display only one event type at a time, and changing the view three times a day becomes onerous. Do you know of a better way?

Yes. The Eventvwr tool lets you create multiple views of each log you open. You can customize the filter criteria for each view, then save your settings in a Microsoft Management Console (MMC) console, which will recreate all the views and filter criteria each time you reopen it.

First, create a new MMC console. Select Console, Add/Remove Snap-in, then click Add to open the Add Standalone Snap-in window. Select Event Viewer from the Available Standalone Snap-ins list, and click Add to open the Select Computer window. Select Another Computer and enter the name of your first DC. Click Finish.

Repeat the process to add additional instances of the Event Viewer snap-in to the console for each of your DCs. Click Close in the Add Standalone Snap-in window, and click OK in the Add/Remove Snap-in window. In the tree pane of the main console window, double-click the first instance of Event Viewer, right-click Security, and select New Log View to create another view of the Security log called Security (2), as Figure 1 shows. Right-click Security (2), select Rename, and enter Failed Kerberos Pre-Authentication. Right-click Failed Kerberos Pre-Authentication, select View\Filter, enter 675 in the Event ID field, and click OK.

Next, create another Security log view called Failed NTLM Authentication and filter it for event ID 681. This time, configure the filter to limit event types to Failure audit, and set Event source to Security and Category to Logon/Logoff, as Figure 2 shows. Create one more view called Account Lockouts and filter it for event ID 644. Repeat the process for the other instances of Event Viewer so that you have the same views for each DC. Finally, click File, Save As and name your new console. By default, MMC saves new consoles to Administrative Tools on the Start menu. Now, you can simply open your console each morning and check the logs without having to change filters.
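The same three checks can be scripted instead of clicked through each morning. The following PowerShell is an added example, not part of the original column: it reads the last day of the Security log from each DC with Get-EventLog and splits it into the three views the column defines. The DC names are placeholders, and the event IDs 675, 681 and 644 are the Windows 2000/2003 Security log IDs the column uses; the equivalent IDs on Windows Server 2008 and later are 4771, 4776 and 4740. The account running it needs the right to read the Security log on each DC remotely.

```powershell
# Added example (not from the original column): a scripted alternative to the
# saved MMC console. Assumptions: 'DC1' and 'DC2' are placeholder names; the
# event IDs are the Windows 2000/2003 Security log IDs used in the column.

$DomainControllers = @('DC1', 'DC2')        # placeholders: replace with your DCs
$Since             = (Get-Date).AddDays(-1) # "each morning": look back 24 hours

# One entry per view from the column. EntryType is restricted only where the
# column restricts it (Failure audit on the NTLM view); the other two views
# match any entry type, as an unrestricted Event ID filter does.
$Views = @(
    @{ Name = 'Failed Kerberos Pre-Authentication'; EventId = 675; EntryType = $null }
    @{ Name = 'Failed NTLM Authentication';         EventId = 681; EntryType = 'FailureAudit' }
    @{ Name = 'Account Lockouts';                   EventId = 644; EntryType = $null }
)

foreach ($dc in $DomainControllers) {
    # Read the last day of the Security log once per DC, then carve it into views
    # locally rather than querying the DC three times.
    try {
        $log = Get-EventLog -ComputerName $dc -LogName Security -After $Since -ErrorAction Stop
    } catch {
        Write-Warning "Could not read the Security log on ${dc}: $($_.Exception.Message)"
        continue
    }

    foreach ($view in $Views) {
        # Filter on EventID (and EntryType where the view sets one).
        $hits = @($log | Where-Object {
            $_.EventID -eq $view.EventId -and
            ($null -eq $view.EntryType -or $_.EntryType -eq $view.EntryType)
        })

        Write-Host ("{0} - {1}: {2} event(s) since {3}" -f $dc, $view.Name, $hits.Count, $Since)

        # Show when each event fired and the first line of its message as a summary.
        $hits |
            Sort-Object TimeGenerated |
            Select-Object TimeGenerated, EventID, EntryType,
                          @{ Name = 'Summary'; Expression = { ($_.Message -split "`n")[0].Trim() } } |
            Format-Table -AutoSize
    }
}
```

Run it from a workstation that can reach all of the DCs, or schedule it and redirect the output to a file; a DC that cannot be reached is reported with a warning and skipped rather than stopping the whole check.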
