Account Lockout Examiner does not notify about account lockouts although Notifications are enabled.
An e-mail notification is sent only when an actual lockout security event is tracked.
There are two possible reasons why notifications typically are not sent – either lockout is not tracked, or there are some errors during sending of the notification.
To make sure that an actual lockout event is tracked, make sure that the lockout timestamp is correct. If it is not, then please refer to the following KB article https://kb.netwrix.com/2763
If the lockout timestamp is correct, then a notification should be sent.
First of all make sure all settings are correct:
- Go to File – Settings – Notifications
- Check mail server address and port.
- Your mailserver should accept anonymous SMTP connections. Test with telnet if it is possible to connect on the specified port.
- Make sure that there is no firewall or antivirus software blocking inbound and outbound connections
If all the settings are correct, then the easiest way to find out the error is to review the product log.
NOTE. If you have a valid support contract you can submit a support ticket and send the log to Netwrix Support.
By default it is located in C:Program Files (x86)NetWrixAccount Lockout ExaminerTracingALEService.log
Scroll to the very bottom and search for the “NOTIFICATIONS” text in the Up direction.
NOTE. Messages of Notification type are logged only in case an error occurred. If there are no such messages, than either there were no errors during notification sending, or the product did not try to send it at all – there were no lockout events tracked.
When you find the corresponding “NOTIFICATIONS” message, the error message is listed in the second line, for example:
System.Net.Mail.SmtpException: Failure sending mail. —> System.Net.WebException: Unable to connect to the remote server —> System.Net.Sockets.SocketException: A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond
at System.Net.Sockets.Socket.DoConnect(EndPoint endPointSnapshot, SocketAddress socketAddress)
at System.Net.ServicePoint.ConnectSocketInternal(Boolean connectFailure, Socket s4, Socket s6, Socket& socket, IPAddress& address, ConnectSocketState state, IAsyncResult asyncResult, Int32 timeout, Exception& exception)
— End of inner exception stack trace —