Re: Audit Account Logon Events, Client IP address incorrect?

From: Lori (Lori_at_discussions.microsoft.com)
Date: 12/15/04


Date: Wed, 15 Dec 2004 05:57:05 -0800

Thanks Herb! Now I at least have an explanation for the "powers that be"
when they look at the logs.

Lori

"Herb Martin" wrote:

> "Lori" <Lori@discussions.microsoft.com> wrote in message
> news:40C60175-847A-47F1-A829-F486907C862C@microsoft.com...
> > Hi,
> >
> > We recently set up an audit policy to audit failed account logon events for
> > our domain controllers. If I look at the logs, I can see Event ID 675 for
> > the failed logons. However, when I look at the detail, the Client IP address
> > does not have the address of the client, but instead the IP of one of the
> > domain controllers (and often not even the closest DC). For example, I
> > deliberately entered a bad password to log onto a client at IP address
> > 192.168.22.126. The Security log on the local DC showed Event ID 675 for the
> > userID I used, but the Client IP address shows as 192.168.7.17 which is a DC
> > at a remote location.
> >
> > Can anyone help me understand why this is happening?
>
> Probably because historically logon might happen over
> any supported network protocol so these events never
> included the IP address (it might not even have been IP.)
>
> It is sort of silly these days, but it's one of those things
> (I believe) the developers know needs improving.
>
> When I have a bad logon attempt, I would much prefer
> to know the IP address of the offender -- if he's on my
> network I can find him with that but if he is NOT on
> my network I have no chance of finding him by NetBIOS
> name or some other irrelevant information.
>
>
> --
> Herb Martin
>
>
> >
> > Thanks so much!
>
>
>


