Monitor unlimited number of servers
Filter log events
Create email and web-based reports

Direct access to Microsoft articles
Customized keywords for major search engines
Access to premium content

Event ID: 14065 Source: MicrosoftISAServerControl

Level
Description
Alert Service: One or more of the actions associated with alert Intrusion detected has failed. Failure are linked to configuration settings. The mail server may be down, or the specified command may not exist. Check the Event Viewer for related errors and fix them accordingly.
Comments
 
This event might occur if the Internet Security and Acceleration (ISA) Server 2000-based computer is not configured to permit the sending of the e-mail message or the SMTP server where you send the message does not allow relaying from your domain, or has an anti-spamming program installed that prevents the receipt of the e-mail message. See ME293310 to resolve this problem.
This event can also occur during a server startup/shutdown sequence if any ISA Alert actions are configured to send email (See ISA Management MMC\Servers & Arrays\<server name>\Monitoring Configuration\Alerts).
During startup/shutdown, if the SMTP server specified in an “ISA Alert Actions” tab (or another dependent service) is unavailable when an ISA Alert fires, no email message can be sent and thus the Alert Action fails, triggering the "Alert Action failure" alert to fire.
Event 14065 is especially likely to occur on machines where the ISA Server and the SMTP server reside on the same machine, because various services start/stop in various orders, possibly breaking dependencies between themselves, causing ISA alerts to fire.
Example: you have the "Service shutdown" alert configured to fire when ISA services stop, and the alert is configured to send email when the alert fires. You also have the "Alert action failure" alert configured to fire when an alert action fails. During a normal shut down sequence, the "Service shutdown" alert will fire and send an email, but if the SMTP service has shut down first, then no mail can be sent and so the "Alert action failure" alert therefore fires, logging 14065 in the Application Event Log.
In this case, the event can safely be ignored; further, it may be possible to author service dependencies such that services shut down in a prescribed order, but that would be a lot of work for questionable gain.
For a newsgroup post: "I have installed the "Blockattacker" script from ISA Tools but it generates an error when I run it, actually 3 errors: 15102, 11005, and 14065. I just fixed this problem. First off, the ".vbs" script should be run under the local system account. Next, you have 2 choices:
1. Place double quotes around the folder path to the script in the intrusion detected alert or,
2. Place the ".vbs" script should be in a folder path that doesn't have any spaces.
If you notice from the second error message, it is trying to execute a dos command pointing to a folder path with spaces. This will not work in dos without quotes surrounding the entire path. It took me a while to figure this out. The script works like a champ though now".

Windows Event Log Analysis Splunk App

Build a great reporting interface using Splunk, one of the leaders in the Security Information and Event Management (SIEM) field, linking the collected Windows events to www.eventid.net.

Read more...

 

Cisco ASA Log Analyzer Splunk App

Obtain enhanced visibility into Cisco ASA firewall logs using the free Firegen for Cisco ASA Splunk App. Take advantage of dashboards built to optimize the threat analysis process.

Read more...